Secure Multi-Tenancy from VMware, Cisco, and NetApp

NetApp, Cisco, and VMware held a joint webinar to discuss a collaborative solution to provide a secure multi-tenant platform for solution providers.  The goal is to provide the benefits of shared infrastructure, particularly converting IT assets from expenses to strategic business opportunities, while at the same time maintaining the isolation, security, predictability, and quality of service that IT came to expect from their independent silos in traditional environments.

Before I get into a breakdown of what was discussed and how this solution can help offer the best of both worlds, I want to discuss how we got to this point.  It all starts with virtualization and the desire to consolidate infrastructure.  In the past, resources (compute, storage, network) were spun up when needed for a new application, which led to each application living in an independent, predictable silo of resources.  The advantage of the silo is that the application owners knew what to expect from their resources; the disadvantage is inefficient utilization of those resources.  Businesses flocked to virtualization solutions because of the cost savings that come from fewer servers, storage arrays, and networking devices in the datacenter: less to manage, less to power and cool, and higher utilization.  Then solution providers in the cloud realized they could take this to the next level and host low-cost, shared infrastructure for their customers.  Virtualization promised to increase utilization while still maintaining this separation, but in reality we have come to understand that multi-tenancy needs more separation than the mere fact that each customer has independent VMs.  Customers feel uneasy about having their VMs running on the same hosts, network, and underlying storage as everyone else.  They want their silos.

Enter the Secure Multi-Tenancy architecture from NetApp, Cisco, and VMware.  This solution combines features of their respective products – MultiStore, VN-Link, and vShield – to allow cloud solution providers to offer the benefits of virtualization together with the advantages of the traditional silos, by segmenting the shared resources into discrete, independently manageable resources.  For example, a provider can allocate separate logical storage systems, or virtual storage appliances (vFilers), on a single NetApp system, much as we create virtual machines on a single physical server.  Management access to these vFilers can even be delegated to the customer so they can provision as they wish.  From the validated solution guide produced by Cisco:

“Providers can leverage NetApp MultiStore to enable multiple customers to share the same storage resources with minimal compromise in privacy or security, and even delegate administrative control of the virtual storage container directly to the customer.”

At first I began thinking that we are caught in a nasty circular back and forth between sharing virtualized infrastructure and the “siloing” of resources, when in fact there needs to be a balance between the two, and this looks like a good start by these major players at achieving that balance.  There truly is a need to collaborate to make sure all layers of the stack are represented and operate well together.  Virtualization-aware solutions continue to open our eyes to new use cases and will keep doing so.  I just can’t wait for desktop virtualization to become as mature as server virtualization, at which point we will see some remarkable capabilities.  Just think… shared virtual desktops that grant significant efficiencies to the solution providers and the security, segregation, and reliability demanded by the customers.

XenDesktop on VMware ESX infrastructure: Creating Desktop Groups

There are three methods for allowing the XenDesktop Desktop Delivery Controller access to VirtualCenter in order to create a new desktop group:

Method 1: Allow HTTP access to the SDK on the vCenter (VirtualCenter) web server.

Modify the proxy.xml file on the VirtualCenter server, located in C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\.  The section that reads

    <_type>vim.ProxyService.NamedPipeServiceSpec</_type>
    <accessMode>httpsWithRedirect</accessMode>
    <pipeName>\\.\pipe\vmware-vpxd-webserver-pipe</pipeName>
    <serverNamespace>/client/clients.xml</serverNamespace>

should be changed to

    <_type>vim.ProxyService.NamedPipeServiceSpec</_type>
    <accessMode>httpAndHttps</accessMode>
    <pipeName>\\.\pipe\vmware-vpxd-webserver-pipe</pipeName>
    <serverNamespace>/client/clients.xml</serverNamespace>

Then restart the VMware VirtualCenter Server service (vpxd) on the VirtualCenter host.  Note that httpAndHttps lets clients reach this endpoint over unencrypted HTTP as well as HTTPS, which makes this the least secure of the three methods.
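As an added example (not code from the original post), here is an offline audit of the proxy.xml change above: it parses a constructed proxy.xml fragment and reports every endpoint whose accessMode admits plaintext HTTP, which is exactly what Method 1 introduces. The <ConfigRoot>/<EndpointList>/<e> wrapper layout and the httpOnly entry in PLAINTEXT_MODES are assumptions; only the four child elements come from the post.

```python
# Added example (not from the original post): audit a vCenter proxy.xml for endpoints
# that accept plaintext HTTP. The <ConfigRoot>/<EndpointList>/<e> wrapper layout is
# assumed; the four child elements are the ones shown in the post.
import xml.etree.ElementTree as ET

# accessMode values that let a client reach an endpoint without TLS
# (assumption: httpOnly alongside the httpAndHttps value the post switches to)
PLAINTEXT_MODES = {"httpOnly", "httpAndHttps"}

# Constructed sample: entry 0 carries the Method 1 change, entry 1 still requires TLS.
SAMPLE_PROXY_XML = r"""<ConfigRoot>
  <EndpointList>
    <e id="0">
      <_type>vim.ProxyService.NamedPipeServiceSpec</_type>
      <accessMode>httpAndHttps</accessMode>
      <pipeName>\\.\pipe\vmware-vpxd-webserver-pipe</pipeName>
      <serverNamespace>/client/clients.xml</serverNamespace>
    </e>
    <e id="1">
      <_type>vim.ProxyService.NamedPipeServiceSpec</_type>
      <accessMode>httpsWithRedirect</accessMode>
      <pipeName>\\.\pipe\vmware-vpxd-webserver-pipe</pipeName>
      <serverNamespace>/sdk</serverNamespace>
    </e>
  </EndpointList>
</ConfigRoot>"""


def find_plaintext_endpoints(proxy_xml: str) -> list:
    """Return one {serverNamespace, accessMode} record per endpoint reachable over HTTP."""
    root = ET.fromstring(proxy_xml)
    findings = []
    for endpoint in root.iter("e"):
        mode = endpoint.findtext("accessMode", default="").strip()
        if mode in PLAINTEXT_MODES:
            namespace = endpoint.findtext("serverNamespace", default="").strip()
            findings.append({"serverNamespace": namespace, "accessMode": mode})
    return findings


def report(proxy_xml: str) -> str:
    """One-line-per-finding summary for a scheduled configuration check."""
    findings = find_plaintext_endpoints(proxy_xml)
    if not findings:
        return "OK: every endpoint requires HTTPS"
    lines = [f"WARNING: {len(findings)} endpoint(s) accept plaintext HTTP"]
    lines += [f"  {f['serverNamespace']} accessMode={f['accessMode']}" for f in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_PROXY_XML))
```

Point it at the real file on the VirtualCenter server after the change has served its purpose, to confirm the endpoint was returned to an HTTPS-only mode.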

Method 2: Import the default VMware SSL certificate into the XenDesktop Desktop Delivery Controller.  (Not recommended in a production environment, because you must use the default certificate hostname of “vmware”.)

1. Copy rui.crt from C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL to the Desktop Delivery Controller server.

2. Import the certificate into the Trusted Root Certification Authorities store for the computer account:
   - Open the Certificates snap-in in an MMC console and choose to manage the Computer account.
   - Expand down to Trusted Root Certification Authorities, right-click Certificates, and choose Import…
   - Use the wizard to select the rui.crt file that you copied from the VirtualCenter server.
   - Close the MMC.

3. Edit the hosts file in %windir%\system32\drivers\etc with Notepad, add the following line, and save the file (hosts file entries are IP address first, then hostname):

    <ip of your VirtualCenter server> vmware

Method 3: Use an SSL certificate from a trusted root authority.

This process involves creating an SSL certificate for your VirtualCenter server and configuring IIS to use this certificate.  This is a well documented procedure; see the VMware and IIS documentation for the steps.