VCAP DCD Study – Home Lab Design Part 4

Objective 2.5 – Build Performance Requirements into the Logical Design

Knowledge
1. Understand what logical performance services are provided by VMware solutions.

Memory

  • Transparent Page Sharing – Shares identical memory pages across multiple VMs. This is enabled by default. Consideration should be given to try and place similar workloads on the same hosts to gain maximum benefit.
  • Memory Ballooning – Controls a balloon driver which is running inside each VM. When the physical host runs out of memory it instructs the driver to inflate by allocating inactive physical pages. The ESXi host can use these pages to fulfill the demand from other VMs.
  • Memory Compression – Prior to swapping memory pages out to physical disk, the ESXi server starts to compress pages. Compared to swapping, compression can improve the overall performance in a memory overcommitment scenario.
  • Swapping – As the last resort, ESXi will start to swap pages out to physical disk.
  • Caching – Allows SSD drives to act as a cache, which is quicker than using spinning disks.

Disk

  • vStorage APIs for Array Integration (VAAI) – A feature introduced in ESXi/ESX 4.1 that provides hardware acceleration functionality. It enables your host to offload specific virtual machine and storage management operations to compliant storage hardware. With the storage hardware assistance, your host performs these operations faster and consumes less CPU, memory, and storage fabric bandwidth.
  • Storage I/O Control (SIOC) – Introduced in vSphere 4.1, it allows for cluster-wide control of disk resources. The primary aim is to prevent a single VM on a single ESX host from hogging all the I/O bandwidth to a shared datastore. An example could be a low priority VM which runs a data mining type application impacting the performance of other more important business VMs sharing the same datastore.
  • vSphere Storage APIs – Storage Awareness (VASA) – VASA is a set of APIs that permits storage arrays to integrate with vCenter for management functionality.

Network

  • Network IO Control (NIOC) – When network I/O control is enabled, distributed switch traffic is divided into the following predefined network resource pools: Fault Tolerance traffic, iSCSI traffic, vMotion traffic, management traffic, vSphere Replication (VR) traffic, NFS traffic, and virtual machine traffic.  You can control the bandwidth each network resource pool is given by setting the physical adapter shares and host limit for each network resource pool.

2. Identify and differentiate infrastructure qualities (Availability, Manageability, Performance, Recoverability, Security)

See Objective 2.3

3. List the key performance indicators for resource utilization.

Performance KPIs will be Processor, Memory, Disk, and Network.

Skills and Abilities
4. Analyze current performance, identify and address gaps when building the logical design.

This should be done during the current state analysis using well-documented tools such as Capacity Planner as well as OS tools such as perfmon and top.

5. Using a conceptual design, create a logical design that meets performance requirements.

I don’t need to use any tiered storage or resource pools in my design. This objective is asking us to create a logical diagram to depict the performance requirements. For example, if the database needed a high amount of IOPS and the Dev servers needed lower IOPS, then I would draw up a logical diagram to show the different tiers of storage and group VMs on the relevant tiers.

6. Identify performance-related functional requirements based on given non-functional requirements and service dependencies.

The non-functional requirement is that I can only spend £300 on storage. This will limit my choices, so depending on what type (SSD (ha ha!) or SATA) and how many disks I buy, I will be limited to a certain amount of IOPS.

 

7. Define capacity management practices and create a capacity plan.

Ability to utilize resources efficiently without compromising performance
Utilizing tools to forecast resource capacity (being proactive instead of reactive)

8. Incorporate scalability requirements into the logical design.

Overprovision enough for future growth; I’ve overprovisioned for my initial requirements.

9. Determine performance component of SLAs and service level management processes.

Business Capacity Mgmt

  • ensure future business requirements are understood & have sufficient capacity to meet the requirements

Service Capacity Mgmt

  • resource consumption, activity patterns/peaks/troughs of live operational services

Component Capacity Mgmt

  • performance & capacity of underlying IT service components (CPU, RAM, Disks, etc..)

 

Objective 2.6 – Build Recoverability Requirements into the Logical Design

Knowledge
1. Understand what recoverability services are provided by VMware solutions.

FT
HA
SRM
vDR
APIs needed for 3rd party solutions

2. Identify and differentiate infrastructure qualities (Availability, Manageability, Performance, Recoverability, Security)

See Objective 2.3

3. Differentiate Business Continuity and Disaster Recovery concepts.

Business continuity is a proactive action focused on avoiding or mitigating the impacts of risks before they happen.

Below points borrowed from the Brownbag VCAP DCD Study notes.

  • The business must continue to operate for weeks, months and years
  • Who, What, Where and When is needed
  • Not just technical, whole of business
  • Very Strategic

Disaster recovery is focused on how to return services after an outage or failure has occurred which is a reactive action.

  • We hoped it would never happen but it has
  • Get the business running again ASAP
  • Tactical, Technical

4. Describe and differentiate between RTO and RPO

RTO – recovery time objective; appropriate time allowed to recover a critical system.

RPO – recovery point objective; appropriate recovery point of a system, determining what is ‘acceptable’ data loss.

Skills and Abilities

5. Given specific RTO and RPO requirements, build these requirements into the logical design.

Taking into account the RTO and RPO requirements, what options do we have to implement a DR solution? Array-based or vSphere replication? Is there network bandwidth for replication? Is there budget? And so on.

6. Given recoverability requirements, identify the services that will be impacted and provide a recovery plan for impacted services.

Basically come up with a good DR plan with a detailed run book.

7. Given specific regulatory compliance requirements, build these requirements into the logical design.

Backups & retention periods can be defined by regulation.

8. Based on customer requirements, identify applicable site failure / site recovery use cases.

How will the DR site be configured? Will we use a cloud based DR? Maybe use the failover site as a dual purpose site e.g. have pre-prod workloads running in there as well as DR.

9. Determine recoverability component of SLAs and service level management processes.

Taken from the pdf on the blueprint – Practical Guide to Business Continuity and Disaster Recovery with VMware Infrastructure

In a real-world scenario, there would be an interaction with the business owners to establish SLAs and these would drive design considerations. The implementation outlined in this VMbook was designed to apply generically to as many cases as possible and was based in part on interviews with senior architects within the VMware customer base to determine a “level set” in terms of needs, requirements, and so on. Typical questions asked of these architects include the following:

What type of SLAs do you have with the business?
Recovery Point Objectives
Recovery Time Objectives

BCDR plans have traditionally been documented as runbooks – i.e., what to do if disaster strikes. Increasingly, this runbook is being automated to make the process more predictable and less prone to error. The ability to test this plan is also a key consideration.

10. Based on customer requirements, create a data retention policy.

Retention Policy – Data Recovery backups are preserved for a variable period of time. You can choose to keep more or fewer backups for a longer or shorter period of time. Keeping more backups consumes more disk space, but also provides more points in time to which you can restore virtual machines. As backups age, some are automatically deleted to make room for new backups. You can use a predefined retention policy or create a custom policy.
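To make the trade-off between disk space and restore points concrete, here is an added example (not from the original post or from VMware Data Recovery) of a tiered retention planner. The tier names, the counts and the 60-day backup history are assumptions constructed for illustration, and the bucket logic is a generic scheme rather than the product's own algorithm.

```python
from datetime import date, timedelta

# Bucket key per tier: backups sharing a key compete for one kept slot.
BUCKET = {
    "daily": lambda d: d.toordinal(),
    "weekly": lambda d: tuple(d.isocalendar())[:2],   # (ISO year, ISO week)
    "monthly": lambda d: (d.year, d.month),
}

def plan_retention(backups, policy):
    """Return ({kept_date: tier}, [dates_to_delete]) for a tiered policy.

    policy maps tier name -> number of buckets to keep, e.g. {"daily": 7}.
    The newest backup in each of the most recent buckets is kept.
    """
    newest_first = sorted(set(backups), reverse=True)
    keep = {}
    for tier, count in policy.items():
        seen = set()
        for d in newest_first:
            bucket = BUCKET[tier](d)
            if bucket in seen:
                continue              # a newer backup already fills this bucket
            if len(seen) == count:
                break                 # tier is full; older backups age out
            seen.add(bucket)
            keep.setdefault(d, tier)  # the first tier to claim a backup labels it
    return keep, sorted(set(backups) - set(keep))

def oldest_restore_point_days(keep, today):
    """Age in days of the oldest kept backup: how far back a restore can go."""
    return (today - min(keep)).days

def sample_run():
    # Constructed input: one backup per day for 60 days ending 2024-03-31.
    today = date(2024, 3, 31)
    backups = [today - timedelta(days=n) for n in range(60)]
    policy = {"daily": 7, "weekly": 4, "monthly": 3}
    keep, delete = plan_retention(backups, policy)
    return keep, delete, oldest_restore_point_days(keep, today)

if __name__ == "__main__":
    keep, delete, age = sample_run()
    print(f"kept {len(keep)}, deleted {len(delete)}, oldest restore point {age} days")
```

Comparing the oldest restore point against a regulatory retention period shows whether a policy that looks generous on paper actually reaches back far enough.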

 

Objective 2.7 – Build Security Requirements into the Logical Design

Knowledge
1. Understand what security services are provided by VMware solutions.

  • VMware compliance checkers
  • vShield
  • Hardening guides for the relevant ESXi version

2. Identify and differentiate infrastructure qualities (Availability, Manageability, Performance, Recoverability, Security).

Covered in objective 2.3 (I see a pattern here!)

3. Describe layered security considerations, including but not limited to Trust Zones.

Trust zones can be a DMZ, a department, a PCI compliance scope, or an application (3-tier app). There are three trust zone configurations: Partially Separated Physical; Partially Separated Virtual; Fully Collapsed.

Can be implemented using VLANs, firewalls, anti-virus, endpoint appliances, IDS.

Skills and Abilities

4. Identify required roles, create a role-based access model and map roles to services.

Use active directory for all access with the exception of a local admin group in case of active directory failure.

  • Where possible, grant permissions to groups rather than individual users.
  • Grant permissions only where needed. Using the minimum number of permissions makes it easier to understand and manage your permissions structure.
  • If you assign a restrictive role to a group, check that the group does not contain the Administrator user or other users with administrative privileges. Otherwise, you could unintentionally restrict administrators’ privileges in parts of the inventory hierarchy where you have assigned that group the restrictive role.
  • Use folders to group objects to correspond to the differing permissions you want to grant for them.
  • Use caution when granting a permission at the root vCenter Server level. Users with permissions at the root level have access to global data on vCenter Server, such as roles, custom attributes, vCenter Server settings, and licenses. Changes to licenses and roles propagate to all vCenter Server systems in a Linked Mode group, even if the user does not have permissions on all of the vCenter Server systems in the group.
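The practices above can be checked mechanically against a permission export. The following is an added example, not part of the original post and not VMware code: the permission records, group memberships, role names and the approved root-level principal are all constructed assumptions, as are the field names.

```python
# Constructed sample: a vCenter permission export reduced to plain dicts.
# Field, group, user and role names are assumptions made for this illustration.
PERMISSIONS = [
    {"entity": "/", "principal": "CORP\\vSphere-Admins", "is_group": True, "role": "Admin"},
    {"entity": "/", "principal": "CORP\\jsmith", "is_group": False, "role": "Admin"},
    {"entity": "/DC1/vm/Prod", "principal": "CORP\\Prod-Ops", "is_group": True,
     "role": "VirtualMachinePowerUser"},
    {"entity": "/DC1/vm/Dev", "principal": "CORP\\Dev-Team", "is_group": True, "role": "ReadOnly"},
]
GROUP_MEMBERS = {  # constructed directory group membership
    "CORP\\vSphere-Admins": {"CORP\\alice", "CORP\\bob"},
    "CORP\\Prod-Ops": {"CORP\\carol"},
    "CORP\\Dev-Team": {"CORP\\dave", "CORP\\alice"},
}
ADMIN_ROLES = {"Admin"}
RESTRICTIVE_ROLES = {"ReadOnly", "NoAccess"}
APPROVED_ROOT = {"CORP\\vSphere-Admins"}  # principals allowed a root-level grant

def admin_users(perms, members):
    """Users who hold an administrative role directly or through a group."""
    admins = set()
    for p in perms:
        if p["role"] in ADMIN_ROLES:
            admins |= members.get(p["principal"], set()) if p["is_group"] else {p["principal"]}
    return admins

def audit(perms, members, approved_root=APPROVED_ROOT):
    """Return (rule, subject, entity) findings for the practices listed above."""
    admins = admin_users(perms, members)
    findings = []
    for p in perms:
        who, where = p["principal"], p["entity"]
        if not p["is_group"]:                          # grant to groups, not users
            findings.append(("user-grant", who, where))
        if where == "/" and who not in approved_root:  # root-level grants need review
            findings.append(("root-grant", who, where))
        if p["is_group"] and p["role"] in RESTRICTIVE_ROLES:
            # A restrictive role on a group that contains an admin limits that admin here.
            for user in sorted(members.get(who, set()) & admins):
                findings.append(("admin-restricted", f"{user} via {who}", where))
    return findings

if __name__ == "__main__":
    for finding in audit(PERMISSIONS, GROUP_MEMBERS):
        print(*finding, sep=" | ")
```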

5. Create a security policy based on existing security requirements and IT governance practices.

This is talking about security compliance policies, change policies, patching policies, configuration policies and access control.

6. Incorporate customer risk tolerance into the security policy.

I guess depending on the industry the risk tolerance can vary, for example a travel agency’s IT security policy would not be as stringent as say a company providing IT services for the military.

7. Given security requirements, assess the services that will be impacted and create an access management plan.

Not entirely sure what this is asking or referring to but assuming it’s talking about external access to secure services, will do some more digging on this one, update to follow.

8. Given a regulatory requirement example, determine the proper security solution that would comply with it.

e.g. PCI compliance or IL3 compliance, ensuring the design caters for the specific requirements and everything will come back clean if there was an audit.

9. Based upon a specified security requirement, analyze the current state for areas of compliance/non-compliance.

Referring to VMware vCenter Configuration Manager, which has a compliance checker integrated into the product.

10. Explain how compliance requirements will impact the logical security design

Compliance could involve purchasing specific software to meet the requirements, such as vShield Endpoint or Juniper virtual gateway, and also extra firewalls, switches, etc. if physical segregation is essential.
