TheSaffaGeek

My ramblings about all things technical



VCAP-CID Objective 1.5 – Determine Security and Compliance Requirements for a Conceptual Design

Knowledge

Identify relevant industry security standards.

  • There are a handful of security standards, and they are mostly found in government, finance, military and telecommunications. Each of these sectors keeps to a few standards, and these overlap heavily with the next point on compliance. For example, here in the United Kingdom there are a few cloud vendors who run community clouds where they assure that they meet business impact levels, and each level determines the requirements for protection. A really good article straight from the UK government is here, where information security is defined based on a number of criteria. A lot of government and military organisations keep data at IL2 or IL3, and vSphere 4.0 and 4.1 were actually verified to meet IL3 compliance. More recently they are still EAL4+ and FISMA certified.
  • For your conceptual design you will need to know what abstraction is required by whichever security standard is relevant, and you will most likely have to sit down with the compliance officer and determine what they feel is required before they will approve that your solution meets their security standards.

Identify relevant industry compliance standards.

  • There are a number of compliance standards in use, from companies who process credit cards and hospitals who keep people's personal data to companies who have to keep to specific regulations. Some are only applicable in specific countries, but the ones I think are most likely to be seen in a vCloud environment are:
    • Sarbanes-Oxley
    • Health Insurance Portability and Accountability Act (HIPAA)
    • Federal Financial Institutions Examination Council (FFIEC)
    • Payment Card Industry Data Security Standard (PCI DSS)
    • International Organization for Standardization (ISO) 17799
    • National Institute of Standards and Technology (NIST)
    • International Organization for Standardization (ISO) 27001
  • A really great example of this is the Architecture Design Guide for Payment Card Industry (PCI) document by VMware. This is PERFECT in showing the kinds of things you need to keep in mind and the varying mechanisms to achieve this. The document goes much deeper than conceptual but seeing as you will have to go from conceptual to logical and then to physical it makes sense to learn it now.
  • Another great document by VMware that is mentioned on the blueprint is the Infrastructure Security: Getting to the Bottom of Compliance in the Cloud document.

Explain vCloud security capabilities.

  • This, along with the two points above, is covered perfectly in appendix B of the vCAT Architecting a VMware vCloud pdf. For the conceptual design this is mostly about isolation and multi-tenancy, but the whole of appendix B gives a great breakdown of the kinds of security that are possible within vCloud and the mechanisms and products that can be used to achieve them.

Identify the auditing capabilities of vCloud technologies.

  • These are the many mechanisms, such as logging, log retention, syslog shipping and firewall logging via vCNS to name but a few, that are possible via vCloud. Appendix B of the vCAT covers these off really well, and the retention policies mentioned in the Architecture Design Guide for Payment Card Industry (PCI) document cover off the kinds of auditing you may be asked to do. For conceptual design this isn't very applicable and I'm amazed it is actually mentioned here.

Skills and Abilities

Based on customer requirements, determine auditing requirements for a vCloud conceptual design.

  • These would be determined in design workshops and discussions with the different subject matter experts within the customer around what they are looking to audit/log and whether there are any compliance standards they need to meet. If they are a service provider who offers public cloud to the general public then there is a very good chance they have to meet PCI compliance, for example, and so must retain logs and perform auditing to ensure security and allow retrospective inspection. For a conceptual design, auditing isn't something you would put in your "napkin" design, but knowing whether you need additional auditing does mean you have to design to be prepared for it in the logical and physical designs.

Based on customer requirements, determine security requirements for a vCloud conceptual design.

  • A large portion of this is the same as above, since security requirements around compliance include auditing as well. For example, if a private cloud is being designed but it is for a hospital, then HIPAA standards need to be met and so certain security measures need to be applied. For conceptual design this is mainly around separation, defence in depth and the use of two-factor authentication, to name a few off the top of my head. How the different zones within the cloud offering are separated and secured also needs to be planned for and conceptually designed.

Based on customer requirements and vShield Edge security capabilities, determine the impact to a vCloud conceptual design.

  • For this you need to know what vShield Edge is capable of doing and in which use cases each capability would be used. A perfect document that describes this is the vShield Edge Design Guide whitepaper. The actual impact on a conceptual design is mainly that vShield Edge allows isolated virtual datacentres to be hosted on a common physical infrastructure instead of needing siloed physical infrastructures. The separation provided by the vShield Edge firewall is in most cases more than sufficient, but knowing where physical separation is required (PCI, for example) is also very important.
  • vShield Edge also provides IPsec VPN capabilities, which are very important for the security of your cloud infrastructure. Knowing that vShield Edge can provide this along with NAT, load balancing and, most importantly for this section, firewall capabilities in one device means you don't need multiple devices as in a traditional multi-tenant design.
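The point about separation via the edge firewall is worth making concrete. The following is an added example (my own code, not vShield Edge's configuration format or API, and not part of the original post): a first-match, default-deny rule evaluator with a small isolation check that probes whether two tenant networks can reach each other. The tenant and management address ranges, rule names and ports are constructed for the example. It shows the classic mistake a design review should catch: an "outbound HTTPS to any" allow rule for one tenant also matches the other tenant's range, so the tenants are not actually isolated until an explicit inter-tenant deny is placed ahead of it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed example networks (hypothetical, not from any real deployment).
TENANTS: Dict[str, str] = {"tenant-a": "10.10.0.0/16", "tenant-b": "10.20.0.0/16"}
MGMT = "192.168.100.0/24"
ANY = "0.0.0.0/0"


@dataclass
class Rule:
    """One first-match firewall rule. dport=None means any destination port."""
    name: str
    src: str          # source CIDR
    dst: str          # destination CIDR
    proto: str        # "tcp", "udp" or "any"
    dport: Optional[int]
    action: str       # "allow" or "deny"

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


# A rule set that looks reasonable but leaks: "HTTPS out to any" also matches
# the other tenant's address range.
LEAKY_RULES: List[Rule] = [
    Rule("mgmt-ssh", MGMT, ANY, "tcp", 22, "allow"),
    Rule("tenant-a-https-out", TENANTS["tenant-a"], ANY, "tcp", 443, "allow"),
    Rule("tenant-b-https-out", TENANTS["tenant-b"], ANY, "tcp", 443, "allow"),
]

# Corrected: explicit inter-tenant denies are evaluated before any allow-to-any.
ISOLATED_RULES: List[Rule] = [
    Rule("deny-a-to-b", TENANTS["tenant-a"], TENANTS["tenant-b"], "any", None, "deny"),
    Rule("deny-b-to-a", TENANTS["tenant-b"], TENANTS["tenant-a"], "any", None, "deny"),
] + LEAKY_RULES


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return (action, rule_name) for the first matching rule; default deny."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action, rule.name
    return "deny", "default-deny"


def check_isolation(rules: List[Rule], tenants: Dict[str, str],
                    ports: Tuple[int, ...] = (22, 80, 443, 3306)) -> List[Tuple[str, str, int, str]]:
    """Probe one host in each tenant network against one host in every other
    tenant network on a few TCP ports. Returns (src_tenant, dst_tenant, port,
    rule_name) for every probe that would be allowed; an empty list means the
    probed tenants are isolated from each other."""
    leaks = []
    for src_name, src_net in tenants.items():
        for dst_name, dst_net in tenants.items():
            if src_name == dst_name:
                continue
            src_ip = str(ipaddress.ip_network(src_net)[10])
            dst_ip = str(ipaddress.ip_network(dst_net)[10])
            for port in ports:
                action, rule_name = evaluate(rules, src_ip, dst_ip, "tcp", port)
                if action == "allow":
                    leaks.append((src_name, dst_name, port, rule_name))
    return leaks


if __name__ == "__main__":
    print("leaky rule set:", check_isolation(LEAKY_RULES, TENANTS))
    print("isolated rule set:", check_isolation(ISOLATED_RULES, TENANTS))
```

The probe only samples one address per network and a handful of ports, which is enough to show the rule-ordering problem; a fuller check would enumerate the intersections of every allow rule's source and destination ranges with the tenant ranges.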

Explain the logging capabilities of the various VMware products.

If you feel I have covered something incorrectly please let me know, as I'm learning like everyone else and I certainly don't claim to be perfect (near it but not perfect). Also the vBrownbag covered the whole of objective 1 here.

Gregg



VCAP-CID Objective 2.1 – Determine Catalog Requirements for a Logical Design

Knowledge

Identify what can be included in a published catalog.

  • A published catalog is one that is created in the administrative organisation with all the required components and vApp templates, and published to all other organisations in the vCloud environment. It is good design practice to allow only the administrative organisation to publish its catalog and to deny this ability to all the standard organisations.
  • The components that can be included in a published catalog are:
    • Standardised gold master vApps that can consist of anything from a single virtual machine up to three-tiered offerings such as a web service with a web front end, an application server and a database server. These are verified templates that meet regulatory and security standards, which ensures consistency across the environment and provides consumers with verified offerings that can be deployed with ease. Guest customisation changes the identity of the vApp and can be used for post-deployment steps, such as joining vApps to domains.
    • vApp templates, which cannot be deployed directly but can be instantiated, creating a vApp that can be deployed and powered on.
    • Media such as ISO files for software and applications. These are also verified and commonly customised to ensure standardisation and to provide specific capabilities.

Identify what can be included in a private catalog.

  • A private catalog can have exactly the same components, but it is controlled by the user/group assigned the Catalog Author vCloud role. This catalog is limited to a specific organisation, and good design practice states you should limit the ability to publish it, thereby keeping it a private catalog.
  • This can still contain standardised vApps and ISOs, and if you are a service provider this is where the cloud consumer will place their own standardised vApps and ISOs so that their organisation can use them but other organisations cannot.

Identify permission controls for catalogs.

  • There are three predefined roles in vCloud that have varying permissions and rights to make changes and create components in catalogs. A breakdown of the predefined roles and their rights is contained in this documentation centre link.

Explain the functionality of a catalog.

  • This should be straightforward as this is VCP-IaaS level, and I think all the previous sections define it pretty well too. But just in case, I have pasted the VMware definition below:
    • VMware vCloud Director uses the concept of a catalog for storing content. Organizations have their own catalog that they can populate and share the contents with other organizations and users.

All entities in the catalog are stored in a content repository system. The content repository, a component in the vCloud Director storage subsystem, provides an abstraction to the underlying datastores while offering features to store, search, retrieve, and remove both structured and unstructured data.

Skills and Abilities

Based on application requirements, determine appropriate vApp configuration.

  • As I mentioned in the published catalog and private catalog sections above, you can configure vApps with multiple tiers to allow the organisations to provision these offerings in their vCloud organisation and maintain standardisation. If a customer asks for a web service offering then you can provide them with a three-tiered vApp with a web front end, an application server and a database server. There may even be an availability requirement for the offering, so you will create multiple front end and application servers and a clustered database back end.
  • Using the web service example, this will also require different networking to ensure the security of the offering, which means different servers connecting to different networks and vCNS endpoint devices being configured as part of the vApp. I am planning on creating a few of these as practice in Visio so that I can visualise them and make sure I know what they should look like, in case a Visio-style question comes up or I just need a good mental picture to make decisions for questions.

Determine appropriate storage configuration for a given vApp.

  • This follows closely to what I covered above but now you need to think of the storage offering the vApp components are going to be kept on and what storage you are going to allow the vApp to be deployed onto. Using my trusty web service example you wouldn’t want the database sitting on low end storage as this would severely impact the service.
  • This is what I think they are asking for, so if you think I'm wrong then please do tell me, as I'm also learning and sometimes it's difficult to glean what they mean; this could also relate to fast provisioning.

Given customer requirements, determine appropriate catalog design.

  • I think for this if you have created catalogs countless times and know what you can put in there and that they can be published to specific organisations from other organisations or published to all from the administrative organisation then designing it should be simple enough.

Determine the impact of given security requirements, on a catalog structure.

  • This may cover numerous things, but there are times when an organisation wants only certain vApps and ISOs in a catalog to be available to certain people, and so you can configure the catalog so that certain portions are only available to certain people.
  • There are also many organisations who have very customised and important virtual machines which they have converted to vApp templates, and they want these secured so that only a certain person can access them and only that person can provision them for others.

If you think I have totally missed something then please do tell me as I’m only learning and I’m certainly not perfect.

Gregg



VCAP-CID Objective 1.3 – Determine Capacity Requirements for a Conceptual Design

 

Skills and Abilities

Determine how storage and network topologies affect capacity requirements for a vCloud conceptual design.

  • This in my opinion can be taken in a few ways, so I welcome any feedback if you think I have looked at it the wrong way. The way I am looking at it is that how everything is connected to the differing portions of the environment obviously impacts the speeds that can be achieved, and thereby the capacity of virtual machines that can be run over a certain link for networking, or even over a specific NIC/switch/HBA/cable. So, using the networking topology as the example:
    • Network: For networking there are a number of constraints that can affect the capacity requirements for a vCloud conceptual design. To give an example I will use one that I am seeing a lot recently, which is a 10Gb NIC connection from each blade/rack server in your proposed vCloud environment. For this 10Gb link you need to carve it up (either via native hardware methods or via NIOC) for all the varying types of traffic that need to go over the link for your vCloud environment. Now if your network topology is inside an existing datacentre then you may have to connect to an existing top-of-rack switch which may only have the capability to provide two 10Gb connections per switch, and the price of two new 10Gb switches (to provide resiliency, obviously) won't fit in the budget. So for the conceptual design, if you need 10Gb of network traffic leaving each host to supply the network requirements of the virtual machines on the host, then you will need to either:
      • Change the hosts to have a sufficient number of NICs to provide this or
      • Go down an infiniband route or
      • Explain to the customer due to the constraint of having to use existing switches it is not possible to provide the required network bandwidth for each host so they will need to buy more hosts so that the virtual machines on each host get their required bandwidth.
    • This way of thinking applies exactly the same for storage and if you are running converged networking then it can be almost exactly the same.
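To show what "carving up" a 10Gb link actually does to the capacity left for virtual machine traffic, here is an added example (my own code, not from the post and not VMware's NIOC implementation): a generic proportional-share allocation with per-type limits, which is the principle behind share-based schedulers such as NIOC. The traffic types, share values and the 1Gb management limit are constructed for the example, and limits are expressed in Gbps for readability (NIOC itself takes Mbps). The second function turns the resulting VM share into the "buy more hosts or NICs" number the third option above refers to.

```python
import math
from typing import Dict, Optional, Tuple

# Constructed example: one saturated 10Gb uplink shared by four traffic types.
# name: (shares, limit in Gbps or None). Values are hypothetical.
LINK_GBPS = 10.0
POOLS: Dict[str, Tuple[int, Optional[float]]] = {
    "management": (50, 1.0),
    "vmotion": (50, None),
    "storage": (100, None),
    "vm": (100, None),
}


def allocate_bandwidth(link_gbps: float,
                       pools: Dict[str, Tuple[int, Optional[float]]]) -> Dict[str, float]:
    """Split a saturated link among traffic types in proportion to their shares.
    A type whose proportional share exceeds its limit is capped at that limit and
    the bandwidth it did not use is redistributed among the others (water-filling)."""
    alloc: Dict[str, float] = {}
    remaining = link_gbps
    active = dict(pools)
    while active:
        total_shares = sum(shares for shares, _ in active.values())
        if total_shares == 0:
            break
        capped = {
            name: limit
            for name, (shares, limit) in active.items()
            if limit is not None and remaining * shares / total_shares > limit
        }
        if not capped:
            # Nobody else is limited: hand out the rest purely by shares.
            for name, (shares, _) in active.items():
                alloc[name] = round(remaining * shares / total_shares, 3)
            break
        for name, limit in capped.items():
            alloc[name] = limit
            remaining -= limit
            del active[name]
    return alloc


def uplinks_needed(required_vm_gbps: float, vm_share_gbps: float) -> int:
    """How many such uplinks (or hosts, if each host has one) are needed so that
    VM traffic alone gets required_vm_gbps while the link is under contention."""
    return math.ceil(required_vm_gbps / vm_share_gbps)


if __name__ == "__main__":
    alloc = allocate_bandwidth(LINK_GBPS, POOLS)
    print(alloc)  # management is capped at 1.0; the other three share the remaining 9 Gb
    print("uplinks needed for 10 Gb of VM traffic:", uplinks_needed(10.0, alloc["vm"]))
```

With these numbers VM traffic is guaranteed only 3.6Gb of the 10Gb link under contention, so a requirement of 10Gb of VM traffic per host cannot be met on one uplink however the shares are tuned; that is the conversation with the customer the third bullet describes.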

Describe VMware vCloud Director and VMware vSphere functionality and limitations related to capacity.

  • This in my opinion is all about the vSphere and vCloud maximums, which are always something you have to keep in mind when doing a conceptual design. For example, the linked clone chain length limit is 30, after which a new shadow copy is created, which then uses more space on a new datastore and affects storage capacity. Actually knowing these functional metrics and limitations is something I have been learning from going through the vCAT documentation. I did think about listing all of them, but there are so many, and what they could impact is so vast, that I think this is something where you need to know the limitations and functional capabilities of the two products and then think about them in a holistic manner across the whole design and how they impact the conceptual design. Now remember the conceptual design is the "napkin" style design, so product names do not feature, but you need to understand at a certain level what is and is not possible with the products.
  • As I mentioned in my previous point, if you feel I am totally wrong then please do tell me in a friendly manner, as I am certainly not perfect and am doing this to learn.

Given current and future customer capacity requirements, determine impact to the conceptual design.

  • During your design workshops you will work out and record what the customer's current and future capacity requirements are, and then plan for, to give an example, the 20% year-on-year growth they require. So if their current requirements can be met with eight hosts, to be very simplistic, then you will need to ensure you have sufficient capacity not just in compute but also in storage, networking, cooling, power and switching.

Given a customer datacenter topology, determine impact to the conceptual design.

  • For this I think I covered it in the first section but you now need to look at the whole topology with storage, networking, power, rack space, distances between components, distances between datacentres, cooling and weight limitations to name a few off my head that may impact your conceptual design. So say for cooling you can only put in a certain amount of hardware into each rack which then impacts your conceptual design of how many blades can fit into the datacentre/server room.

Given cloud capacity needs, constraints, and future growth potential, create an appropriate high-level topology.

  • This is the point where you have done your design workshop and are now looking to do a high-level design of the environment that meets all the customer's needs and shows them you understand what they require and have planned for the future. The diagram below is a very basic version of what you would provide, based on networking, to show you understand their needs:

    [Diagram: basic high-level network topology (image not available)]



    VMworld US Day 1

    Now that the dust has started to settle on day 1 of VMworld US 2013, let's have a look at what was announced, what seems to have been missed from the keynote (a few things I feel are major improvements/fixes in vSphere/vCloud 5.5) and all the other important releases coming from the conference. *disclaimer* I am not at VMworld US, so this is my take from across the Atlantic.

    The day started with the keynote from VMware CEO Pat Gelsinger. I'm not going to give a minute-by-minute commentary on it, as I think the blog postings I mention below cover everything you need to know and you can watch the keynote for yourself. Also Scott Lowe has done a brilliant live blog of the keynote here.

    I was fortunate enough to again be invited to an early access blogger program by VMware almost two months ago around all the announcements that were due to come out at VMworld. It has been really hard as a consultant not to mention it to customers, especially the changes/rebuild of SSO. I did have a few blog postings in the works on the announcements but felt I could not do them justice, so I left it to better people, and I think I was right in doing so as Chris Wahl has done an amazing nine-part series on all the announcements, which I think is a great overview of all the new features and changes and would have destroyed mine:

    As I mentioned, one of the big changes in vSphere 5.5 that I felt should have been mentioned in the keynote, and would probably have got a loud cheer from the crowd, was the massive change to SSO. The SSO service has been almost totally rebuilt, and when I was on the early access blogger webinars everyone breathed a sigh of relief, as the SSO in vSphere 5.1 was not a simple thing to install, especially since it was recommended to break up all the individual components. This has now changed and it is recommended that they are all kept on one machine. Below is the now recommended layout for the vCenter Server design.

    [Diagram: recommended vCenter Server 5.5 layout with the SSO components on one machine (image not available)]

    Kendrick Coleman also gave a great overview of it from 30,000 feet here. For me the real improvement is the simple set of steps to set up SSO now, which are:

    1. Accept License agreement (EULA)
    2. Prerequisite check summary
    3. Edit default port number 7444 (if necessary)
    4. Select Deployment placement
    5. Provide Administrator@vSphere.local password
    6. Provide a site name or select a previous site name
    7. Edit destination directory (if necessary)
    8. Summary
    9. Installation Complete

    I'm one of the hosts of the EMEA vBrownbag, and all of the US vBrownbag and a few of the APAC vBrownbag team are out at VMworld US doing the very popular Tech Talks. The Tech Talks are 10 to 15 minute presentations by members of the VMware community on topics of their choice, almost like a mini #vBrownBag. They are being streamed live by the vBrownbag guys and are being recorded for people like me to watch when they can. The schedule for the Tech Talks can be found here. Make sure you watch the stream live and give the guys the support they deserve, as all of these presentations are from the community.

    Talking about the vBrownbag crew, one of the main culprits, Nick Marshall, has released alongside Scott Lowe, Forbes Guthrie, Matt Liebowitz and Josh Atwell (another vBrownbag host) the next instalment of the Mastering VMware vSphere book, for vSphere 5.5. A massive congratulations to Nick on this project, for being asked and for doing such an awesome job whilst still helping out on the vBrownbag. Nick has detailed the announcement on his blog here.

    One of the biggest announcements from the keynote was the release of VMware NSX. As Forbes Guthrie said, I'm waiting for NSXi, but until that day the below are some of the highlights of the new feature, and I would highly encourage you to read Chris Wahl's detailing of the feature linked above.

    NSX Highlights:

    • VMware NSX is a next-generation network virtualization solution
    • Provide the key functions of network virtualization: decouple, reproduce, and automate
    • NSX will support any hypervisor, any CMP, any network hardware
      • vSphere, KVM, and Xen are currently supported
      • CMPs currently supported are OpenStack, CloudStack, and vCAC/VCD
    • NSX optimized for vSphere leverages the platform’s enhanced functionality

    High-level View of VMware NSX Architecture: (diagram not available)

    VMware NSX Controllers:

    • Designed with a distributed, scale-out architecture.
      • Minimum of 3 controllers for an NSX controller cluster.
      • NSX optimized for vSphere scales to 5 controllers.
    • NSX controllers run a common code base in different form factors.
      • Controllers run as infrastructure/service VMs in NSX optimized for vSphere.
      • Controllers run as physical appliances in multi-hypervisor environments.
    • Controller functions optimized in each delivery option.

    VMware NSX Virtual Switches:

    • NSX uses programmable virtual switches on the hypervisors
    • In NSX optimized for vSphere, NSX leverages:
      • the vSphere Distributed Switch (VDS)
      • the UW (Userworld) Agent for communications with NSX controllers
    • In multi-hypervisor environments, NSX uses:
      • Open vSwitch for KVM and Xen
      • NSX vSwitch (an in-kernel virtual switch) for ESXi

    VMware NSX Gateways:

    • The gateways are the “on ramp/off ramp” into or out of logical networks
    • Both L2 (bridging) and L3 (routing) gateway functionality available
    • Basic functionality the same regardless of delivery option
      • NSX optimized for vSphere leverages NSX Edge (derived from vCNS Edge)
      • In multi-hypervisor environments, gateways are physical appliances leveraging a scale-out architecture

    VMware have also posted the What's New pdf for vSphere 5.5, which gives you a very good overview of all the new features and services, here.

    VMware have released a new VMware certification called the VMware Certified Associate for those people looking to get into the IT industry. Unlike the VCP there is no required training but there are free eLearning courses available for people to skill up for the exam. These do look like a good starter for people thinking of learning the basics of virtualization and in my opinion would be great for high school students thinking of going into IT and virtualization after high school.

    Well that is what caught my attention from day 1 of VMworld US. I’m looking forward to more information coming out and to getting my hands on all the new vSphere 5.5 tools.

    Gregg



    VMware vCloud Hybrid Service Beta Impressions

    Almost two months ago I was selected as one of the very fortunate few VMware vExperts to participate in the VMware vCloud Hybrid Service beta. If you’ve not heard of vCloud Hybrid Service (vCHS) or not entirely sure what it is, then I’d recommend watching these videos before reading on:

    “An Introduction to VMware vCloud Hybrid Service”

    “A Look Inside vCloud Hybrid Service”

    We were all provided a portion (or slice?) of a virtual datacenter in a multi-tenant cloud. As a bonus I got to share mine with two VCDXs, Chris McCain and Matt Vandenbeld. It's always super exciting for a nerd like me to be able to do some of the cutting-edge stuff with some of the top names in the industry.

    Impressions:

    The custom portal for vCHS looks extremely sleek and very intuitive for anyone using it for the first time or who may not have even used the vCloud GUI extensively. The front page presents you with a good overview of all your resources bundled into a Resource Snapshot section. You can easily review how much of your total resource is utilized and if you have more than one virtual datacenter you’ll observe the same utilization report per instance.


    The virtual datacenter that I shared among three other people was number 25-202. If you click on the virtual datacenter in the Virtual Datacenters section above then it will take you through to your virtual datacenter page where you can check on your Usage & Allocation, Virtual Machines, Gateways, Networks and the Users who have access to this Virtual Datacenter.

    [Screenshots of the virtual datacenter page: Usage & Allocation, Virtual Machines, Gateways, Networks (images not available)]

    I created a number of virtual machines for a test I am planning to blog about around using vCenter Configuration Manager in vCHS. One of these virtual machines is an MS SQL server which you can see below. You can access your virtual machines from either the virtual machines tab at the top of the page or via the Virtual Datacenter tab shown previously. If you are a user with permissions to access the vCHS vCloud Director portal (VPC Administrator) you’re able to manage VMs that you have permissions to using vCloud Director by simply clicking Manage VM in vCloud Director (shown below).


    Personally I prefer working in the vCloud Director portal as this is something I’m very familiar with but the vCHS portal is more than adequate to undertake administration, it’s not too dissimilar to the standard vCloud one with an organization administrator view.


    The flagship feature of the vCHS hybrid cloud connectivity is the ability to migrate workloads using VMware's vCloud Connector, with the new Data Center Extension in vCC 2.5, between your private vCloud instance and vCHS. I'm still testing this functionality, but from what I've seen so far the stretch deploy feature is looking like an amazing use case for people looking to migrate high-workload resources to vCHS. Chris Colotti covered a real-world case and how he utilised stretch deploy here and here.

    My initial impression of this service is really good and I'm looking forward to getting even more stuck in with real-world customers and requirements. I'll hopefully have my VCM blog posting out very soon, although with all the goodness coming out of VMworld US it's going to be hard.

    Gregg



    VCAP-CID Objective 1.2 – Identify and Categorize Business Requirements

    Knowledge

    Identify discovery questions for a conceptual design (number of users, number of VMs, capacity, etc.)

    • These are the questions you are going to ask during the design workshop for the design/project. For the workshop you need to make sure you have the applicable project participants/stakeholders who can join the workshops (it depends whether you want one big workshop where people come and go at certain points, or multiple ones where you speak to each business unit/team). For the stakeholder meetings/design workshops I personally like to try to bring in the following people; this does vary depending on the project and what has been chosen, but 9 times out of 10 these are the people you want to speak to:
        • Virtualisation administrators (if applicable. If not already present then future administrators of the solution)
        • Server Hardware Administrators
        • Backup Administrators
        • Storage Administrators
        • Desktop/OS Administrators
        • Network Administrators
        • Application Administrators (these are very important as their applications may have very specific requirements)
        • Security Officer
        • Project Sponsors
        • End users/ Help desk personnel (this I find is helpful to find out what are the current support desk tickets/problems the company are facing and if these will impact the project in any way. Also these discussions are easy to have in the hallway/over a coffee but have alerted me to unknown risks that would have severely impacted the design and delivery)


    Identify the effect of product architecture, capabilities, and constraints on a conceptual design.

    • I may be looking at this the wrong way, but I think this is actually about how a specific product's architecture, capabilities and constraints aren't applicable in a conceptual design, as for a conceptual design you are only creating a "napkin" design diagram of how the whole environment is going to be delivered.

    Skills and Abilities

    Relate business and technical requirements to a conceptual design.

    • From one of the VMware service delivery kits available to VMware partners they give a great breakdown of what requirements are and what business and technical requirements are:
      • Requirement – Documented statement that depicts the requisite attributes, characteristics, or qualities of the system
      • Business requirements – Describes what must be achieved for the system to provide value
        • System must provide self-service capability
        • System must provide x% availability
        • System must provide optimal scalability and elasticity
      • Technical requirements – Describes the properties of a system which allow it to fulfill the business requirements
        • System requires a Web portal where users can log in securely and deploy virtual machines based on defined policies
        • System must have fully redundant components throughout entire stack (host, network, storage)
        • System leverages virtualization technology and associated features
    • As mentioned, these requirements will be gleaned from the design workshops/stakeholder meetings and then put into the conceptual design. This is where you would work out whether the customer requires a private, hybrid, public or even community cloud deployment. For example, if the customer requires certain data to remain in a country for regulatory reasons, then in the conceptual design you know that compute resources, networking and connectivity between that country and the primary site need to be available. The speeds, number of hosts, make of hosts and amount of memory and vCPU are not in the conceptual design, as this is the "napkin" design just covering the concept of how it will all work out, and they may actually change once you get to the logical and physical designs.
    Number Requirement
    R001 Virtualise the existing 6000 UK servers as virtual machines, with no degradation in performance when compared to current physical workloads
    R002 To provide an infrastructure that can provide 99.7% availability or better
    R003 The overall anticipated cost of ownership should be reduced after deployment
    R004 Users to experience as close to zero performance impact when migrating from the physical infrastructure to the virtual infrastructure
    R005 Design must maintain simplicity where possible to allow existing operations teams to manage the new environments
    R006 Granular access control rights must be implemented throughout the infrastructure to ensure the highest levels of security
    R007 Design should be resilient and provide the highest levels of availability where possible whilst keeping costs to a minimum
    R008 The design must incorporate DR and BC practices to ensure no loss of data is achieved
    R009 Management components must be secured with the highest level of security
    R010 Design must take into account VMware best practices for all components in the design as well as vendor best practices where applicable
    • For Technical Requirements a great way of doing it is to break them down into sections like:
      • Virtual Datacentre Requirements – eg: Allocation model Virtual Datacenter reserves 75% of CPU and memory
      • Availability Requirements – eg: VMware vCloud Director (clustering, load balancing)
      • Network Requirements – eg: Organizations have the ability to provision vApp networks
      • Storage Requirements – eg: Different tiers of storage resources must be available to the customer (Tier 1 = Gold, Tier 2 = Silver, Tier 3 = Bronze)
      • Catalogue Requirements – eg: Catalog items are stored on a dedicated virtual datacenter and dedicated storage
      • SLA Requirements – eg: SLA Requirement #1 – Networking 100%
      • Security Requirements – eg: Organizations are isolated from each other
      • Management Requirements – eg: Only technical staff uses remote console access
      • Metering Requirements – eg: Metering solution must monitor vApp power states for PAYG
      • Compliance Requirements- eg: Solution must comply with PCI standards
      • Tenant Requirements – eg: Customer requires the ability to fence off vApp deployments
    • To make sure you are doing the design in a VCDX-like manner which should push you to do it at a very high level, don’t forget to refine the customer-specific technical requirements and validate that they are specific, measurable, accurate, realistic, and testable (SMART).

    Gather customer inventory data.

    • This is what is going to be on the new vCloud system, whether it is existing workloads or new workloads. A good way of getting this, if the customer allows it, is to run a VMware Capacity Planner collection on the existing workloads that are going to be migrated in, so you know sizes, I/O and current-state analysis values. The Capacity Planner can only be run by VMware partners, so if this isn’t possible for you then manual collection and recording is going to be required. Another method is via the VMware vCloud Planner, which is another tool only available to VMware partners, so getting a VMware partner in to do this for you prior to the project starting may be a good idea.
    • Also, knowing what the customer already has can help you understand possible future constraints, for example that all their current servers are IBM and so this is likely to be the server platform for this design.
    • There may also be a requirement to use existing legacy physical kit already present in the datacentre, which needs to be recorded and fully understood so that the risks and constraints of using this infrastructure are clear. For example, if you are using legacy network switches which can’t do stretched VLANs, this will impact your design substantially if you have two sites and a requirement for the Management cluster to be failed over/migrated in the event of a disaster.

    Determine customer business goals.

    • Put plainly, this is what the customer is looking to gain from the deployment of this solution: at the end of the project, what do they hope to achieve? These are sometimes not as clear as you may hope, as people have different ideas of what they want the solution to achieve. As the architect you will need to take all of these business requirements, set expectations where they are unrealistic for reasons such as cost or pre-selected hardware, then define them and get sign-off from the customer that they agree to them before any additional work is done. This is very important, as if these aren’t defined and agreed to by the customer then scope creep can happen, which could cause the project to fail.

    Identify requirements, constraints, risks, and assumptions.

    • I’m not going to go into great depth here, as I think the definitions of each will give you a good idea of what they are. During the design workshops/stakeholder meetings these are worked out, recorded and agreed to by the customer. Always remember that for any design you need to collect all of these, then look at them in a holistic manner and understand the impacts of each decision.
      • Requirements – Documented statement that depicts the requisite attributes, characteristics, or qualities of the system. See above portions around Business and Technical requirements plus the examples.
      • Constraints – Requirements that restrict the amount of freedom in developing the design
        • Hardware which already exists and must be used (for example, host or storage array)
        • Physical limitations (distance between sites, datacenter space)
        • Cost $$$
      • Risks – Potential issues that may negatively impact the reliability of the design
        • Lack of redundancy for specific hardware component
        • Support staff has not had any training
      • Assumptions – Suppositions made during the design process regarding the expected usage and implementation of a system
        • Provides a sounding board for design decisions which must be validated
        • Hardware required is installed before vCloud implementation
        • Network bandwidth is not a limiting factor for external end users
        • Appropriate training is provided to existing technical staff
      • For assumptions and risks I like to get these highlighted to the customer right away, as you normally want as few assumptions as possible. For the assumptions you do record in your design, you want these to have been realistically clarified already, so that they are only there to ensure that, if what the customer promised would be there isn’t, you can refer them to the assumptions they signed off.

    Given customer requirements and product capabilities, determine the impact to a conceptual design.

    • This I think is covered above in places, but it is also something you can only really learn from actually doing a design and understanding how requirements shape a design and what impact each of them has. On a conceptual design the impact isn’t as large as in a logical and physical design, but limitations like keeping workloads in specific geographies, and the capability of vCloud stretched clusters between the two locations for example, are things that will impact the conceptual design. I would also read the service definitions listed below in the recommended tools from the blueprint and the implementation examples from the vCAT.

    Tools

    If you feel I have missed something or am wrong on something then please do comment, as I don’t proclaim to be the best and am always learning and welcome constructive criticism and feedback.

    Gregg



    VCP5-IaaS Exam Experience

    This morning I sat the VCP5-IaaS exam and am very pleased to say I passed it and with a pretty good score too! I decided to do the exam as I have been busy with a number of vCloud engagements and had a spare few days to prepare and get it done whilst the ability to gain the VCP5-Cloud if you have the VCP5-DCV was still available.


    Resources

    My preparations for the exam were fairly short as I only had two weeks of solid study before sitting the exam, that’s not to say I didn’t have a solid understanding of vCloud prior and I have been working with vCloud since the 1.0 days and have done a number of vCloud design and deployment engagements. The resources I used for the exam are as follows:

    - The Trainsignal VMware vCloud Director Essentials videos by David Davis. I used these videos quite a while ago when they first came out, which helped me gain a very good base knowledge, and used a few of the videos again as the VCP5-IaaS exam is based on vCloud 1.5 and I have been using vCloud 5.1 most recently, so needed to try to remember/block out a few things.

    - I also used the Trainsignal VMware vCloud Director Organizations set of training videos done by Jake Robinson. These are also based on vCloud 1.5 but give a great view of how an organisation administrator would do tasks.

    - The third set of Trainsignal videos I used for my preparations was the VMware vCloud Director 5.1 Essentials set of videos by VCDX #104 Chris Wahl. These are for vCloud 5.1 whereas the test is vCloud 1.5, but the videos were brilliant and Chris explains vCloud networking amazingly, which is the hardest part to get your head around in vCloud.

    - For the above three sets of videos I followed along whilst doing it all in my lab and would HIGHLY recommend doing it this way as I don’t think you can understand vCloud without actually doing it yourself.

    - Paul McSharry created three practice tests for the VCP5-IaaS which can be done here: VCP5-IAAS Practice Test 1, Test 2 and Test 3. These were great as a last-minute practice test late yesterday to make sure I wasn’t missing anything.

    - VMware vCenter Chargeback Manager is a big portion of the exam and I used the VMware vCenter Chargeback Fundamentals course to get my knowledge up to speed on the product. This course is really good and massively important as if you haven’t used Chargeback before you will be lacking in the exam.

    - We did a few of the VCP5-IaaS objectives on the EMEA vBrownbag and I watched these, as the way the guys cover the components is extremely helpful. They can be downloaded from iTunes here.

    - Lastly, I used the vCloud Architecture Toolkit (vCAT) PDFs, which I read through and made sure I understood. This was probably a bit of overkill, as the VCP5-IaaS exam is the entry-level exam whereas the vCAT is geared more towards the CIA and CID, but it gave me a great holistic view of how everything worked, so if you have the time I would recommend reading them, or at least some of them.


    The Exam

    Due to my last two exams being the VCAP5-DCA and VCAP5-DCD, I was used to having to burn through the exam/questions, so going through the 85 questions was quite refreshing, and the exhibits and questions were also fairly straightforward. I finished quicker than I thought I would, which I put down to being used to the VCAP exam pace, and felt the questions were easier than, for example, the ones in the VCP5 (DCV).


    Conclusion

    Good luck to anyone looking to do the exam. I felt it was really fair, although I may still be in a VCAP mind-set, and it is much shorter than the VCP5-Cloud, so if you have your VCP5 already then I would say go for this whilst the “upgrade” path is still available. For me, I think I am done for quite a while now and will be focusing on slowly building my VCDX design for a future submission.


    Gregg
