VMware Cloud Well-Architected Framework for VMware Cloud on AWS: Infrastructure and Application Observability and Services
Infrastructure and Application Assessment and Native Services
When planning a cloud migration, it is critical to understand the various infrastructure services that are in use in the current environment and how those services will be consumed and/or rearchitected for use in the cloud. Infrastructure services are the critical functions on which all other workloads depend; examples include DNS, DHCP, NTP, Active Directory/directory services, Syslog receivers, and monitoring solutions.
Planning for Infrastructure Services in the Cloud
Planning for infrastructure services depends on where the consuming workloads run; the recommendation is to place services in close proximity to those workloads. In a hybrid cloud environment, where a mix of on-premises and VMware Cloud based workloads exist, organizations may run some or all infrastructure services from their on-premises datacenter and extend these services to VMware Cloud-based workloads.
For organizations planning to run exclusively within a VMware Cloud SDDC, where an on-premises datacenter is no longer available, cloud-native infrastructure services are needed to provide these core services. The use of multi-cloud can add further challenges, such as operating multiple similar services across various infrastructure service providers or extending infrastructure services from an on-premises datacenter to a VMware Cloud-based environment. Security and access policies can also play a large role in the architecture of infrastructure services; hence it is essential to include your security team in the planning phase.
Retain Infrastructure Services Locally
There are good reasons to keep some infrastructure services running in an on-premises environment. If there are existing DDI (DNS, DHCP, and IPAM) solutions, organizations may want to continue to leverage their existing investment. There may also be security and compliance requirements that mandate infrastructure services continue to run in an on-premises location. Workload placement and data gravity can also affect the placement of infrastructure services, not just in the near term but also in the desired future state.
For common networking services such as DHCP and DNS, organizations can take advantage of VMware NSX networking capabilities included in a VMware Cloud SDDC. VMware NSX can forward both DHCP requests and DNS queries from a VMware Cloud SDDC to an organization’s data center, allowing these services to remain on-premises. Similarly, Syslog data can be forwarded to an on-premises syslog receiver environment.
An important consideration before configuring infrastructure services is the transmission of data. Data transferred out of a VMware Cloud SDDC is billed as egress traffic. Costs can vary per region as well as per Infrastructure Services Provider. Without proper planning, egress traffic fees can be unpredictable and add unexpectedly to an organization's bill. It is important to understand the utilization of existing infrastructure services, accurately forecast egress utilization, and plan accordingly.
When retaining infrastructure services in an on-premises environment, it is essential to review any new or additional requirements before providing these services to an organization's VMware Cloud SDDC. Testing, documentation, and a security review are highly recommended before exposing a service to VMware Cloud based workloads.
Migrate to Cloud-Native Services
As an organization transitions to a VMware Cloud-based SDDC, it should assess and evaluate the benefits of cloud-native infrastructure service options, including their SLAs. The assessment of an organization's on-premises infrastructure services should weigh criteria such as manageability, availability, and total cost of ownership (TCO) against the benefits of a managed cloud-native service.
Automation and Application Programming Interfaces (APIs) are also first-class citizens for many cloud-native infrastructure services. This enables an organization to leverage modern automation and Infrastructure as Code tools to create and request new resources in the cloud in a much shorter period of time, as opposed to the weeks and months required to build traditional data centers. The combination of VMware Cloud and the ability to automate cloud-native infrastructure services can deliver a true Software-Defined Datacenter.
Another benefit of cloud-native infrastructure services is the availability, health monitoring, and scalability that come with a managed service. For undifferentiated infrastructure services, organizations can leverage cloud-native infrastructure services, which are priced based on consumption. It is important to understand the utilization of existing infrastructure services before migrating them to a cloud-native service. Most infrastructure service providers offer tools to help predict the estimated cost of consuming their services. To proactively monitor and prevent unexpected costs, billing alerts and notifications should be configured.
Multi-Cloud can also present a unique challenge when determining an organization’s strategy for consuming infrastructure services. For example, if an organization plans to extend their existing on-premises infrastructure services to multiple infrastructure service providers, different types of connectivity must be configured and managed, which can bring additional complexities from an operational standpoint. In contrast, organizations may consume cloud-native infrastructure services from individual infrastructure service providers, which can also bring its own complexity as each solution will require unique skillsets to configure and manage.
Centralized/Shared Infrastructure Services
An alternative design for organizations that need to manage and control access to infrastructure services from a centralized location is a shared infrastructure services model. In this implementation, one or more VMware Cloud-based SDDCs terminate into a single, centralized infrastructure service endpoint. Network and security policies can then be managed and operated more easily, with all ingress and egress traffic terminating at this endpoint. This design is applicable both to cloud-native services and to infrastructure services running within an on-premises data center.
Figure 1: Centralized/shared infrastructure services
Assessing Existing Infrastructure Services
An organization should first identify and assess all on-premises services that can be classified as an infrastructure service. During the assessment, an analysis should be performed that includes, for example, the health, scale, and configuration of each service to determine whether it can support workloads running in a VMware Cloud SDDC. If an existing infrastructure service is deemed insufficient, then an organization should strongly consider rearchitecting the service or replacing it with a cloud-native service.
Upon completing the assessment, an organization can determine whether a given service should be replaced with a cloud-native service, assuming a feasible alternative exists. Common services such as DHCP and DNS are generally available from all infrastructure service providers; other services must be evaluated based on criteria such as their utilization, criticality, and cost to determine the best available option.
There are many tools and methodologies for cataloging and assessing your existing environment. Internal documentation can provide an initial understanding of how existing infrastructure services are configured and managed. Monitoring systems can be another source of information, especially if they track the utilization and health of specific infrastructure services (e.g., the number of DNS queries per second). With these metrics available, an organization can appropriately forecast infrastructure service utilization and cost.
NetFlow data can also provide insights into the different protocols running within an organization’s network. Example traffic types can include DNS, DHCP, NTP, Syslog, authentication, and client/server communication. NetFlow data can also be used to understand application and service dependency mapping, which will assist in migrating workloads to a VMware Cloud SDDC.
Note: VMware vRealize Network Insight (vRNI) can be used to analyze network traffic to help understand the different types of applications and/or services running within an organization's network.
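The assessment step above (classifying flow records by infrastructure service, mapping SDDC-to-on-premises dependencies, and forecasting egress) as an added example, not part of the VMware framework document. The address ranges, port map, flow records, and per-GB rate are all constructed placeholders, not values from the page or from any provider's price list.

```python
"""Inventory infrastructure services and estimate egress from NetFlow-style
records. Added example; address plan and sample flows are constructed."""
from collections import defaultdict
import ipaddress

# Assumed (hypothetical) address plan: SDDC workloads vs. on-premises datacenter.
SDDC_NET = ipaddress.ip_network("10.10.0.0/16")
ONPREM_NET = ipaddress.ip_network("192.168.0.0/16")

# Well-known destination ports for the infrastructure services the text lists.
SERVICE_PORTS = {
    ("udp", 53): "DNS", ("tcp", 53): "DNS", ("udp", 67): "DHCP",
    ("udp", 123): "NTP", ("udp", 514): "Syslog", ("tcp", 514): "Syslog",
    ("tcp", 389): "LDAP/AD", ("tcp", 636): "LDAPS/AD", ("tcp", 88): "Kerberos/AD",
}

# Constructed sample flow records: (src_ip, dst_ip, proto, dst_port, bytes).
SAMPLE_FLOWS = [
    ("10.10.1.5", "192.168.0.10", "udp", 53, 8_400),
    ("10.10.1.6", "192.168.0.10", "udp", 53, 12_000),
    ("10.10.1.5", "192.168.0.20", "udp", 123, 1_200),
    ("10.10.2.7", "192.168.0.30", "udp", 514, 950_000_000),  # syslog forwarding
    ("10.10.2.7", "192.168.0.40", "tcp", 389, 64_000),
    ("10.10.1.5", "10.10.1.9", "tcp", 8443, 5_000_000),     # intra-SDDC, not egress
    ("192.168.0.50", "10.10.1.9", "tcp", 443, 2_000_000),   # ingress, not egress
]

def classify(proto, dst_port):
    """Map a (protocol, destination port) pair to a service name, else 'other'."""
    return SERVICE_PORTS.get((proto.lower(), dst_port), "other")

def summarize(flows):
    """Return per-service egress bytes (SDDC -> on-premises only) and the set of
    (service, on-premises endpoint) dependencies that the SDDC relies on."""
    egress, deps = defaultdict(int), set()
    for src, dst, proto, port, nbytes in flows:
        if ipaddress.ip_address(src) in SDDC_NET and ipaddress.ip_address(dst) in ONPREM_NET:
            svc = classify(proto, port)
            egress[svc] += nbytes
            deps.add((svc, dst))
    return dict(egress), deps

def egress_cost_estimate(egress_bytes, usd_per_gb):
    """Rough cost for the observed window; usd_per_gb is an assumed placeholder rate."""
    return round(sum(egress_bytes.values()) / 1e9 * usd_per_gb, 2)

if __name__ == "__main__":
    egress, deps = summarize(SAMPLE_FLOWS)
    for svc, nbytes in sorted(egress.items(), key=lambda kv: -kv[1]):
        print(f"{svc:10s} {nbytes / 1e6:10.2f} MB egress")
    print("on-premises dependencies:", sorted(deps))
    print("estimated egress cost:", egress_cost_estimate(egress, usd_per_gb=0.09))
```

Run over real flow exports, the Syslog line is the kind of result that flags a service worth moving into the SDDC or a cloud-native equivalent before the egress bill does.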
Securing Infrastructure Services
Each infrastructure service has its own security guidance and best practices. These should continue to be followed when migrating to VMware Cloud, while also evaluating any updated or new security capabilities. When operating in a hybrid cloud model, it is important to assess existing firewall rules and access control lists to determine whether additional or new configurations are required for connectivity to and from an on-premises environment.
Cloud-native services also have their own security guidance and best practices. Infrastructure service providers offer network-based access-control lists (ACLs) and granular role-based access control (RBAC) for their services and, in some cases, the ability to control access down to an individual API call. Most infrastructure services have predefined roles, which typically map to different personas within an organization. Organizations should assess the personas that will be managing the infrastructure services as well as the workloads that will be consuming these services. Using this information, fine-grained access control and least-privilege accounts should be implemented. Audit logs should be configured to track all changes and access to infrastructure services for both compliance and troubleshooting purposes.
Authentication and Directory Services
Each infrastructure service provider will have a solution for managing authentication, users, and permissions, which includes the ability to federate authentication with a SAML2-based identity provider. For organizations that require identity federation, additional planning and technical analysis is required before selecting a specific infrastructure service provider.
As with other infrastructure services, an organization must decide whether to operate its own directory service or consume it as a managed service. Depending on the requirements for an organization's directory service, which may include security and compliance regulations, a managed directory service could be an option. Organizations subject to PCI, HIPAA, or other regulations will have to take this into account. Many infrastructure service providers undergo yearly audits to attest to PCI or HIPAA compliance, among a range of other standards and compliance frameworks; organizations should verify that the selected infrastructure service provider holds all required certifications.
As organizations make their transition to a VMware Cloud based environment, there is an opportunity to re-evaluate their strategy for infrastructure services. For undifferentiated infrastructure services, organizations can simplify their infrastructure management and operations by considering cloud-native services.