
Hyper-divergence and Datrium (@DatriumStorage)

This Monday I had a briefing with Datrium. They have a tag line of “Open Convergence”. I was grasping for a snappy title for this post as a lead-in to writing about what they do. As ever my contrarian brain hit on the opposite of convergence, which is divergence. I kind of like “hyper-divergence” because for me, in a way, it describes the fact that despite the massive growth in the “hyper-convergence” marketplace there persist radically different approaches to “getting there”. Both in the method of consumption (build your own VSAN vs the ‘appliance’ model) and also the architecture (shared storage accessible directly from a hypervisor kernel (VSAN), or a “controller” VM which shares out the storage back to the hypervisor (Nutanix)). I think Datrium and the recently announced NetApp HCI are delivering yet more options on both the consumption/architecture front.

Posted by on June 21, 2017 in HCI, vSphere

Updated: Check out Neil Anderson’s (@flackboxtv) “How to Build a NetApp ONTAP 9 Lab”

Neil Anderson has been in touch again to let me know that he’s produced a NEW extensive guide to building a complete vSphere Lab with NetApp ONTAP 9 as the backend. So it’s essentially a free eBook to cover the new version. Neil is kinda tooting his own horn, but he’s confident my book blows the NetApp setup guide out of the water – he’s got full step-by-step instructions with screenshots on how to build a fully networked two-cluster lab with Windows and Linux clients. I’ve taken a quick gander and I can tell it’s a quality ‘product’ that might once have found a home on my old “RTFM Education” site from the good old days!

Readers can download it from Neil’s blog (it’s free of course) and the goal is to help people get their first hands-on look at the new OS.

It’s downloadable from http://www.flackbox.com/netapp-simulator/

If you’re interested in connecting with Neil, he’s followable (is that a word now?) on Twitter here: https://twitter.com/flackboxtv

Posted by on June 16, 2017 in Announcements

Amazon AWS: To NAT or not to NAT, That is the Question

Yes, I know. When Hamlet holds the skull… It’s not the “To be or not to be” speech… but the one about Yorick. 🙂

Acknowledgment:

I’d like to thank Tim Hynes for reviewing this blog post and giving me valuable feedback. Tim is a fellow vExpert; he is @railroadmanuk on Twitter and blogs at http://virtualbrakeman.wordpress.com/

The Conceptual Stuff

I was curious about Amazon’s options to use NAT inside the VPC construct, so I decided to do some research on its merits. Before I delve into the practicalities, here are the whys and wherefores.

Amazon recommends a NAT configuration if you have Internet-facing web servers with backend servers that they communicate with. That statement shows how much AWS is geared around “Web Services”, although it’s fair to say that most applications these days have a web-based front-end with an application server/database server back-end. The alternative to this NAT configuration is to merely have public/private subnets protected with Security Groups – with no NAT. In this setup a heavily secured “jumpbox” or “bastion” instance is used as the access point for those environments – this would be a very typical setup for a test/dev environment where only developers need access to whatever Amazon AWS is hosting…

To get a NAT system up and running you have two main options:

  • “NAT Instance” – The NAT runs as just another instance amongst your other instances. You can use a number of different sized instances provided by Amazon.
  • “NAT Gateway” – This service is configured in the VPC, and has features such as high availability, higher bandwidth capabilities, and less administrative overhead (this method is recommended by Amazon).

I found the NAT Instance method is very easy to set up, and the VPC wizard does a good job of updating the VPC “Routing Tables” to make sure traffic flows in the right directions. You do, however, have to update the Security Groups around the “NAT Instance” to allow it to send and receive traffic – just like any other instance really.

The NAT Gateway method is a tiny bit trickier to set up, and critically is not a freemium service (remember, neither is the NAT Instance really). With the NAT Gateway, as you create it you associate it with one of the public subnets inside a VPC and assign an Elastic IP to it. You do have to manually update the routing tables for the affected (or should that be afflicted?) subnets before traffic flows. The easiest thing is to set up the VPC first, so you can then attach the NAT Gateway to the appropriate public subnet. There are other ways (in terms of the order of the process) to do this, but I found this the easiest way and the most logical for my brain to wrap its head round. The NAT Gateway is created within a particular “Availability Zone” (AZ) and is implemented with redundancy in mind. And I think it’s for this reason that Amazon recommends it. The NAT Gateway’s availability is set by which Public Subnet it’s associated with – so it is possible to create more than one NAT Gateway, associated with multiple public subnets in different AZs. This web page contains this statement:

“If you have resources in multiple Availability Zones and they share one NAT gateway, in the event that the NAT gateway’s Availability Zone is down, resources in the other Availability Zones lose Internet access. To create an Availability Zone-independent architecture, create a NAT gateway in each Availability Zone and configure your routing to ensure that resources use the NAT gateway in the same Availability Zone.”

And here are some other nuggets and facts worth highlighting:

  • A NAT Gateway supports 10Gbps of bandwidth;
  • You can’t swap out the Elastic IP on an existing NAT Gateway – you have to destroy and re-create it to change the IP
  • Although you can’t wrap a Security Group around a NAT Gateway, it does support network ACLs to restrict the traffic it will pass
  • Finally, NAT Gateways cannot be used with EC2 Classic-Link. However, this is really a legacy issue and would only impact customers who have been using Amazon AWS for some time.
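The AZ-independence rule quoted above is easy to get wrong once a VPC has private subnets in several AZs, so here is an added example (my code, not Amazon’s and not from the original post) that audits a routing design for it: every NAT Gateway must sit in a public subnet, and every private subnet’s default route must point at a NAT Gateway in its own AZ. Subnet names, AZs and target ids are constructed sample data, shaped like what you would pull from describe-subnets / describe-route-tables.

```python
"""Audit a VPC routing design for the NAT Gateway AZ-independence rule.

Added example (not from the post): subnets, route tables and NAT gateways
are modelled as plain Python objects with constructed names and AZs.
"""
from dataclasses import dataclass, field


@dataclass
class Subnet:
    name: str
    az: str
    routes: dict = field(default_factory=dict)  # destination CIDR -> target id

    def is_public(self):
        """Public in the AWS sense: the default route goes to an Internet Gateway."""
        return self.routes.get("0.0.0.0/0", "").startswith("igw-")


@dataclass
class NatGateway:
    name: str     # also used as the route-table target id, for simplicity
    subnet: str   # the public subnet it was created in (this fixes its AZ)


def audit_nat_routing(subnets, nat_gateways):
    """Return a list of findings; an empty list means the design passes."""
    findings = []
    by_name = {s.name: s for s in subnets}
    nats = {n.name: n for n in nat_gateways}
    for nat in nat_gateways:
        home = by_name.get(nat.subnet)
        if home is None or not home.is_public():
            findings.append(f"{nat.name}: not in a public subnet, so it has no path to the Internet")
    for s in subnets:
        if s.is_public():
            continue
        target = s.routes.get("0.0.0.0/0")
        if target is None:
            findings.append(f"{s.name}: no default route (no Internet egress)")
        elif target not in nats:
            findings.append(f"{s.name}: default route points at unknown target {target}")
        else:
            home = by_name.get(nats[target].subnet)
            if home is not None and home.az != s.az:
                findings.append(
                    f"{s.name} ({s.az}): egress depends on {target} in {home.az}; "
                    f"it loses Internet access if {home.az} goes down")
    return findings


def shared_nat_design():
    """Constructed sample: one NAT Gateway in AZ 'a' shared by both private subnets."""
    subnets = [
        Subnet("public-a", "eu-west-2a", {"0.0.0.0/0": "igw-1"}),
        Subnet("public-b", "eu-west-2b", {"0.0.0.0/0": "igw-1"}),
        Subnet("private-a", "eu-west-2a", {"0.0.0.0/0": "nat-a"}),
        Subnet("private-b", "eu-west-2b", {"0.0.0.0/0": "nat-a"}),  # cross-AZ dependency
    ]
    return subnets, [NatGateway("nat-a", "public-a")]


def per_az_design():
    """Constructed sample: the layout Amazon recommends, one NAT Gateway per AZ."""
    subnets, _ = shared_nat_design()
    subnets[3].routes["0.0.0.0/0"] = "nat-b"
    return subnets, [NatGateway("nat-a", "public-a"), NatGateway("nat-b", "public-b")]


if __name__ == "__main__":
    for finding in audit_nat_routing(*shared_nat_design()):
        print(finding)
```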

The Practical Stuff

Posted by on June 9, 2017 in Amazon

VMware vRealize Operations – What’s New

Last week I was fortunate enough to be briefed by VMware on their new “Intelligent Operations” offering, and given a view of what’s new and the rationale behind the changes. The changes are spread amongst the vRealize suite/portfolio of products including:

  • vRealize Operations 6.6
  • vRealize Log Insight 4.5
  • vRealize Business of Cloud 7.3 (Standard Edition)
  • vRealize Network Insight 3.4 (Actually, this isn’t included as part of the vRealize/vCloud Suite)

Highlights: vRealize Operations 6.6

Posted by on June 6, 2017 in vCOPS

Reading the Runes with Runecast Analyzer

A runestone is typically a raised stone with a runic inscription, but the term can also be applied to inscriptions on boulders and on bedrock. The tradition began in the 4th century and lasted into the 12th century, but most of the runestones date from the late Viking Age. Most runestones are located in Scandinavia, but there are also scattered runestones in locations that were visited by Norsemen during the Viking Age. Runestones are often memorials to dead men. Runestones were usually brightly coloured when erected, though this is no longer evident as the colour has worn off.

https://en.wikipedia.org/wiki/Runestone

Introduction:

This week I was fortunate to have a briefing with Stan Markov (VCDX #74 and VCI), the CEO of Runecast. In case you don’t know, Runecast Analyzer is a tool that gathers info from your vSphere environment and compares it to the VMware KB, Best Practices and the Security Hardening guide. The idea is that it makes you proactively act on what it discovers, to reduce the time spent reactively responding to events as they happen – in that typical “firefighting” manner.

Typically, we are so busy in the IT world that we tend to respond to situations as they arise, and hope that by following design best practice we reduce these events to a minimum. In recent years a number of software vendors have been developing tools to break this cycle of behavior. Despite bold attempts to “automate all the things”, you’d be surprised how many people are still using a combination of Excel spreadsheets and Googling to both keep track of changes and respond to new issues as VMware finds them. And, of course, there are those pesky things called “default settings” that are often left as is, and never reviewed.

When the poop hits the fan such admins are forced into “cutting and pasting” cryptic log entries into Google, in the hope that a narrowly defined string will reduce the long list of false positives – it’s become a skill in its own right, scrolling through search results and translating the verbiage of KB articles to see if they answer your problem. And I can speak of situations first hand where I’ve had to “stitch together” KB articles to fix an issue. It’s this sort of first-hand pain that the folks at Runecast are addressing.

I was given an NFR license for a year (thank you) and spent yesterday getting my lab environment up and running to try out their offering. I spent most of my time making the lab work again, replacing my expired vSphere license! The Runecast Analyzer appliance (in OVF format) took less time to set up than it did to download. I pointed it at my vCenter and I was up and running.

Note: As with any lab based evaluation I used my administrator@vsphere.local account. Runecast say a read-only account will cover about 90% of the analysis, but there are some higher-level privileges required to collect 100% of the data needed.

As you might gather, with the lab being down for more than a year, it’s not been patched in ages, and I’ve never bothered with any security hardening. So my results will not be reflective of most production environments (or will they?). As you’ve probably gathered, Runecast Analyzer is an on-premises appliance, and although it pulls data down from the Runecast Central Repository, which in turn keeps track of the VMware KB, nothing is pushed out of your environment. Runecast Analyzer does support offline patch management for those people who require an air gap between themselves and the outside world for compliance purposes.

Posted by on June 2, 2017 in vSphere

Amazon AWS and VPC Peering Connections

VPC Peering is the way that two VPCs with distinct CIDR spaces within the same REGION can be linked together. Whether you actually need to do this could be moot – but I can imagine a scenario where each VPC is a different company within a holding group, or else you are using VPCs on a departmental basis. You could still maintain separate “root” accounts for billing purposes, as VPC peering can be set up between multiple “root” AWS user accounts. For legal reasons the VPCs might need to be separated, but there may be “natural synergies” between companies within the same group, or between departments, where communication is desirable or needed.

Aside: You should normally be VERY worried when management uses the term “natural synergies”, as it is term that normally suggests two companies merging and job redundancies. Such are the euphemisms of modern employee relations!

Note: I found this Rackspace article useful, especially as it outlined some of the limits around using VPC Peering Connections and some of the pitfalls of excessive VPCs and VPC Peering Connections – https://blog.rackspace.com/vpc-peering-architecture-use-cases-guidance

There are two main “rules” around VPC Peering Connections in Amazon AWS. Firstly, the two VPCs to be connected must each have their own unique CIDR. It’s not possible to VPC Peer two VPCs where they both have the same CIDR, such as 10.0.x.y/16. Secondly, the VPCs can be managed by the SAME Amazon “root” account or, as I said a moment ago, DIFFERENT Amazon “root” accounts. If it is the latter, different accounts, then the two “root” administrators of the VPCs would have to work together, as credentials are needed on both sides.

I see this as being a lot like the “trust” relationships we used to make manually in the not-so-good old days of Windows NT4 (God, how that ages me!). However, if you’re of my generation you might remember that before “Active Directory” those trust relationships were not transitive. So just because VPC1 connects to VPC2 and VPC2 connects to VPC3, it does NOT follow that VPC1 can communicate with VPC3. So VPC Peering Connections do not flow seamlessly from one VPC to another.

The VPC Peering wizard creates a “PCX” target that can be referenced in the routing tables to allow communication to pass from one VPC to another. When using the VPC wizard, one side of the relationship between the VPCs acts as the “Requester”, and the opposite side acts as the “Acceptor”. The communication is automatically two-way, so there’s no need to create the VPC Peering Connection twice. If you’re making the VPC Peering Connection between two VPCs under the SAME Amazon “root” account you merely select two different VPCs – as you are both the “requester” and “acceptor” at the same time.
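To make the two rules above concrete, here is an added example (my code, not from the original post or from AWS) that pre-checks a set of peering requests for CIDR overlap, records each accepted connection as a single two-way “pcx” entry, and then answers reachability questions the non-transitive way, so that Prod–Dev plus Dev–Test does not make Prod–Test reachable. The Prod and Dev CIDRs follow the post; the “Test” and “Legacy” VPCs are constructed.

```python
"""VPC peering pre-checks: CIDR overlap and non-transitive reachability.

Added example (not from the post). VPC inventory is constructed sample data;
the Prod/Dev CIDRs match the ones in the post.
"""
import ipaddress

VPCS = {  # constructed sample inventory: VPC name -> CIDR block
    "Prod": "10.0.0.0/16",
    "Dev": "10.1.0.0/16",
    "Test": "10.2.0.0/16",
    "Legacy": "10.0.0.0/16",  # same CIDR as Prod: rule 1 says it cannot peer with Prod
}


def can_peer(vpc_a, vpc_b, vpcs=VPCS):
    """Rule 1: the two VPCs must have non-overlapping CIDR blocks."""
    a = ipaddress.ip_network(vpcs[vpc_a])
    b = ipaddress.ip_network(vpcs[vpc_b])
    return vpc_a != vpc_b and not a.overlaps(b)


def peering_table(requests, vpcs=VPCS):
    """Build the set of accepted peering connections (the "pcx" targets).

    Each request is (requester, acceptor). Peering is two-way, so one
    unordered pair serves both directions; requests that break rule 1 are
    dropped, as the console would refuse them.
    """
    pcx = set()
    for requester, acceptor in requests:
        if can_peer(requester, acceptor, vpcs):
            pcx.add(frozenset((requester, acceptor)))
    return pcx


def reachable(src, dst, pcx):
    """Rule 2: peering is NOT transitive. src reaches dst only over a direct
    pcx, never by hopping through a VPC that happens to be peered with both."""
    return frozenset((src, dst)) in pcx


def transitive_path_exists(src, dst, pcx):
    """What a non-transitive design does NOT give you: a multi-hop path.
    Included only to make the contrast with reachable() explicit."""
    seen, frontier = {src}, [src]
    while frontier:
        current = frontier.pop()
        for conn in pcx:
            if current in conn:
                (nxt,) = conn - {current}
                if nxt == dst:
                    return True
                if nxt not in seen:
                    seen.add(nxt)
                    frontier.append(nxt)
    return False


if __name__ == "__main__":
    table = peering_table([("Prod", "Dev"), ("Dev", "Test"), ("Prod", "Legacy")])
    print("Prod -> Test directly peered:", reachable("Prod", "Test", table))
    print("Prod -> Test via Dev (not allowed by AWS):", transitive_path_exists("Prod", "Test", table))
```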

So in the screen grab below the “Requester” is my VPC called “Prod” using 10.0.x.y/16 as the CIDR, and the “Acceptor” is my VPC called “Dev” with the CIDR of 10.1.x.y/16. The fields are completed by merely browsing the VPC metadata queried using the currently used “root” account.

Posted by on June 1, 2017 in Amazon

We’re off to see the Wizard, the Wonderful Wizard of AWS

Note: Just to say this title is meant to be a humorous and silly pun. I actually think the Amazon wizards in the main are pretty good, and in fact pretty invaluable.

Acknowledgement: I’d like to thank vExpert James Kilby for reviewing this blog post prior to publication. You can follow James on Twitter at https://twitter.com/jameskilbynet and he blogs at https://www.jameskilby.co.uk/

In my previous blog post I was writing about how important planning stuff upfront in any cloud environment is. Not just because this is good practice in system design, but because so many cloud environments are resistant to the kind of arbitrary ad-hoc SysAdmin changes that could so easily be made to fix a problem in an on-premises virtualization platform. In this post I’m turning my attention to something less highfalutin and more down in the weeds.

When I was working my way through the PluralSight SysOps Admin training I was following the demos with my Amazon AWS Console open. Mainly playing “spot the differences”. Let me make something clear – the Pluralsight training is pretty good and an excellent foundation for getting stuck in and learning more. I believe it’s going to get harder and harder to keep ALL training materials up to date and current. Cloud environments are almost naturally more “agile” (hateful word – sorry, I have a thing against the way our industry brutalizes my native tongue). This means it’s really hard for training materials and guides to keep track. It’s partly the reason I’ve abandoned the whole step-by-step tutorials that I did in the past. I will leave that work to the big boys – like Amazon/Microsoft/Google, as they have far more resources and time. But my plan was always to go back through my notes on the course (48 pages!) to both revise what I learned and inspire new blogging content – but also to go back and research those differences I’d noted. I didn’t do that there and then whilst the video rolled. It would have slowed the pace of the training. But now I feel I have the time to check those out.

To wit: one thing I noticed is that when you create a VPC in Amazon AWS using the wizard you get some new options that the Pluralsight videos didn’t dwell on or mention. Incidentally, as a rule I despise wizards; however, in the context of Amazon AWS I would recommend them. They often automate many tasks, and thus meet certain dependencies – and speed up the process of setup (unless you decide to go down the scripting route). I think the key with the Amazon AWS wizard is understanding exactly what is being automated, and where those settings reside. This reduces the feeling that it’s the “Wizard of Oz” pulling strings behind a curtain, with you being clueless about what he’s up to. The other thing I would recommend is that if there are four different routes through a wizard – go through it four times. The best way to learn a technology is to expose yourself to the reality, rather than the theory. When I was a Microsoft Certified Trainer in the ‘90s, there was an awful lot of “you can do this configuration” but then it was never gone through. One way I expanded my knowledge at the time was actually trying these “theoretical configurations” – you certainly learned that while you often can do something, it often comes with major dental work, to replace all the teeth you lost putting it together…

So… less pre-amble, more amble. Here’s a screengrab of the VPC wizard from PluralSight…

Posted by on May 30, 2017 in Amazon

Amazon AWS Summit – London, ExCel – 28th June

I’ve bitten the bullet and decided to attend the Amazon AWS Summit in London on the 28th June. Both the London VMUG and this event are “FREE”; the only cost is getting there and back. I’ve spent the money on the train ticket and that pretty much commits me to going! It’s funny with free events – your commitment can vary depending on the mood. But once you put money down it rather clarifies the situation!

If you live in London I guess these events are ‘easier’ to do from a financial perspective; it’s more whether you have the time to do them. There’s precious little in terms of agenda – but I hope it will be technical and learning oriented and less on the old marketing side. The keynote looks mercifully short – so no 2.5hrs sat on your butt with your mind being numbed – just 1hr of being sat on your butt with your mind numbed.

I’M JOKING!

https://aws.amazon.com/summits/london/

Posted by on May 23, 2017 in Amazon

LONDON VMUG – JUNE 22ND 2017

Well, I’m all registered for my first VMUG in aaaaaages. It will be a good opportunity to network and catch up with all my fellow vMUGGERS, as I like to call them!

It’s literally been “yonks” since I was active in the community. A yonk being a measure of time that starts with a career break, and ends when you return. Of particular note – Frank Denneman will be presenting on the subject of VMware on Amazon. A topic that intrigues me greatly since I’ve been dabbling with Amazon recently as a way of getting the little grey IT braincells working again.

Also worthy of note, my pal Julian Wood will be presenting on the subject of “Can I order some servers for my serverless, please”. You can rely on Julian for a good dose of “wake up and smell the vBacon”. So I will relish that session.

There’s vBeers, and without sponsors we all know there’d be no vBeers. Just kiddin’ ya 🙂

It’s the usual suspects, but two new vendors who have never previously crossed my radar before…. So Alain Geenrits, Solutions Architect, EMEA for Bluemedora will be there, as will SIOS…

Now all I have to do is sort my train ticket out to get there… Book early to avoid disappointment!

Register here!

Posted by on May 23, 2017 in VMUG

Amazon AWS and Ch-Ch-Ch-Changes

Acknowledgement: I’d like to thank fellow vExpert Ed Grigson for proofing this and giving me valuable feedback. He helped inspire a better conclusion than this piece originally had. You can find Ed’s own blog here, and he also tweets!

http://www.vexperienced.co.uk

https://twitter.com/egrigson

One thing I’ve learned pretty quickly using Amazon AWS, whilst following the PluralSight SysOps Admin course, is how resistant to change the platform is. Now, this shouldn’t really come as a surprise to anyone who has interfaced with a virtualization layer as mediated through a cloud UI. As I’ve said in previous posts, the layer of abstraction added by cloud means a great deal of the knobs and buttons you’re used to as a virtualization admin are, by necessity, redacted and not exposed. Remember, you’re meant to be the Little Happy Consumers of the Cloud now.

We’re all used to the experience where “dependencies” between one service or object and another prevent our arbitrary and ad-hoc administration changes which haven’t been properly thought through. So it becomes impossible to change the “D” setting because of restrictions upstream in A, B, and C, or without it affecting downstream dependencies in E, F, and G. I can pretty much live with this – although that does mean you REALLY, REALLY need to think things through before you start creating stuff.

This is why I think a cloud architect is probably more valuable or useful to an organization than a SysOps Admin. However, I think where you learn the consequence of not architecting or pre-planning your development is leaping in as a SysOps Admin creating/changing stuff and then having to deal with the often painful consequences. Often the best lessons are learnt the hard way after all.

What I would say is that this serious consideration often extends to even some of the most trivial admin tasks, which you would assume would be unrestricted. I don’t intend this as a criticism of Amazon AWS as such, but an observation that many public and private cloud solutions behave in precisely the same way, but some are more “restrictive” about this than others. For instance:

Posted by on May 22, 2017 in Amazon
