VMware encryption in IBM Cloud

Previously we reviewed some important characteristics and tradeoffs for various encryption at rest solutions for VMware on IBM Cloud. Below are some more detailed decision matrices for encryption both in motion and at rest.

Encryption in motion

Subject             | Encryption layer | Encryption method  | Notes
--------------------|------------------|--------------------|------
Application traffic | Network or lower | None               | There are no established mesh encryption technologies for VXLAN or Geneve.
Application traffic | Transport        | TLS                | This is normally enabled in application-specific configuration. Special care must be taken for many requirements, e.g., to exclude older TLS and SSL versions, exclude vulnerable ciphersuites, enforce the use of appropriate certificates, and use FIPS 140-2 if required.
vSAN                | Application      | None               | VMware does not support encryption of host to host vSAN traffic currently.
vMotion             | Application      | Proprietary        | This is enabled in a VM’s options, and can be set to disabled, opportunistic (default), or required.
Site to site        | Network          | VMware HCX (IPsec) | HCX uses a proprietary and highly efficient layer 2 transport to convey traffic from site to site through one or more IPsec tunnels using NIST Suite B AES-GCM encryption. Site to site vMotion is also supported with WAN optimization of the vMotion traffic.
Site to site        | Network          | IPsec              | IPsec connections between sites can use a variety of solutions, including NSX ESG, FortiGate virtual or physical appliance, or vSRX appliance. Occasionally L2VPN may be used in combination with IPsec. Occasionally this may be combined with GRE encapsulation to alleviate addressing and routing problems.

Encryption at rest

Note that in the table below:

  • While IBM Cloud Object Storage (COS) cannot function as a VMware vSphere datastore, it may be used for other aspects of your VMware environment, such as Veeam backup repositories or data accessed directly by your applications. Compatibility statements for Cloud Object Storage are not applicable since it does not serve as disk storage for virtual machines.
  • IBM Key Protect and IBM Hyper Protect Crypto Services are IBM Cloud key management service offerings. These interface directly with some IBM Cloud services like COS, and indirectly with VMware vSphere and vSAN encryption using the IBM Cloud KMIP for VMware intermediary service.
  • IBM Security Key Lifecycle Manager (SKLM) and IBM Guardium Data Encryption are two key management and encryption software offerings from IBM.
  • Compatibility statements imply “when properly configured.” For example, the HyTrust Key Control and Guardium KMS must remain available or must be recovered in case of a disaster; and Veeam in some cases is limited to the HotAdd transport mode.
  • HyTrust Key Control can be deployed as a standalone KMS, but it also serves as the underlying KMS for HyTrust Data Control. HyTrust Cloud Control offers advanced VM placement policy control and geofencing when combined with HyTrust Data Control.
The last seven columns (vSAN dedup/compress through HyTrust Cloud Control policies) indicate whether the encryption option is compatible with that feature or product.

Storage | Encryption method | Key manager | Key management | KMS administration | Encryption scope | Encrypted in flight to datastore? | vSAN dedup/compress | Cross-vCenter vMotion | vSphere replication | VMware HCX | Zerto | Veeam | HyTrust Cloud Control policies
--------|-------------------|-------------|----------------|--------------------|------------------|-----------------------------------|---------------------|-----------------------|---------------------|------------|-------|-------|-------------------------------
IBM Cloud Object Storage | IBM managed keys (native) | n/a | IBM | IBM | All objects | TLS | n/a | n/a | n/a | n/a | n/a | n/a | n/a
IBM Cloud Object Storage | IBM Key Protect (KP) or Hyper Protect Crypto Services (HPCS) | IBM KP or HPCS | Customer | IBM | Bucket | TLS | n/a | n/a | n/a | n/a | n/a | n/a | n/a
IBM Cloud storage (Endurance, Performance) × (file, block) | IBM managed keys (native) | n/a | IBM | IBM | Entire volume | No | n/a | Yes | Yes | Yes | Yes | Yes | No
IBM Cloud storage (Endurance, Performance) × (file, block) | vSphere encryption | IBM KP or HPCS | Customer | IBM | VM disk | Yes | n/a | No | No | No | No | Yes | No
IBM Cloud storage (Endurance, Performance) × (file, block) | vSphere encryption | IBM SKLM | Customer | Customer | VM disk | Yes | n/a | No | No | No | No | Yes | No
IBM Cloud storage (Endurance, Performance) × (file, block) | vSphere encryption | HyTrust Key Control | Customer | Customer | VM disk | Yes | n/a | No | No | No | No | Yes | No
IBM Cloud storage (Endurance, Performance) × (file, block) | HyTrust Data Control | HyTrust Key Control | Customer | Customer | VM disk | Yes | n/a | Yes | Yes | Yes | Yes | Yes | Yes
IBM Cloud storage (Endurance, Performance) × (file, block) | IBM Guardium Data Encryption | Guardium | Customer | Customer | VM disk | Yes | n/a | Yes | Yes | Yes | Yes | Yes | No
vSAN storage | vSAN encryption | IBM KP or HPCS | Customer | IBM | vSAN drives | No | Yes | Yes | Yes | Yes | Yes | Yes | No
vSAN storage | vSAN encryption | IBM SKLM | Customer | Customer | vSAN drives | No | Yes | Yes | Yes | Yes | Yes | Yes | No
vSAN storage | vSAN encryption | HyTrust Key Control | Customer | Customer | vSAN drives | No | Yes | Yes | Yes | Yes | Yes | Yes | No
vSAN storage | vSphere encryption | IBM KP or HPCS | Customer | IBM | VM disk | Yes | No | No | No | No | No | Yes | No
vSAN storage | vSphere encryption | IBM SKLM | Customer | Customer | VM disk | Yes | No | No | No | No | No | Yes | No
vSAN storage | vSphere encryption | HyTrust Key Control | Customer | Customer | VM disk | Yes | No | No | No | No | No | Yes | No
vSAN storage | HyTrust Data Control | HyTrust Key Control | Customer | Customer | VM disk | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes
vSAN storage | IBM Guardium Data Encryption | Guardium | Customer | Customer | VM disk | Yes | No | Yes | Yes | Yes | Yes | Yes | No

Provisioning and expanding an IBM Cloud VMware instance via API

IBM Cloud for VMware Solutions recently released a set of public APIs. These APIs allow you to use your IBM Cloud API key to perform operations such as:

  • Get information about your vCenter instance, admin credentials, deployment history, clusters, and hosts
  • Verify parameters for ordering a new vCenter instance, cluster, or hosts
  • Order or remove a vCenter instance, cluster, or hosts

I’ve written some sample code demonstrating how you can authenticate with the IBM Cloud APIs using your API key, and how to interact with the IBM Cloud for VMware APIs. Note that these samples only perform order verification, but you can easily extend them to perform actual orders or removals.

A key use case for these APIs is to expand and contract your VMware instance based on utilization or for workload bursting scenarios. With these APIs, you can now fully automate this process.
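As an added example (not the author's samples), here is the authentication half in Python: the IBM Cloud API key is exchanged at the real IAM token endpoint for a short-lived bearer token, which is cached and refreshed before it expires, so the API key itself is never sent to the VMware Solutions API. The VMware Solutions API host is a placeholder because the page does not give it.

```python
import json
import time
import urllib.parse
import urllib.request

IAM_TOKEN_URL = "https://iam.cloud.ibm.com/identity/token"   # IBM Cloud IAM
APIKEY_GRANT = "urn:ibm:params:oauth:grant-type:apikey"       # IAM's API-key grant
# PLACEHOLDER: the page does not give the VMware Solutions API host.
VMWARE_API_BASE = "https://VMWARE-SOLUTIONS-API-HOST/v1"


def iam_token_request(api_key):
    """Build the POST that trades an API key for a short-lived bearer token.
    The key is form-encoded and goes only to IAM, never to the VMware API."""
    body = urllib.parse.urlencode({"grant_type": APIKEY_GRANT,
                                   "apikey": api_key}).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    return urllib.request.Request(IAM_TOKEN_URL, data=body,
                                  headers=headers, method="POST")


class BearerToken:
    """Parsed IAM response; `margin` seconds before expiry it is treated as stale."""

    def __init__(self, response_json, margin=60):
        data = json.loads(response_json)
        if data.get("token_type") != "Bearer":
            raise ValueError("unexpected token_type: %r" % data.get("token_type"))
        self.access_token = data["access_token"]
        self.expiration = int(data["expiration"])  # absolute Unix time set by IAM
        self.margin = margin

    def needs_refresh(self, now=None):
        now = time.time() if now is None else now
        return now >= self.expiration - self.margin

    def auth_header(self):
        return {"Authorization": "Bearer " + self.access_token}


def fetch_token(api_key, opener=urllib.request.urlopen):
    """Network call; `opener` is injectable so tests need no connectivity."""
    with opener(iam_token_request(api_key)) as resp:
        return BearerToken(resp.read().decode())


def vmware_api_request(token, path, base_url=VMWARE_API_BASE):
    """Authenticated GET against the (placeholder) VMware Solutions API."""
    if token.needs_refresh():
        raise RuntimeError("token expired or about to expire; call fetch_token again")
    headers = dict(token.auth_header(), Accept="application/json")
    return urllib.request.Request(base_url.rstrip("/") + "/" + path.lstrip("/"),
                                  headers=headers, method="GET")
```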

Updates to VMware on IBM Cloud

On Monday, March 25, IBM Cloud released the latest updates to our VMware Solutions offerings. The enhancements in this release include:

  • As we announced at Think 2019, IBM Cloud now offers Caveonix RiskForesight as an add-on service for your VMware vCenter Server (VCS) instance. Caveonix RiskForesight helps you to manage compliance risks with proactive monitoring and automated defense controls to protect against threats and to meet industry and government regulations.
  • You now have the option to deploy a VMware vCenter Server (VCS), hybridity bundle, or VMware vSphere Server (VSS) instance using VMware vSphere 6.7u1 and vCenter Server 6.7u1, in addition to version 6.5u2. Note that vSphere 6.7u1 is not available on all hardware combinations.
  • You now have the option to deploy a VMware vCenter Server (VCS) or hybridity bundle instance using VMware NSX-T version 2.4, in addition to NSX-V version 6.4.4. We offer NSX-T at this time for proof of concept, test, and sandbox purposes to test drive this exciting new network technology from VMware.
  • IBM Cloud has updated the versions of several add-on services available for VCS. F5 BIG-IP Virtual Edition is updated to V14.1.0.2; HyTrust Cloud Control is updated to V5.4.2; Zerto Virtual Replication is updated to V6.5 update 3; and Veeam Backup & Replication is updated to V9.5 update 4.
  • The latest version of Veeam now supports IBM Cloud Object Storage as a storage tier, which enables much more cost effective long-term storage for your virtual machine backups.
  • IBM Cloud for VMware Solutions now deploys new ESXi servers for your VCS instance with secure shell (SSH) disabled.
  • You can now simultaneously add or remove ESXi servers from multiple clusters in a VCS instance.
  • You now have the option to add new ESXi servers to their VCS clusters in maintenance mode. This allows you to perform custom configuration on these servers before any virtual machines run on that server.
  • IBM Cloud for VMware Solutions now provides a REST API that you can use to deploy and delete VCS instances, clusters, and hosts.
  • IBM Cloud increased the maximum size of Endurance file storage for a VCS instance from 12 TB to 24 TB. The larger sizes are available at performance levels of 0.25, 2, and 4 IOPS/GB.
  • IBM Cloud’s KMIP for VMware key management service offering is now available in the Sydney multi-zone region (MZR).
  • You can now display the VLANs and subnets allocated to your VCS instance on the instance’s Infrastructure view in the IBM Cloud portal.

Additionally, you should be aware of the following announcements:

  • Beginning May 13, IBM Cloud will no longer support VMware Cloud Foundation (VCF). IBM Cloud is actively working with existing VCF customers on a transition or migration plan.
  • Beginning in August, IBM Cloud for VMware Solutions will no longer support VLAN spanning. If you are using VLAN spanning, you should convert your account to Virtual Routing and Forwarding (VRF) by this time. Additionally, you will be required to enable Service Endpoints for your account by this time.

For details on all of these features and announcements, see the IBM Cloud for VMware Solutions release notes and related documentation.

IBM Cloud for VMware at Think 2019

IBM Cloud for VMware Solutions had a strong presence at the IBM Think 2019 conference in San Francisco last week, with many main stage announcements, think tank discussions, and breakout sessions.

See the IBM Cloud blog for the full list of our announcements: VMware on IBM Cloud at Think 2019.

There was particularly strong interest in our forthcoming offering of Caveonix RiskForesight on IBM Cloud. RiskForesight provides a set of powerful compliance monitoring, remediation, and reporting capabilities for both your cloud and on-premises workloads. We are very excited to be working with Caveonix!

Large file transfers into the IBM Cloud

I like to use IBM Cloud Object Storage to transfer large files (e.g., an OVA file) into the IBM Cloud infrastructure private network. Here’s how I do it:

  1. Order an instance of Cloud Object Storage if you don’t already have one
  2. Create a storage bucket with the region and storage class of your choice if you don’t already have one
  3. Create a COS service credential. To ensure interoperability with standard S3 tools, you should create an HMAC style credential. You can do this by adding an {"HMAC":true} configuration parameter when creating the credential.
  4. Download the S3 tool of your choice. I like to use the awscli tool:
      1. pip install awscli
      2. Edit the file ~/.aws/credentials to specify your credentials created above:
        [default]
        aws_access_key_id=...
        aws_secret_access_key=...
  5. Now you can use the aws tool to copy a file to your bucket and to generate a presigned URL that you can use to download it:
    aws --endpoint=https://s3-api.us-geo.objectstorage.softlayer.net s3 cp filename s3://bucketname/
    aws --endpoint=https://s3-api.us-geo.objectstorage.softlayer.net s3 presign s3://bucketname/filename --expires-in 31536000
    # returns a URL that you can then use with curl
  6. You can use this URL within the IBM Cloud private network to download your file. For example, I can SSH to an ESXi host and use wget to download an OVA file directly to my vSAN datastore. Be sure to adjust the URL to use the correct private endpoint for your storage region.
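As an added example (not the author's code), here is what the `aws s3 presign` step produces, implemented by hand with SigV4 query-string signing so the parts of the URL are visible: the credential scope, the start time, the lifetime, and a signature derived from the HMAC secret (the secret itself never appears in the URL). It assumes path-style addressing on the endpoint used above, that IBM COS accepts `us-geo` as the signing region, and uses only the HMAC credential pair from step 3; `is_expired` checks the validity window from the URL alone.

```python
import datetime
import hashlib
import hmac
import urllib.parse

ENDPOINT = "s3-api.us-geo.objectstorage.softlayer.net"  # endpoint used on this page


def utc(*ymdhms):  # aware UTC datetime from (year, month, day[, hour, minute, second])
    return datetime.datetime(*ymdhms, tzinfo=datetime.timezone.utc)


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def presign_get(access_key, secret_key, bucket, key, expires, when,
                host=ENDPOINT, region="us-geo"):
    """Presigned path-style GET URL using SigV4 query-string authentication.
    `when` is an aware UTC datetime so the output is reproducible."""
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    scope = "%s/%s/s3/aws4_request" % (amz_date[:8], region)
    path = "/%s/%s" % (bucket, urllib.parse.quote(key))
    params = sorted([("X-Amz-Algorithm", "AWS4-HMAC-SHA256"),
                     ("X-Amz-Credential", "%s/%s" % (access_key, scope)),
                     ("X-Amz-Date", amz_date), ("X-Amz-Expires", str(expires)),
                     ("X-Amz-SignedHeaders", "host")])
    # Canonical query string: every key and value RFC 3986 encoded (slashes too).
    query = "&".join("%s=%s" % (urllib.parse.quote(k, safe="-_.~"),
                                urllib.parse.quote(v, safe="-_.~")) for k, v in params)
    canonical_request = "\n".join(["GET", path, query,
                                   "host:%s\n" % host,   # canonical headers block
                                   "host",               # signed headers
                                   "UNSIGNED-PAYLOAD"])  # body is never signed
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Derived signing key: the secret only seeds this HMAC chain.
    k = _hmac(("AWS4" + secret_key).encode(), amz_date[:8])
    for part in (region, "s3", "aws4_request"):
        k = _hmac(k, part)
    signature = hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return "https://%s%s?%s&X-Amz-Signature=%s" % (host, path, query, signature)


def is_expired(url, now):
    """Validity check from the URL alone: X-Amz-Date plus X-Amz-Expires seconds."""
    q = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))
    start = datetime.datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
    start = start.replace(tzinfo=datetime.timezone.utc)
    return now >= start + datetime.timedelta(seconds=int(q["X-Amz-Expires"]))
```

With `--expires-in 31536000` as above, the URL stays valid for a full year for anyone who holds it, so the lifetime is worth matching to how long the transfer actually takes.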

Case study: publicly connected VMware virtual machine on IBM Cloud

Background

IBM Cloud for VMware Solutions deploys VMware vCenter Server (VCS) environments using a network architecture consisting of three VLANs: one private VLAN used for management traffic and for NSX VTEPs, a second private VLAN used for storage traffic and vMotion, and a public VLAN.

Initially a sample NSX configuration is deployed for your use, including a distributed logical router (DLR), and an edge services gateway (ESG) that provides NAT service outbound from a logical switch (VXLAN) to both the IBM Cloud private network (10.0.0.0/8 addresses) and the public Internet.

The simple case is to deploy your virtual machines onto the logical switch and take advantage of the ESG to access the private and public networks. (Note that the ESG is initially configured with the sample NAT rule disabled, so you will need to enable it.) However, in our case study we want to deploy a virtual machine that will be used as part of the management stack to manage vCenter, ESXi hosts, and deploy workloads into vCenter. As a result, we prefer to have our virtual machine live directly on the private management network, but it will still need access to the public network, for example to download updates. This means we need both to assign a private IP to the VM and to reconfigure the ESG to provide NAT from the private network to the public network.

Additional Details

You can discover the management VLAN on which your VCS instance is deployed by logging into the IBM Cloud infrastructure portal, displaying details for your bare metal servers, and identifying the Private interface. This information is important if you later need to order additional private portable IP addresses for your use. IBM Cloud infrastructure provides two different kinds of IP addresses: (1) primary subnets whose allocation IBM Cloud manages for bare metal servers and virtual servers, and (2) portable subnets whose allocation is typically managed by you and not by IBM Cloud. Note however that IBM Cloud for VMware Solutions orders and manages several portable subnets for your VCS instance. The only portable subnets associated with the VCS that are available for your use are those that are attached to the private and public interfaces of the sample ESG deployed in your instance. We will use one of these addresses for our VM’s deployment.

Procedure

  1. Establish connectivity to your VCS environment (e.g., using the IBM Cloud VPN)
  2. Login to your vCenter web client UI
  3. Click the Home icon and navigate to Networking & Security
  4. Select NSX Edges and double click on the customer-nsx-edge
  5. Select the Manage tab, Settings item, and view the list of Interfaces. Note the interface with a 10.x.x.x/26 address. This represents the private portable subnet available to you for your use. One IP address is used by the ESG but the remaining addresses (excluding the network address, gateway address = network+1, broadcast address) are available to you for your use. The ESG can be configured to serve as a NAT for any address in the same subnet as itself. Note well that you are responsible for managing the assignment of addresses within this subnet to prevent conflicts!
  6. Configure the ESG firewall to allow outbound traffic from the 10.x.x.x/26 network
    1. Select the Firewall tab and add a new rule after the “All outgoing customer VMs” rule
    2. Configure this rule to allow outgoing traffic from the management network; the source IP specification should be the same subnet as the ESG, for example 10.123.171.128/26
    3. Click to Publish Changes
  7. Configure the ESG to NAT traffic from the private to the public network
    1. Select the NAT tab and add a new SNAT rule
    2. Configure this rule to operate on the Public Uplink, for all protocols, for the source IP range matching the ESG subnet (e.g., 10.123.171.128/26), and with a translated IP address matching the public IP address for the ESG (use the same address as the existing NAT rule). Ensure that the rule is enabled.
    3. Click to Publish Changes
  8. Deploy and configure your virtual machine
    1. IBM Cloud maintains a mirror of many popular Linux distributions, available only on the private network.
    2. Ensure that your VM is attached to the management network. Attach its adapter to the SDDC-DPortGroup-Mgmt port group.
    3. Configure the network adapter using an address from the ESG subnet. Set its default gateway to point to the ESG rather than to the IBM Cloud backend customer router (BCR). Identify the DNS server(s) for your instance by viewing one of your hosts’ TCP/IP configuration in vCenter. For example, if using RHEL:
      # ifcfg-ens192
      HWADDR=00:50:56:b0:88:39
      NAME=ens192
      GATEWAY=10.123.171.132
      DNS1=10.123.158.32
      DOMAIN=example.com
      DEVICE=ens192
      ONBOOT=yes
      USERCTL=no
      BOOTPROTO=static
      NETMASK=255.255.255.192
      IPADDR=10.123.171.133
      NETWORK=10.123.171.128
      BROADCAST=10.123.171.191
    4. Configure the adapter’s static routes to point to the BCR (i.e., the subnet gateway address) for all private network addresses. Note that IBM Cloud uses both subnets 10.0.0.0/8 and 161.26.0.0/16 for internal traffic. For example, if using RHEL:
      # route-ens192
      10.0.0.0/8 via 10.123.171.129 dev ens192
      161.26.0.0/16 via 10.123.171.129 dev ens192
    5. Configure NTP to point to time.service.networklayer.com
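The address bookkeeping from step 5 and the RHEL files from steps 8.3 and 8.4, as an added example (not from the original post) using the page's sample addresses: it derives the reserved addresses from the ESG interface, rejects a VM address that collides with them or with a locally tracked allocation list, and renders the ifcfg and route files with the default route via the ESG and the IBM private ranges via the BCR (HWADDR is omitted since it is per-VM).

```python
import ipaddress

# Values from this page's case study: the ESG's private portable interface.
# The BCR is the subnet gateway (network + 1). Other values are constructed.
ESG_INTERFACE = "10.123.171.132/26"
PRIVATE_RANGES = ("10.0.0.0/8", "161.26.0.0/16")  # IBM Cloud internal traffic


def reserved_addresses(esg_iface):
    """Addresses a VM must never take: network, BCR gateway, broadcast, ESG."""
    iface = ipaddress.ip_interface(esg_iface)
    net = iface.network
    return {"network": net.network_address, "bcr": net.network_address + 1,
            "broadcast": net.broadcast_address, "esg": iface.ip, "net": net}


def usable_addresses(esg_iface):
    """Every address in the ESG subnet that is left for your VMs."""
    r = reserved_addresses(esg_iface)
    taken = {r["network"], r["bcr"], r["broadcast"], r["esg"]}
    return [a for a in r["net"] if a not in taken]


def check_vm_address(esg_iface, candidate, allocated=()):
    """Validate a chosen VM address against the ESG subnet and a locally kept
    allocation list (the page leaves conflict avoidance to you)."""
    ip = ipaddress.ip_address(candidate)
    r = reserved_addresses(esg_iface)
    if ip not in r["net"]:
        return "outside ESG subnet %s" % r["net"]
    for name in ("network", "bcr", "broadcast", "esg"):
        if ip == r[name]:
            return "reserved (%s)" % name
    if ip in {ipaddress.ip_address(a) for a in allocated}:
        return "already allocated"
    return "ok"


def rhel_config(esg_iface, vm_ip, dns, domain, device="ens192"):
    """Render ifcfg-<device> and route-<device>: default gateway is the ESG
    (NAT to public); IBM private ranges go to the BCR."""
    r = reserved_addresses(esg_iface)
    ifcfg = "\n".join([
        "NAME=%s" % device, "DEVICE=%s" % device, "ONBOOT=yes", "USERCTL=no",
        "BOOTPROTO=static", "IPADDR=%s" % vm_ip,
        "NETMASK=%s" % r["net"].netmask, "NETWORK=%s" % r["network"],
        "BROADCAST=%s" % r["broadcast"], "GATEWAY=%s" % r["esg"],
        "DNS1=%s" % dns, "DOMAIN=%s" % domain,
    ])
    routes = "\n".join("%s via %s dev %s" % (p, r["bcr"], device)
                       for p in PRIVATE_RANGES)
    return ifcfg, routes
```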

The result is that we can access both the private and public networks from our VM:

[root@localhost ~]# ### Ping vCenter
[root@localhost ~]# ping -c 1 10.123.170.130 | fgrep transmitted
1 packets transmitted, 1 received, 0% packet loss, time 0ms
[root@localhost ~]# ### Ping Google DNS
[root@localhost ~]# ping -c 1 8.8.8.8 | fgrep transmitted
1 packets transmitted, 1 received, 0% packet loss, time 0ms

Spectrum Protect Plus on IBM Cloud

IBM Cloud for VMware Solutions recently made available IBM Spectrum Protect Plus as part of our family of VMware offerings. Spectrum Protect Plus provides powerful and easy to use backup and restore capabilities for your VMware infrastructure and workload. It is now the default backup offering for VMware on IBM Cloud, complementing our existing offering of Veeam Backup & Replication.

At the same time, the IBM Cloud architecture team just published our Spectrum Protect Plus on IBM Cloud reference architecture. Read it and the associated references for information on how we have deployed Spectrum Protect Plus, how you should plan and size your deployment, and how to manage it.