Bahubali Shetti and Dan Illson
MMC2820BU
#VMworld #MMC2820BU
Live Demo: 3 Best Practices for Deploying, Managing and Securing AWS EC2 Apps with VMware Cloud Services
VMworld 2017 Content: Not for publication or distribution
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
#MMC2820BU CONFIDENTIAL
Agenda
• VMware Cloud Strategy: VMware Cloud Services positioning and overview
• Managing and operating an application in AWS EC2 with VMware Cloud Services
• Access and use of VMware Cloud Services
• Q&A
VMware Cloud: Run, Manage, Connect, Secure Any App on Any Cloud to Any Device
• Existing Apps (Virtual Machines): Reduce Costs • Security • Reliability • Control
• Cloud Native Apps (Containers): Time to market • Innovation • Scale • Differentiation
• Consistent Infrastructure: VM Infrastructure • Container Infrastructure
• Consistent Operations: Management and Operations • Across Clouds
• VMware Cloud Services (Cloud Management): Visibility • Operations • Automation • Security • Governance
• VMware Cloud Infrastructure: VMware Cloud on AWS (for VMware) • Public Cloud IaaS
Integration of multiple clouds has introduced new cloud silos, leading to Operations Complexity + Increased Risk Exposure:
• Application sprawl
• Inefficient cost management across multiple clouds
• Compliance gaps due to different architectures
• Inconsistent security architectures and policies that aren’t aligned to different solutions
• Lack of expertise on specific platforms and exposure to human error
• Lack of visibility into and across multiple clouds
VMware Cloud Solutions: Initial set of services to Manage, Secure, Monitor and Automate Public and Private Cloud Infrastructure, and Applications
VMware Cloud Services span apps in the on-premises data center and in the public cloud: Discovery, Cost Insight and Network Insight (Governance); NSX Cloud and AppDefense (Security); Wavefront (App Visibility).
VMware Cloud Services: Manage, Govern and Secure Public and Private Cloud Apps
• Discovery: Visibility into apps and the resources they consume. Analyze usage and utilization across clouds.
• Cost Insight: Accounting and cost optimization for multiple clouds. Track and analyze your costs and trends.
• NSX Cloud: Secure networks with micro-segmentation. Create private networks within or across clouds.
• Network Insight: Operational visibility, control, and compliance across clouds. Optimize performance, health, and availability.
• AppDefense: Governance for running workloads.
• Wavefront: Metrics-driven monitoring and real-time analytics.
• Reduce Management Complexity and Speed Time-to-Market
• Improve Operational Efficiency and Lower OpEx
• Optimize Visibility and Decision-Making About Cloud Costs and Spend
• Protect Sensitive Data and Reduce Risk to the Business
• Innovate in the clouds you choose
• Allow operations to focus on applications, rather than infrastructure
Typical New Age Cloud Deployment: Using AWS and on-prem Resources
• New age company launching a new product and preparing for an influx of large product requests
• Distributed deployment across AWS and vSphere: a typical 3-tier app, deployed in AWS us-west and us-east, with the DB in vSphere in SF
• Using AWS to develop and deploy the production application that takes product requests
Diagram: three sites (AWS, AWS, vSphere), each with DEV, APPS and DB.
Demo Overview
Users | Functionality Covered
Developers/DevOps | Review operations surrounding the app (Wavefront)
Infra/Cloud Admin | Identify deployment risks and issues in AWS (Network Insight)
Infra/Cloud Admin | Correct deployment and prevent future issues in AWS (NSX Cloud)
CIO/Finance/Infra-Cloud Admin | Optimize deployment across all clouds (Cost Insight)
Application being managed for demo: typical three-tier app in an AWS VPC
• Web Tier: NGINX (WEB) x2. Standard NGINX servers acting as a pair of redundant load balancers in front of the App servers.
• App Tier: DJANGO (APP) x3. Django-based app that serves the web pages and processes requests.
• DBLB Tier: DB Load Balancer (HAPROXY).
• DB Tier: MYSQL x2. Standard MySQL master-slave pair.
Wavefront Demo
Wavefront (APP VISIBILITY): Unified Visibility for Cloud Applications
Real-time metrics monitoring at scale
Gathers high-velocity telemetry from cloud applications into a real-time metrics store to query advanced analytics, render visualizations for anomaly detection, analyze trends, and get intelligent alerts.
"First Pane of Glass" Visibility
Overlay on top of log data, APM, traditional up/down checks, and other data silos to provide end-to-end visibility on every level of the application stack: from compute, network, and storage up through containers, application code, user behavior, and business metrics.
Shared model of application/system for both developers and ops
Enable DevOps culture and AIOps through common tooling, instant shared context through shareable active links, self-serve instrumentation, and formalizing application domain knowledge into custom queries/dashboards/alerts.
Network Insight Demo
Network Insight (GOVERNANCE): Comprehensive network visibility and analytics to simplify network and security planning, troubleshooting and operations
Plan and manage security across clouds
Analyze traffic flow patterns across AWS and private clouds to understand application dependencies and to accelerate your cloud micro-segmentation strategy.
Quickly troubleshoot issues with 360-degree cloud visibility
Get comprehensive visibility into AWS and SDDC hybrid cloud infrastructure, including physical network devices, AWS VPCs, and security groups. Resolve connectivity issues by examining the flow of data between virtual and physical network layers.
Maximize the returns on your investment in VMware NSX
Manage and troubleshoot NSX at scale to ensure health and availability of the deployment, leveraging standard networking knowledge.
NSX Cloud Demo
NSX Cloud (SECURITY): Consistent networking and security for applications running in public clouds
Single Pane of Glass Management and Common API
Enables cloud IT to simplify and scale operations, improve standardization and compliance, and lower OpEx for applications running in public clouds.
Scalable Micro-segmentation Security for Applications
Micro-segmentation allows for easy control over East-West traffic between application instances: define and deploy policy once.
Control and Agility via Overlay Networking
Overlay networking gives you precise control over the networking topologies, traffic flows, IP addressing, and protocols.
Cost Insight Demo
Cost Insight (GOVERNANCE): Analyze and compare cloud spend, find savings opportunities and communicate the cost of services to the business
Avoid blind spots with comprehensive cost visibility
Get the comprehensive visibility necessary to understand total costs, whether public or private, as well as the ability to drill deeper to understand key cost drivers.
Ensure systematic cost control
Proactively monitor cost trends and compare them against planned budgets to avoid cost overruns.
Lower costs by identifying cloud waste
Identify powered-off or idle virtual machines and unused cloud storage resources, and optimize license costs to minimize wastage.
Discovery (GOVERNANCE): Automated inventory detection system that brings together inventory information from public and private clouds
Holistic view of cloud resources
Discovery understands the intricacies of different public and private clouds and automates the tedious process of building those cloud integration points so that you can quickly gather the inventory data from multiple sources.
See your cloud the way you want
Discovery offers you the flexibility to organize your cloud resources into custom groups such as projects, teams, applications or cloud environments to mirror your business requirements.
Continuous and automated inventory detection
Once users configure cloud accounts and inventory collectors, they can automatically detect any changes to inventory and continuously monitor the state of cloud workloads over time.
AppDefense (SECURITY, not demonstrated in this session): Data center endpoint threat detection and response
Reliable threat detection for data center endpoints
AppDefense understands what an application should look like (the application’s “intended state”) and detects changes from this intended state that indicate a potential threat.
Automated threat response
When a threat is detected, AppDefense leverages NSX and the vSphere hypervisor to automate a number of different responses depending on the nature of the threat.
Increased isolation from the attack surface
Because AppDefense is installed in the hypervisor, it is isolated from the guest attack surface: even if malware or a bad actor gains access to an endpoint, they cannot tamper with AppDefense itself from inside that guest. The trust boundary is the hypervisor, so a guest-to-host escape is the caveat to keep in mind.
Summary: What was demonstrated in VMware Cloud Services? Pinpoint an issue, resolve it, and improve security deployments in a multi-cloud environment
• Analysis of an application issue by a developer (Wavefront): monitoring and analysis of MySQL metrics in correlation with app network metrics.
• Resolving an application issue and finding security violations in AWS VPCs by the Cloud Admin (Network Insight): pinpointing the issue and its resolution, plus additional analysis of security policies across multiple applications in multiple AWS VPCs and across vCenter locations. The developer then understands the security issues/violations.
• Locking down an application in AWS with the appropriate security policy by the Cloud Admin (NSX Cloud): develop and apply a policy for all tiers of the application against the development deployment.
• Reviewing and understanding developers’ spend on AWS by the VP of Cloud Engineering (Cost Insight/Discovery): analyze resources used and the cost of development.
Diagram: the developer’s dev deployment in an AWS VPC: NGINX (WEB) x2, DJANGO (APP) x3, DBLB (HAPROXY), MYSQL x2.
Summary: Security Policy Deployed using NSX Cloud. NSX Cloud secures the dev environment
APPLICATION SECURITY POLICY A:
• Only allow SSH traffic from within the subnet (i.e. the jumpbox)
• Only allow port 80/443 into the WEB Tier
• Only allow the App Tier to accept traffic from the Web Tier
• Only allow the DB Tier to accept port 3306 traffic from the App Tier
• Allow the DB Tier to talk to the DB Tier
Diagram: the developer’s dev deployment in an AWS VPC: NGINX (WEB) x2, DJANGO (APP) x3, DBLB (HAPROXY), MYSQL x2.
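Policy A above is stated as five tier-to-tier sentences; the second best practice later in the deck turns such sentences into flows observed with Network Insight, grouped security groups, and firewall rules. The following is an added example, not code from the deck or from VMware, that encodes Policy A as tier-based rules, renders each tier’s rules in the shape of security-group ingress entries, and audits a constructed set of observed flows against the policy (default deny: anything no rule permits is a violation). Assumptions: the tier names WEB, APP, DBLB, DB are taken from the demo app; JUMPBOX is a hypothetical tier standing in for “within the subnet”; the `sg-<tier>` group names and the flow records are invented. Run as written, it also shows the gap a practitioner would spot: Policy A never mentions the HAProxy DBLB tier, so the app’s own APP to DBLB:3306 path is reported as not permitted.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Tiers of the demo app plus a hypothetical JUMPBOX tier (the "within
# subnet" SSH source). INTERNET is the only non-tier source Policy A names.
TIERS = ("WEB", "APP", "DBLB", "DB", "JUMPBOX")
INTERNET = "INTERNET"
ANY = None  # ports=None means any TCP destination port


@dataclass(frozen=True)
class Rule:
    src: str                        # tier name or INTERNET
    dst: str                        # tier name
    ports: Optional[FrozenSet[int]]  # permitted TCP dst ports, or ANY

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (self.src == src and self.dst == dst
                and (self.ports is ANY or port in self.ports))


def policy_a() -> List[Rule]:
    """Application Security Policy A from the slide, one Rule per statement."""
    rules = [
        Rule(INTERNET, "WEB", frozenset({80, 443})),  # only 80/443 into WEB
        Rule("WEB", "APP", ANY),                       # APP accepts only from WEB
        Rule("APP", "DB", frozenset({3306})),          # DB accepts 3306 from APP
        Rule("DB", "DB", ANY),                         # DB tier talks to DB tier
    ]
    # SSH only from within the subnet (the jumpbox), to every other tier
    rules += [Rule("JUMPBOX", t, frozenset({22})) for t in TIERS if t != "JUMPBOX"]
    return rules


def is_allowed(rules: List[Rule], src: str, dst: str, port: int) -> bool:
    """Default deny: a flow is allowed only if some rule matches it."""
    return any(r.matches(src, dst, port) for r in rules)


def audit(rules: List[Rule], flows: List[Tuple[str, str, int]]):
    """Return the observed (src, dst, port) flows that no rule permits."""
    return [f for f in flows if not is_allowed(rules, *f)]


def render_ingress(rules: List[Rule]):
    """Group rules by destination tier as security-group-style ingress entries.
    A tier source becomes a reference to that tier's group (hypothetical name
    sg-<tier>), which is how "define policy once" avoids per-instance IP lists."""
    ingress = {t: [] for t in TIERS}
    for r in rules:
        source = "0.0.0.0/0" if r.src == INTERNET else f"sg-{r.src.lower()}"
        ports = [(0, 65535)] if r.ports is ANY else [(p, p) for p in sorted(r.ports)]
        for lo, hi in ports:
            ingress[r.dst].append({"protocol": "tcp", "from_port": lo,
                                   "to_port": hi, "source": source})
    return ingress


# Constructed flow sample standing in for Network Insight / VPC flow records.
OBSERVED_FLOWS = [
    (INTERNET, "WEB", 443),
    (INTERNET, "WEB", 22),      # SSH exposed to the internet
    ("WEB", "APP", 8000),
    (INTERNET, "APP", 8000),    # APP reachable without going through WEB
    ("APP", "DB", 3306),
    ("APP", "DBLB", 3306),      # not covered: Policy A never mentions DBLB
    ("DB", "DB", 3306),
    ("JUMPBOX", "DB", 22),
    ("WEB", "DB", 3306),        # WEB talking straight to DB
]

if __name__ == "__main__":
    rules = policy_a()
    for flow in audit(rules, OBSERVED_FLOWS):
        print("VIOLATION", flow)
    for tier, entries in render_ingress(rules).items():
        print(tier, entries)
```

The audit reports four flows: the two internet exposures, the WEB-to-DB shortcut, and the APP-to-DBLB path that the written policy omits. The last one is the useful result: either DBLB gets its own two statements (APP to DBLB on 3306, DBLB to DB on 3306) or the DB statement is rewritten to name DBLB as the source, and that decision should be made from the flows before the rules are instantiated in NSX Cloud or as security groups.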
What can be done next? Use NSX Cloud to apply policy in ALL deployments during the development lifecycle
• The Cloud Administrator used NSX Cloud to secure the dev environment
• Security Policy A was developed: firewall rules across all tiers
• The developer deploys the production application
• The Cloud Administrator applies Security Policy A to the production environment
Diagram: the same Application Security Policy A applied to both the developer’s dev deployment and the production deployment, each an AWS VPC with NGINX (WEB) x2, DJANGO (APP) x3, DBLB (HAPROXY) and MYSQL x2.
Operational Best Practice 1: Understand Application Entry Point(s)
• Will the application be accessed via a private network (VPN/Direct Connect) or the internet?
• If accessed via the internet, will an instance be directly accessed, or will a load balancer be used?
• What IP address space / DNS zone will be used for instance management? Will this be reachable from corporate network(s)?
All points will facilitate building the security policy and deciding how to enforce it via NSX Cloud, Amazon Security Groups, or a combination of the two.
Operational Best Practice 2: Perform Security Analysis
• Use Network Insight to determine the required flows between application components
• Group components with like requirements into NSX Cloud network security groups
• Build an NSX Cloud firewall section per application (or set of applications) with like policy requirements
• Instantiate firewall rules as identified through Network Insight
• Enable AppDefense collection of intended and runtime state behavior
All points will facilitate building the security policy and deciding how to enforce it via NSX Cloud, Amazon Security Groups, or a combination of the two.
Operational Best Practice 3: How to prepare and build images (AMIs) for EC2 instance creation
For existing applications:
• Install the Wavefront Proxy and metrics agents (Telegraf) on all instances that need monitoring and analysis
• Install NSX Cloud Agents on all instances in ALL VPCs that need security management
• Install Cost Insight and Network Insight vCenter Proxy VMs in all vCenter locations tied to AWS resources
• Build application “models” in Network Insight to manage applications across all AWS VPCs
For new applications:
• Embed the metrics agents (Telegraf) and the NSX Cloud Agent in all images used by development
• Install Cost Insight and Network Insight vCenter Proxy VMs in all vCenter locations tied to AWS resources
Security posture based on Operational Best Practice 2:
• Build appropriate security policies (firewall rule sets) in NSX Cloud to consistently deploy across ALL applications
• Ensure developers use predefined “approved” security groups for AWS
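The two controls this practice ends on (instances built from images that carry the agents, and instances attached only to approved security groups) are only worth anything if something checks them continuously over the inventory. The following is an added example, not code from the deck or from VMware, of that check over a constructed inventory: each instance is expected to run an approved image, carry a Tier tag, have the approved group for its tier, and have no other groups beyond a shared SSH-from-jumpbox group. The AMI IDs, security group names, tag key and instance records are all invented; a real inventory would come from Discovery or an EC2 describe-instances call, and its tags would need flattening into a dict first.

```python
from typing import Dict, List

# Hypothetical approved images (baked with Telegraf and the NSX Cloud Agent)
# and the approved security group per application tier. Names are invented.
APPROVED_AMIS = {"ami-web-base", "ami-app-base", "ami-db-base"}
APPROVED_SGS = {"WEB": "sg-web", "APP": "sg-app", "DBLB": "sg-dblb", "DB": "sg-db"}
COMMON_SGS = {"sg-jumpbox-ssh"}   # permitted on any tier: SSH from the jumpbox

# Constructed sample inventory, pre-flattened to a dict per instance.
INSTANCES = [
    {"InstanceId": "i-0001", "ImageId": "ami-web-base", "Tags": {"Tier": "WEB"},
     "SecurityGroups": ["sg-web", "sg-jumpbox-ssh"]},
    {"InstanceId": "i-0002", "ImageId": "ami-app-base", "Tags": {"Tier": "APP"},
     "SecurityGroups": ["sg-app", "sg-dev-allow-all"]},   # ad hoc developer group
    {"InstanceId": "i-0003", "ImageId": "ami-unknown", "Tags": {"Tier": "DB"},
     "SecurityGroups": ["sg-db"]},                        # image without the agents
    {"InstanceId": "i-0004", "ImageId": "ami-app-base", "Tags": {},
     "SecurityGroups": ["sg-app"]},                       # no Tier tag: ungovernable
    {"InstanceId": "i-0005", "ImageId": "ami-db-base", "Tags": {"Tier": "DB"},
     "SecurityGroups": ["sg-app"]},                       # wrong tier's group
]


def check_instance(inst: dict) -> List[str]:
    """Return a list of finding codes for one instance (empty if compliant)."""
    findings = []
    if inst["ImageId"] not in APPROVED_AMIS:
        findings.append("unapproved-ami")
    tier = inst["Tags"].get("Tier")
    if tier not in APPROVED_SGS:
        # Without a known tier there is no policy to compare against.
        findings.append("missing-or-unknown-tier-tag")
        return findings
    attached = set(inst["SecurityGroups"])
    expected = APPROVED_SGS[tier]
    if expected not in attached:
        findings.append(f"missing-{expected}")
    for sg in sorted(attached - {expected} - COMMON_SGS):
        findings.append(f"unapproved-sg:{sg}")
    return findings


def compliance_report(instances: List[dict]) -> Dict[str, List[str]]:
    """Map each non-compliant instance ID to its findings."""
    report = {}
    for inst in instances:
        findings = check_instance(inst)
        if findings:
            report[inst["InstanceId"]] = findings
    return report


if __name__ == "__main__":
    for instance_id, findings in compliance_report(INSTANCES).items():
        print(instance_id, ", ".join(findings))
```

Only i-0001 passes. The report separates the image problem (an instance that will be invisible to Wavefront and NSX Cloud because the agents were never baked in) from the security group problems (an extra permissive group, a missing tier group, and an untagged instance that cannot be assigned any policy), which is the split a cloud admin needs when deciding whether to fix the image pipeline or the developer's deployment.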
Deploy and manage applications and security policies with VMware Cloud Services
• Enable developers to monitor and analyze applications using Wavefront: monitoring and analysis of application and compute metrics.
• Continuously monitor and analyze application security and network configuration in AWS/vSphere with Network Insight: understand violations, app vulnerabilities and their resolution, with continuous analysis of security policies across multiple applications in multiple AWS VPCs and Regions and across vCenter locations.
• Develop, deploy and manage consistent security policies using NSX Cloud: develop and apply a policy for all tiers of the application against the development deployment, across all AWS VPCs and Regions.
• Continuously review and understand developers’ spend on AWS with Discovery and Cost Insight: analyze resources used and the cost of development, both predictively and historically, and find efficiencies and waste.
Request Access @ cloud.vmware.com
Getting Started with VMware Cloud Services is also Easy
• Visit cloud.vmware.com
• Request Access and Get Approved
• Log onto console.cloud.vmware.com and start using
Sessions, Booth and Theatre Presentations for VMware Cloud Services
MMC1464QU | How to Use Cloud Formations in vRealize Automation to Build Hybrid Applications That Span and Reside On-Premises & on VMware Cloud on AWS and AWS Cloud | Quick Talk | Vijay Raghavan, Manu Prasanna
MMC1532BU | Using VMware NSX for Enhanced Networking and Security for AWS Native Workloads: Part 2 | Breakout Session | Amol Tipnis, Percy Wadia
MMC2046BU | Using VMware NSX for Enhanced Networking and Security for AWS Native Workloads: Part 1 | Breakout Session | Amol Tipnis, Percy Wadia
MMC2210BU | Best Practices: How the City of New York Has Configured AWS for the Best vRealize Automation Integration | Breakout Session | Stefan Andrieux
MMC2256BU | Watching the Clouds: Challenges with Monitoring Hybrid Cloud Environments | Breakout Session | Craig Lee, John Dias
MMC2455BU | On-Demand Disaster Recovery for Enterprise Applications with the VMware Cloud on AWS | Breakout Session | GS Khalsa, Mohan Potheri, Potheri Mohan
MMC2623BU | Integrated Multicloud Management for Automating Standardized Security and Governance in Federal Agencies | Breakout Session | Kris Ostergard, Sean VanDruff, Douglas Bourgeois
MMC2820BU | Deploying Applications into AWS EC2 with VMware Cross-Cloud Services | Breakout Session | Bahubali Shetti, Bill Shetti
MMC2877BU | Deep Dive into Cost Insight: Understand, Analyze, and Optimize Your Cloud Expenses (Cross-Cloud Service) | Breakout Session | Kumar Gaurav, Kameswaran Subramanian
MMC2884GU | Manage Cross-Cloud Applications Using vRealize Operations Insight | Group Discussion | Karl Fultz, Manish Bhaskar
MMC2888GU | How We’ve Accelerated Innovation While Keeping Our Cloud Spending in Check | Group Discussion | Burt Toma
MMC3062BU | How Customer XYZ Secures and Monitors On-Premises Software-Defined Data Center Virtual and Physical Networks Using Network Insight SaaS | Breakout Session | Sean O'Dell, Manish Bhaskar
MMC3066BU | How Do You Use Network Insight SaaS to Secure Multitier Hybrid Apps Running on vSphere, VMware Cloud on AWS, and AWS Native? | Breakout Session | Sean O'Dell, Anuj Jaiswal
MMC3074BU | 3 Ways to Use VMware’s New Cross-Cloud SaaS Services to Efficiently Run Workloads Across AWS, Azure and vSphere: VMware and Customer Technical Session | Breakout Session | Jason Walker, Burt Toma
MMC3110PU | How IT Can Enable Development Teams to Build Apps on AWS, Azure, and VMware Without Compromising on Costs and Security | Panel Discussion | Mark Leake, Ben Mitchell
MMC3112BU | Customer Story: Monitoring Costs and Rightsizing Workloads in AWS, Azure, and VMware-Based Clouds | Breakout Session | Nikhil Girdhar
MMC3164BU | How Data Science Is Transforming Operations: The Wavefront Story | Breakout Session | Dev Nag
MMC3165BU | Becoming a DevOps Superhero: Introduction to Wavefront for Optimizing Cloud-Native Applications | Breakout Session | Stela Udovicic, Demetri Mouratis
MMC3321BUS | Move, Manage, Use: The New Hybrid IT | Breakout Session | Donald Foster, Don Foster, Deepak Verma
MMC3406BUS | Cloudy Days Ahead!! Leverage F5 to Provide Application Continuity and Consistent Security Policy Provisioning and Enforcement in an Intercloud World | Breakout Session | Kent Munson
MMC3424SU | VMware Cloud Services and How You Can Leverage SaaS for Your vSphere Data Center or the Public Cloud | Spotlight Session | Guido Appenzeller