VMware encryption in IBM Cloud

Previously we reviewed some important characteristics and tradeoffs for various encryption at rest solutions for VMware on IBM Cloud. Below are some more detailed decision matrices for encryption both in motion and at rest.

Encryption in motion

Subject | Encryption layer | Encryption method | Notes
--- | --- | --- | ---
Application traffic | Network or lower | None | There are no established mesh encryption technologies for VXLAN or Geneve.
Application traffic | Transport | TLS | This is normally enabled in application specific configuration. Special care must be taken for many requirements, e.g., to exclude older TLS and SSL versions, exclude vulnerable ciphersuites, enforce the use of appropriate certificates, and use FIPS 140-2 if required.
vSAN | Application | None | Update January 2021: Beginning with vSphere 7.0u1, you can enable data-in-transit encryption for host-to-host vSAN traffic.
vMotion | Application | Proprietary | This is enabled in a VM's options, and can be set to disabled, opportunistic (default), or required.
Site to site | Network | VMware HCX (IPsec) | HCX uses a proprietary and highly efficient layer 2 transport to convey traffic from site to site through one or more IPsec tunnels using NIST Suite B AES-GCM encryption. Site to site vMotion is also supported with WAN optimization of the vMotion traffic.
Site to site | Network | IPsec | IPsec connections between sites can use a variety of solutions, including NSX ESG, FortiGate virtual or physical appliance, or vSRX appliance. Occasionally L2VPN may be used in combination with IPsec. Occasionally this may be combined with GRE encapsulation to alleviate addressing and routing problems.

Encryption at rest

Note that in the table below:

Storage | Encryption method | Key manager | Key management | KMS administration | Encryption scope | Encrypted in flight to datastore? | Compatible with vSAN dedup/compress | Compatible with cross-vCenter vMotion | Compatible with vSphere replication | Compatible with VMware HCX | Compatible with Zerto | Compatible with Veeam | Compatible with HyTrust Cloud Control policies
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
IBM Cloud Object Storage | IBM managed keys (native) | n/a | IBM | IBM | All objects | TLS | n/a | n/a | n/a | n/a | n/a | n/a | n/a
IBM Cloud Object Storage | IBM Key Protect (KP) or Hyper Protect Crypto Services (HPCS) | IBM KP or HPCS | Customer | IBM | Bucket | TLS | n/a | n/a | n/a | n/a | n/a | n/a | n/a
IBM Cloud storage (Endurance, Performance) × (file, block) | IBM managed keys (native) | n/a | IBM | IBM | Entire volume | No | n/a | Yes | Yes | Yes | Yes | Yes | No
IBM Cloud storage | vSphere encryption | IBM KP or HPCS | Customer | IBM | VM disk | Yes | n/a | No | Yes | No | No | Yes | No
IBM Cloud storage | vSphere encryption | IBM SKLM | Customer | Customer | VM disk | Yes | n/a | No | Yes | No | No | Yes | No
IBM Cloud storage | vSphere encryption | HyTrust Key Control | Customer | Customer | VM disk | Yes | n/a | No | Yes | No | No | Yes | No
IBM Cloud storage | HyTrust Data Control | HyTrust Key Control with optional HPCS | Customer | Customer | VM disk | Yes | n/a | Yes | Yes | Yes | Yes | Yes | Yes
IBM Cloud storage | IBM Guardium Data Encryption | Guardium | Customer | Customer | VM disk | Yes | n/a | Yes | Yes | Yes | Yes | Yes | No
vSAN storage | vSAN encryption | IBM KP or HPCS | Customer | IBM | vSAN drives | No | Yes | Yes | Yes | Yes | Yes | Yes | No
vSAN storage | vSAN encryption | IBM SKLM | Customer | Customer | vSAN drives | No | Yes | Yes | Yes | Yes | Yes | Yes | No
vSAN storage | vSAN encryption | HyTrust Key Control | Customer | Customer | vSAN drives | No | Yes | Yes | Yes | Yes | Yes | Yes | No
vSAN storage | vSphere encryption | IBM KP or HPCS | Customer | IBM | VM disk | Yes | No | No | Yes | No | No | Yes | No
vSAN storage | vSphere encryption | IBM SKLM | Customer | Customer | VM disk | Yes | No | No | Yes | No | No | Yes | No
vSAN storage | vSphere encryption | HyTrust Key Control | Customer | Customer | VM disk | Yes | No | No | Yes | No | No | Yes | No
vSAN storage | HyTrust Data Control | HyTrust Key Control with optional HPCS | Customer | Customer | VM disk | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes
vSAN storage | IBM Guardium Data Encryption | Guardium | Customer | Customer | VM disk | Yes | No | Yes | Yes | Yes | Yes | Yes | No

Updates to VMware on IBM Cloud

On Monday, March 25, IBM Cloud released the latest updates to our VMware Solutions offerings. The enhancements in this release include:

  • As we announced at Think 2019, IBM Cloud now offers Caveonix RiskForesight as an add-on service for your VMware vCenter Server (VCS) instance. Caveonix RiskForesight helps you to manage compliance risks with proactive monitoring and automated defense controls to protect against threats and to meet industry and government regulations.
  • You now have the option to deploy a VMware vCenter Server (VCS), hybridity bundle, or VMware vSphere Server (VSS) instance using VMware vSphere 6.7u1 and vCenter Server 6.7u1, in addition to version 6.5u2. Note that vSphere 6.7u1 is not available on all hardware combinations.
  • You now have the option to deploy a VMware vCenter Server (VCS) or hybridity bundle instance using VMware NSX-T version 2.4, in addition to NSX-V version 6.4.4. We offer NSX-T at this time for proof of concept, test, and sandbox purposes to test drive this exciting new network technology from VMware.
  • IBM Cloud has updated the versions of several add-on services available for VCS. F5 BIG-IP Virtual Edition is updated to V14.1.0.2; HyTrust Cloud Control is updated to V5.4.2; Zerto Virtual Replication is updated to V6.5 update 3; and Veeam Backup & Replication is updated to V9.5 update 4.
  • The latest version of Veeam now supports IBM Cloud Object Storage as a storage tier, which enables much more cost effective long-term storage for your virtual machine backups.
  • IBM Cloud for VMware Solutions now deploys new ESXi servers for your VCS instance with secure shell (SSH) disabled.
  • You can now simultaneously add or remove ESXi servers from multiple clusters in a VCS instance.
  • You now have the option to add new ESXi servers to their VCS clusters in maintenance mode. This allows you to perform custom configuration on these servers before any virtual machines run on that server.
  • IBM Cloud for VMware Solutions now provides a REST API that you can use to deploy and delete VCS instances, clusters, and hosts.
  • IBM Cloud increased the maximum size of Endurance file storage for a VCS instance from 12 TB to 24 TB. The larger sizes are available at performance levels of 0.25, 2, and 4 IOPS/GB.
  • IBM Cloud's KMIP for VMware key management service offering is now available in the Sydney multi-zone region (MZR).
  • You can now display the VLANs and subnets allocated to your VCS instance on the instance’s Infrastructure view in the IBM Cloud portal.

Additionally, you should be aware of the following announcements:

  • Beginning May 13, IBM Cloud will no longer support VMware Cloud Foundation (VCF). IBM Cloud is actively working with existing VCF customers on a transition or migration plan.
  • Beginning in August, IBM Cloud for VMware Solutions will no longer support VLAN spanning. If you are using VLAN spanning, you should convert your account to Virtual Routing and Forwarding (VRF) by this time. Additionally, you will be required to enable Service Endpoints for your account by this time.

For details on all of these features and announcements, see the IBM Cloud for VMware Solutions release notes and related documentation.

IBM Cloud for VMware at Think 2019

IBM Cloud for VMware Solutions had a strong presence at the IBM Think 2019 conference in San Francisco last week, with many main stage announcements, think tank discussions, and breakout sessions.

See the IBM Cloud blog for the full list of our announcements: VMware on IBM Cloud at Think 2019.

There was particularly strong interest in our forthcoming offering of Caveonix RiskForesight on IBM Cloud. RiskForesight provides a set of powerful compliance monitoring, remediation, and reporting capabilities for both your cloud and on-premises workloads. We are very excited to be working with Caveonix!

Large file transfers into the IBM Cloud

I like to use IBM Cloud Object Storage to transfer large files (e.g., an OVA file) into the IBM Cloud infrastructure private network. Here’s how I do it:

  1. Order an instance of Cloud Object Storage if you don’t already have one
  2. Create a storage bucket with the region and storage class of your choice if you don’t already have one
  3. Create a COS service credential. To ensure interoperability with standard S3 tools, you should create an HMAC style credential. You can do this by adding an {"HMAC":true} configuration parameter when creating the credential.
  4. Download the S3 tool of your choice. I like to use the awscli tool:
      1. pip install awscli
      2. Edit the file ~/.aws/credentials to specify your credentials created above:
        [default]
        aws_access_key_id=...
        aws_secret_access_key=...
  5. Now you can use the aws tool to copy a file to your bucket and to generate a presigned URL that you can use to download it:
    aws --endpoint=https://s3-api.us-geo.objectstorage.softlayer.net s3 cp filename s3://bucketname/
    aws --endpoint=https://s3-api.us-geo.objectstorage.softlayer.net s3 presign s3://bucketname/filename --expires-in 31536000
    # returns a URL that you can then use with curl
  6. You can use this URL within the IBM Cloud private network to download your file. For example, I can SSH to an ESXi host and use wget to download an OVA file directly to my vSAN datastore. You’ll need to be sure to adjust the URL to use the correct private endpoint for your storage region.
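The presign step above, redone in plain Python as an added example (not the page's own code, and not IBM's): it performs the S3 SigV4 query-string signing that S3-compatible tools use with an HMAC credential, and reads the expiry back out of the result, which makes plain that the one-year URL is a bearer token for the object and should be handled like one. Endpoint, bucket, object name and keys are constructed placeholders; the `region` scope string is an assumption.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def presign_get(host, bucket, key, access_key, secret_key, expires, when, region="us-geo"):
    """SigV4 query-signed GET URL valid for `expires` seconds from `when` (UTC)."""
    # `region` is an assumption: the scope string just has to match what the endpoint accepts.
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    path = "/" + quote(f"{bucket}/{key}", safe="/")  # path-style addressing
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",  # public half of the HMAC credential
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))
    # Canonical request: method, path, query, canonical headers, signed headers, payload hash.
    canonical = "\n".join(["GET", path, query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    # Derive the signing key from the secret; the secret itself never appears in the URL.
    k = ("AWS4" + secret_key).encode()
    for part in (amz_date[:8], region, "s3", "aws4_request"):
        k = _hmac(k, part)
    signature = hmac.new(k, to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{path}?{query}&X-Amz-Signature={signature}"

def expires_at(url):
    """When the bearer token in a presigned URL stops working (X-Amz-Date + X-Amz-Expires)."""
    q = dict(p.split("=", 1) for p in url.split("?", 1)[1].split("&"))
    start = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    return start + timedelta(seconds=int(q["X-Amz-Expires"]))

def demo():
    """Constructed sample: placeholder HMAC credential, one-year expiry as in step 5."""
    when = datetime(2019, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    return presign_get("s3-api.us-geo.objectstorage.softlayer.net", "bucketname",
                       "filename.ova", "EXAMPLEACCESSKEY", "EXAMPLESECRETKEY", 31536000, when)
```

Anyone who obtains the URL can fetch the object until `expires_at` passes, so a shorter `--expires-in` than a year is the safer default when the transfer is a one-off.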

Two!

Happy birthday to IBM Cloud for VMware Solutions! Two years ago today VMware Cloud Foundation and VMware vCenter Server on IBM Cloud became generally available. Sixteen releases later, we’ve come a long way! If you’re in Barcelona for VMworld 2018, stop by our booth and say hi!

Spectrum Protect Plus on IBM Cloud

IBM Cloud for VMware Solutions recently made available IBM Spectrum Protect Plus as part of our family of VMware offerings. Spectrum Protect Plus provides powerful and easy to use backup and restore capabilities for your VMware infrastructure and workload. It is now the default backup offering for VMware on IBM Cloud, complementing our existing offering of Veeam Backup & Replication.

At the same time, the IBM Cloud architecture team just published our Spectrum Protect Plus on IBM Cloud reference architecture. Read it and the associated references for information on how we have deployed Spectrum Protect Plus, how you should plan and size your deployment, and how to manage it.

VMware on IBM Cloud architecture updates

Recently the IBM Cloud for VMware architecture team posted two new networking related architecture documents related to VMware on the IBM Cloud:

FortiGate Virtual Appliance: IBM Cloud for VMware offers the FortiGate-VM virtual appliance to complement our existing physical FortiGate Security Appliance offering. The physical offering is limited to providing edge services for your VMware workload, while the virtual offering allows you to provide security services across all of your VMware networks.

F5 BIG-IP: IBM Cloud for VMware offers F5 BIG-IP virtual edition, providing load balancing, traffic management, and security services for your applications.

Updates to VMware HCX on IBM Cloud

IBM Cloud announced plans to offer VMware HCX included with our IBM Cloud for VMware offerings: Helping simplify cloud migration with updates to VMware HCX on IBM Cloud.

VMware is unifying their networking strategy around the Virtual Cloud Network, and as part of this, HCX (Hybrid Cloud Extension) will now be named NSX Hybrid Connect: VMware Advances Networking for the Digital Era with the Virtual Cloud Network.

Encryption at rest for VMware on IBM Cloud

One of the key topics we covered as part of our Fast Start education was encryption at rest for VMware on the IBM Cloud. There are many options for encrypting your workloads at rest, including:

  • VMware vSAN encryption
  • VMware vSphere encryption
  • HyTrust Data Control, part of IBM Cloud Secure Virtualization
  • Any other existing encryption solution you wish to bring to IBM Cloud

The first three offerings are available today directly from IBM Cloud for VMware Solutions, although some assembly is required in each case. There are important tradeoffs between these options that you need to take into consideration, such as ease of use, interoperability with other solutions like workload migration tooling, and the nature of what is encrypted. The following table that I shared at Fast Start summarizes the differences between these solutions:

Comparison | vSAN encryption | vSphere encryption | HyTrust Data Control
--- | --- | --- | ---
Encryption type | Datastore disks encrypted @ hypervisor. Secures: disk drives | VM disks encrypted @ hypervisor. Secures: VMDK files, disk traffic en route to datastore | Agent-based encryption of disks within VM. Secures: VMDK files, disk traffic en route to datastore
Key management | External KMS must be provided (not included) supporting KMIP 1.1 (e.g., IBM KMIP for VMware, IBM SKLM, or HyTrust Key Control) | External KMS must be provided (not included) supporting KMIP 1.1 (e.g., IBM KMIP for VMware, IBM SKLM, or HyTrust Key Control) | HyTrust Key Control (included)
Additional capabilities | n/a | n/a | Together with HyTrust Cloud Control, provides advanced access control, auditing, approval, and compliance capabilities; and enables Boundary Control for geofencing and hardware trust
Cost | vSAN Enterprise is required (per socket); key management server | Key management server | HyTrust Data Control (per socket); HyTrust Cloud Control (optional, per socket)
Limitations | Not compatible with other storage types (e.g., IBM Cloud Endurance storage, NetApp ONTAP Select); does not encrypt storage traffic in flight between hosts | Eliminates benefit of vSAN deduplication and compression | Eliminates benefit of vSAN deduplication and compression
Migration | Compatible with all migration technologies | Compatible with Veeam; compatible with VMware SRM when using array based replication; not currently compatible with VMware HCX, Zerto, vSphere replication, or cross-vCenter vMotion | Compatible with all migration technologies provided that HyTrust key management server availability and host compliance (if applicable) are maintained across sites. Some extra recovery steps are required post migration if the workload IP addressing has changed.

VMware around the world

I just returned from a two-week trip as part of IBM's Fast Start conference. We visited Madrid and Bangkok; next week the conference travels to Las Vegas. Fast Start is designed to enable IBM's sales and tech sales teams, as well as our business partners, to more effectively sell and solution IBM's offerings.

VMware on IBM Cloud was a big part of this conference! We provided training for sellers on IBM Cloud’s VMware portfolio, and deep dives for our technical sellers and partners on VMware solutioning, networking, storage, security, and encryption. By far the most popular sessions were on the new VMware Hybrid Cloud Extension (HCX) offering that we released in January. HCX radically simplifies the VMware workload migration process, and many IBM Cloud VMware engagements around the world are now looking to HCX as their solution for cloud migration. I’m excited to see the momentum of VMware on IBM Cloud building in 2018.