May 13

Using VLANs to Isolate Traffic

Using VLANs in vSphere helps you adapt the environment to network changes. VLAN modes overcome the limitations of the networking equipment and of host physical connectivity.

Rating: 5/5


Apr 29

VXLAN Virtual Wires, Part Two, Creating Virtual Wires

R&D Manager Sachin Thakkar shows you how to prepare your physical network for VXLAN virtual wires and then takes you through the procedure of creating a VXLAN virtual wire.

Rating: 5/5


Apr 28

VXLAN Virtual Wires, Part one, Overview


Rating: 5/5


Apr 24

Load Balancing Algorithms available for Virtual Switches in vSphere 6.0

In this video you will learn about the available load balancing algorithms in vSphere 6.0.

Rating: 5/5


Apr 24

Best Practices for using VMware Converter

This video provides an overview of the best practices for converting a machine with VMware Converter. This video is based on VMware knowledge base article 1004588. This video also provides tips to consider when converting your machine. The video can help you avoid some of these errors:
Unknown error returned by VMware Converter Agent
Out of disk space
Failed to establish Vim connection
Import host not found
P2VError UFAD_SYSTEM_ERROR(Internal Error)
Pcopy_CloneTree failed with err=80
The file exists (80)
Failed to connect
Giving up trying to connect
Failed to take snapshot of the source volume
stcbasic.sys not installed or snapshot creation failed. err=2
Can’t create undo folder
sysimage.fault.FileCreateError
sysimage.fault.ReconfigFault
sysimage.fault.PlatformError
Number of virtual devices exceeds maximum for a given controller
TooManyDevices
QueryDosDevice: ret=270 size=1024 err=0
Error opening disk device: Incorrect function (1)
Vsnap does not have admin rights
Specified key identifier already exists
vim.fault.NoDiskSpace

Rating: 5/5


Apr 16

How to expand a VMDK and extend a partition in Windows for VMware ESX

http://kb.vmware.com/kb/1007266 This video steps you through expanding a VMDK and extending a partition using DiskPart. Essentially, this allows for expanding the virtual disk for virtual machines in VMware ESX.

Rating: 5/5


Mar 14

Roles, Privileges and Permissions in the vSphere Web Client

Senior Staff Engineer Peter Shepherd discusses privileges, roles, and permissions, and demonstrates how to create a virtual machine administrator role in the vSphere Web Client.

Rating: 5/5


Mar 14

Migrating Host Networking to a vSphere Distributed Switch

Senior Staff Engineer Peter Shepherd shows you how to easily migrate host networking from a vSphere Standard Switch to a vSphere Distributed Switch in a single workflow.

Rating: 5/5


Mar 14

vSphere Network I/O Control, Version 3

vSphere network I/O control version 3, available in vSphere 6.0, offers granular network resource reservation and allocation across the entire switch.

Rating: 5/5


Mar 12

VMware vSphere Virtual Machine Encryption Performance

Executive Summary

VMware vSphere® virtual machine encryption (VM encryption) is a feature introduced in vSphere 6.5 to enable the encryption of virtual machines. VM encryption protects VMDK data by encrypting the I/Os of a virtual machine that has the feature enabled before they are stored in the VMDK. In this paper, we quantify the impact of VM encryption on a VM’s I/O performance as well as on some VM provisioning operations such as VM clone, power-on, and snapshot creation. We show that while VM encryption can become a bottleneck for I/O throughput and latency on ultra-high-performance devices (such as a high-end NVMe drive) that support hundreds of thousands of IOPS, for most regular types of storage, such as enterprise-class SSD or VMware vSAN™, the impact on I/O performance is minimal.

Introduction

VM encryption supports the encryption of virtual machine files, virtual disk files, and core dump files. Some of the files associated with a virtual machine like log files, VM configuration files, and virtual disk descriptor files are not encrypted. This is because they mostly contain non-sensitive data and operations like disk management should be supported whether or not the underlying disk files are secured. VM encryption uses vSphere APIs for I/O filtering (VAIO), henceforth referred to as IOFilter.

IOFilter is an ESXi framework that allows the interception of VM I/Os in the virtual SCSI emulation (VSCSI) layer. At a high level, the VSCSI layer can be thought of as the layer in ESXi just below the VM and above the VMFS file system. The IOFilter framework enables developers, both VMware and third-party vendors, to write filters that implement additional services on VM I/Os, such as encryption, caching, and replication. The framework is implemented entirely in user space. This isolates VM I/O processing cleanly from the core architecture of ESXi, so a defect in a filter cannot compromise the core functionality of the hypervisor; in case of a failure, only the VM in question is affected. Multiple filters can be enabled for a particular VM or VMDK. They are chained as illustrated in Figure 1, so that I/Os are processed by each filter serially, one after the other, and are then either passed down to VMFS or completed within one of the filters.

Figure 1: IOFilter design

VM Encryption Overview

The primary purpose of VM encryption is to secure the data in VMDKs, such that any unauthorized entity that accesses the VMDK data sees only meaningless data. The VM that legitimately owns the VMDK holds the key needed to decrypt the data whenever it is read and fed to the guest operating system. Industry-standard encryption algorithms are used to secure this traffic with minimal overhead.
While VM encryption does not impose any new hardware requirements, a processor that supports the AES-NI instruction set speeds up the encryption/decryption operations. To quantify the performance that can be expected on a traditional server without an AES-NI enabled processor, the results in this paper were obtained on slightly older servers that do not support the AES-NI instruction set.

Design

VM Encryption Components
Figure 2 shows the various components involved as part of the VM encryption mechanism. It consists of an external key management server (KMS), the vCenter Server system, and an ESXi host or hosts. vCenter Server requests keys from an external KMS, which generates and stores the keys and passes them down to vCenter Server for distribution. An important aspect to note is that there is no “per-block hashing” for the virtual disk.

This means VM encryption provides data protection against snooping, not against data corruption, since there is no hash with which corruption could be detected and recovered from. As an additional measure, the encryption takes into account not only the encryption key but also the block’s address, so two blocks of a VMDK with the same content encrypt to different data.
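The two properties just described (address-dependent ciphertext, and no integrity check to catch corruption) can be observed directly. The following Go program is an added illustration, not VMware's code: the page does not state the cipher mode vSphere uses, so AES-CTR with the block address folded into the counter is assumed, with a constructed key and a 512-byte block size.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
)

const blockSize = 512 // assumed virtual disk block size for this illustration

// Constructed 256-bit key standing in for a key vCenter Server would obtain from the KMS.
var demoKey = bytes.Repeat([]byte{0x42}, 32)

// cryptBlock encrypts (or, CTR being symmetric, decrypts) one disk block. The
// counter block is derived from the block address (lba), so identical plaintext
// at two addresses yields different ciphertext. Assumed mode, not vSphere's.
func cryptBlock(lba uint64, in []byte) []byte {
	c, err := aes.NewCipher(demoKey)
	if err != nil {
		panic(err) // cannot happen with the fixed 32-byte key above
	}
	iv := make([]byte, aes.BlockSize) // high 8 bytes: lba, low 8 bytes: counter
	binary.BigEndian.PutUint64(iv[:8], lba)
	out := make([]byte, len(in))
	cipher.NewCTR(c, iv).XORKeyStream(out, in)
	return out
}

// AddressTweakDiffers reports whether identical contents at two addresses encrypt differently.
func AddressTweakDiffers() bool {
	plain := bytes.Repeat([]byte("A"), blockSize)
	return !bytes.Equal(cryptBlock(0, plain), cryptBlock(1, plain))
}

// SilentCorruptionBytes flips one stored ciphertext bit and decrypts. With no
// per-block hash nothing rejects the block; it returns how many bytes changed.
func SilentCorruptionBytes() int {
	plain := bytes.Repeat([]byte("A"), blockSize)
	ct := cryptBlock(7, plain)
	ct[100] ^= 0x01 // simulated single-bit corruption of the block on disk
	back := cryptBlock(7, ct)
	changed := 0
	for i := range back {
		if back[i] != plain[i] {
			changed++
		}
	}
	return changed
}
```

The corrupted block decrypts without any error, which is exactly why the paper notes that integrity must come from elsewhere (for example, the storage layer) rather than from VM encryption.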

Key Management

To visualize the mechanism of encryption (and decryption), we need to look at how the various elements in the security policy are laid out topologically. The KMS is the central server in this security-enabled landscape. Figure 3 shows a simplified topology.
Figure 3: Encryption-enabled vCenter Server (VC) topology

The KMS is a secure, centralized repository of cryptographic keys. More than one KMS can be configured with a vCenter Server. However, only KMSs that replicate keys among themselves (usually from the same vendor) should be added to the same KMS cluster; otherwise each KMS should be placed in its own KMS cluster. One of the KMS clusters must be designated as the default in vCenter Server. Only Key Management Interoperability Protocol (KMIP) v1.1 compliant KMSs are supported, and vCenter Server acts as the KMIP client, which lets it talk to any KMIP-compliant KMS vendor. Before transacting with the KMS, vCenter Server must establish a trust relationship with it, and this must be done manually.

Download

Download a full VMware vSphere Virtual Machine Encryption Performance vSphere 6.5 Guide.

Rating: 5/5