Part 8: My vCloud Journey Journal – vShield Edge Fundamentals Training
Today I worked through the vShield Edge Fundamentals Essentials training which is freely available on the VMware MyLearn portal. It’s part of my approach to try and soak up as much knowledge about the components of the vCloud Suite as part of my preparation to take the new VCP-Cloud Exam. I’ve booked my slot on the VMware vCloud: Deploy and Manage the VMware Cloud, and I’ve arranged for VMware Education to send the student manuals to my home – so I can work from them offline before attending the instructor-led course – as a former VMware Certified Instructor (VCI) I’m used to picking up new courseware and prepping it to teach – so it will be interesting to be in “student mode” for once. Until that arrives I’m working through the “essentials” training – and this afternoon I’m going to work through David Davis/TrainSignal’s “VMware vCloud Director” Essentials training as well. At some stage I want to work my way through the vCAT materials as well. So there’s a lot of content to consume!
I’ve already worked through the vCloud Director 1.5 Fundamentals course a couple of weeks ago – so decided to focus my attention on vShield Fundamentals and Edge Fundamentals, as vShield is an important component in the vCloud Networking and Security area. Plus I’m already pretty familiar with Endpoint from my work with it for the eucbook.com – App and Data Security were weak spots for me so I also focused on that training as well.
The main thing I got from the course wasn’t really technical. It was more thoughts about how I will approach vShield from a vCloud Director (vCD) perspective. The course is very much focused on vShield Edge in isolation from vCD. After all, the technology is available separately from vCD, and could be used with just vSphere. Of course, my focus is a very different one. Commensurate with my new role here at VMware, my focus is much more on how the technologies come together to build the cloud and build the software-defined datacenter. I began to realise that using vShield Endpoint in conjunction with vCloud Director is intended to simplify the management. So you carry out a task in vCD, which then sends an instruction off to vShield Manager to do something you need. I think it will be very interesting to expose this automation a little. That’s something I’ve done a great deal with SRM and View. So as you carry out management tasks in SRM, it changes and modifies the vSphere environment accordingly. Much of my work to date has been explaining what goes on under the covers when you click a button in SRM, or select a menu option. With that in mind a good knowledge of vShield management from a manual perspective might help me understand the processes that vCD is orchestrating with it.
There were a couple of nuggets of information that came out from the course. Firstly, vShield Edge does load-balancing – but for a very specific application. It load-balances web-server front-ends on port 80 only – in the 5.0 release. I needed to verify if this is still the case with the 5.1 release – and it sounds like HTTPS/443 and some other TCP ports are now supported. Paradoxically, this limited support did reassure me because I started working on the load-balancing issue long before vShield 5.1 was released. Back when I was writing the VMware View 5.1 book with Barry Coombs – I ended up using F5 BIGIP as an example of a load-balancer for PCoIP traffic to the View Security Server. Afterwards I felt I’d let the side down by not using vShield Edge. Clearly, that wasn’t a mistake at the time. I’m assuming the limited protocol support is intentional. That vShield is there to load-balance the most popular apps that by and large have a web front-end for the first point of access – and from that the backend application distributes the load. I’m also wondering if the next generation of applications will be scaled-out for availability and performance anyway. vShield Endpoint supports two different algorithms for the load-balancing – IP-Hash and Round-Robin – and can detect if a node is down or unavailable and pass the client to the next available node. As part of my work with vApps I want to build out a classical 3-tier application (web, app, db) model and play with being able to deploy it into any Organization vDC. I haven’t really decided what that app will be yet! But I’m wondering if our very own Zimbra system might be a good candidate – to offer internal email to each of my Organizations in Corp.com.
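To make the two load-balancing behaviours described above concrete (IP-Hash versus Round-Robin, plus skipping a member that health checks have marked down), here is a small Python model written for this post. It is an added illustration and not vShield Edge code or configuration: the pool members and client IPs are constructed sample values, and the hash used for IP-Hash is a SHA-256 of the client address chosen for the example, not the function the vShield Edge appliance actually uses.

```python
"""Toy model of a web-tier load-balancer pool with IP-Hash and
Round-Robin member selection and a health state per member.

Added example for illustration only; not vShield code. The hash
function, member list and client addresses are assumptions."""
import hashlib
import ipaddress


class Pool:
    def __init__(self, members):
        # Ordered list of backend addresses, e.g. web01, web02, web03 (constructed)
        self.members = list(members)
        # Members currently passing the health check; all up at creation
        self.healthy = set(self.members)
        self._rr_index = 0

    def mark_down(self, member):
        """Health check failed: stop sending new clients to this member."""
        self.healthy.discard(member)

    def mark_up(self, member):
        """Health check recovered: put the member back in rotation."""
        if member in self.members:
            self.healthy.add(member)

    def _healthy_in_order(self):
        # Preserve configured order so selection is predictable
        return [m for m in self.members if m in self.healthy]

    def round_robin(self):
        """Hand each new connection to the next healthy member in turn."""
        up = self._healthy_in_order()
        if not up:
            raise RuntimeError("no healthy pool members")
        member = up[self._rr_index % len(up)]
        self._rr_index += 1
        return member

    def ip_hash(self, client_ip):
        """Pin a client address to one member so repeat visits are sticky.

        If that member goes down, the hash is taken over the smaller healthy
        list, so the client is passed to an available node instead."""
        up = self._healthy_in_order()
        if not up:
            raise RuntimeError("no healthy pool members")
        packed = ipaddress.ip_address(client_ip).packed
        digest = hashlib.sha256(packed).digest()   # assumed hash, not vShield's
        return up[int.from_bytes(digest[:4], "big") % len(up)]


def distribution(pool, client_ips):
    """Count how many constructed client IPs the IP-Hash rule sends to each member."""
    counts = {m: 0 for m in pool.members}
    for ip in client_ips:
        counts[pool.ip_hash(ip)] += 1
    return counts


if __name__ == "__main__":
    # Constructed pool of three web front-ends behind a single virtual IP
    pool = Pool(["10.0.0.11", "10.0.0.12", "10.0.0.13"])
    print("round-robin:", [pool.round_robin() for _ in range(4)])
    pool.mark_down("10.0.0.12")
    print("round-robin with web02 down:", [pool.round_robin() for _ in range(4)])
    pool.mark_up("10.0.0.12")
    clients = [f"192.0.2.{i}" for i in range(1, 31)]   # constructed client IPs
    print("ip-hash spread:", distribution(pool, clients))
```

The point the model makes is the trade-off between the two algorithms: Round-Robin spreads connections evenly but gives a client a different back-end each time, whereas IP-Hash keeps a client on the same node until that node fails, at which point the hash is recomputed over the remaining healthy members and the client moves.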
The other interesting aspect of the course was a trip down memory lane. vShield Edge has static routing capabilities (including site-to-site VPN and NAT) – and the course gave a couple of examples of configuring routing between two vApp Networks, within an Organization and between two organizations within the same vCD cell. It took me back to the mid-90’s when I used to teach a 5-day Microsoft course on TCP-IP (yes, I know 5 days just on a protocol and its supporting services was a bit of a kill for both student & instructor!) which served as an invaluable backbone to everything I’ve done since. You have to remember that back then TCP-IP wasn’t the dominant protocol, instead vendor specific protocols like Novell’s IPX/SPX were the order of the day. Anyway, I was struck by how functional vShield is, so it occurred to me I should really try in my lab to use every feature, even if strictly speaking it may not apply or be the “best way” of fixing the problem. That way I can up my exposure to all the possibilities. That’s the way I’ve learned “beyond the manual” stuff in the past, and found out strengths and weaknesses as well. If that approach worked in the past, I should carry on with it.
I think the course does a very good job of clearly distinguishing the role of vShield Edge (which has a firewall) and vShield App (which is a vSphere-aware firewall). So given its name, “Edge” is very much about outbound and inbound traffic flow on the perimeter of your network – as well as being responsible for creating the secure multi-tenancy between Organizations that is such a central plank of any cloud solution. In contrast vShield App is more about securing communications within a Virtual DataCenter. There were some good examples. You could use vShield Edge to secure access to your virtual DMZ, but App would protect Web01 from Web02 within the DMZ should one of them become compromised. Similarly, you might have security zones inside your Virtual Datacenter that need a high level of security, such as those imposed by PCI compliance – vShield App could protect those VMs.
For me the 1st module in this course was the most useful. It gave good usage cases and set forth clearly what vShield was capable of doing. The 2nd module was a little bit less useful. It focused on practical day-to-day configuration and management of vShield Edge. Right now that isn’t really very useful – because my interest is in vShield as used by vCD. BUT, I think once I’m in the thick of things with vCD – I will be coming back to it to review the common admin tasks – for two purposes. Firstly, to see the changes created by vCD speaking to vShield – but also for any management tasks that have to be done at the vShield itself. I’d get some useful info from the 2nd module – but just tidbits for the moment. For example I rather like the way vShield Endpoint’s DHCP server leases static IP addresses based on the hostname/VM name values – rather than MAC address. That seems infinitely easy to manage, so long as you can stop folks renaming VMs and renaming the guest OS hostname.
My only criticism was, of course, the “lab” component. Unlike the vCloud Director Essentials training, which just had straight videos as demos, these require you to click on objects on the screen to progress the animation. I found that a bit tiresome, and I don’t believe they make the session any more “interactive”. I guess I have the luxury of a lab environment to play in – and therefore anything less than the product live in front of me is going to feel tame in comparison.