How to keep your virtual machine estate under control
Different vendors can simplify admin, add security and reduce sprawl
By Robert L. Scheier | Computerworld US | Published: 15:30, 28 March 2012
Virtualisation cuts hardware, power and real estate costs by combining multiple servers, networks and storage arrays into virtual pools. But for users like Pat O'Day, chief technology officer at hosting and managed services provider BlueLock, managing those resource pools means wrestling with multiple applications.
"There's a backup console, the SAN has a console, antivirus has a console, everything has its own console," says O'Day. Buying all of those applications and training staffers to use them is costly and makes it hard to tune a virtualised environment to meet changing needs.
Rich Phillips wishes he could instantly create a virtual machine and provide everything it needs, such as load balancers, firewalls and database connections, and then automatically register it with his configuration management database. But the tools he's seen that are designed to do that are either too expensive or "not fully baked," says Phillips, principal network engineer at Apollo Group.
Apollo uses NetScout's nGenius Performance Manager, Service Delivery Manager, InfiniStream Console, 9900 Probes and Virtual Agents to monitor the performance of its network. Phillips says he is pleased with the tools but wishes they could also monitor and troubleshoot the servers and storage arrays that can slow application performance.
Hurdles to the single console
Vendors are working to develop tools that enable users to manage entire systems through a single console, or a "single pane of glass", but for now users must choose among products that manage only parts of their environments or focus on specific problems, such as security, backup or the sprawl of unused virtual machines.
To use such a "single pane of glass" product, some organisations would have to combine and retrain the separate teams that now manage servers, networks and storage. Moreover, customers who have invested in management frameworks from bigger companies like IBM, HP, CA and BMC would be reluctant to replace them with new systems.
Many specialised vendors realise this and now offer plugins that feed data to higher-level management tools. Some of these products work either on their own or as part of a broader platform. Quest's Cloud Automation Platform, for example, integrates with existing management tools to provide cloud-based management of IT services, as well as self-service and dynamic capacity management.
Even if obsolete or unneeded VMs aren't powered up, they take up expensive disk space. If they are running, they use computing cycles and network bandwidth and can cause performance or security problems.
Lifecycle management systems find unused virtual machines by tracking the resources they're using or their scheduled expiration dates. They may also support templates that control the amounts of CPU, memory, storage and network bandwidth available to different types of VMs, the backup or failover policies associated with them, or their life spans.
Ted Waller, Internet operations engineer at Cvent, a vendor of online event management software, says he uses V-Commander virtual machine management software from Embotics because with it, he can require users to set expiration dates for the VMs they request. Like many other tools, V-Commander can also send warning emails to owners of virtual machines that are due to expire, among other capabilities.
Tools with similar functionality include BMC Software's BMC Cloud Lifecycle Management software, VKernel's Optimisation Pack, VMware's vCenter CapacityIQ, Abiquo's Abiquo 1.7 and CommVault Systems' Simpana 9.
Administrators can control VM sprawl by making users pay for the virtual resources they use (chargeback) or showing them the costs of the assets they use (showback). Showback systems are easier to implement than chargeback systems; they also help internal IT shops prove that they can match the prices of outside providers.
The chargeback tool in VMware's vCenter can map costs to business units, cost centres or external customers. BMC Capacity Management software can show costs based on either preset configurations or what the VM actually uses. CA Technologies offers showback and chargeback functionality in all of its virtualisation automation tools. Products with similar features include Hyper9's virtualisation management software and VKernel's Chargeback.
Security and compliance
As virtualisation becomes more common, security and regulatory compliance become more critical. But dealing with those concerns isn't easy, because traffic flowing among virtual machines within a host is harder to track than traffic among physical servers passing over the corporate network, says Ken Owens, technology vice president for security and virtualisation at Savvis, a managed services and hosting provider.
Some data might have to be encrypted, or it might only be allowed to run on network segments with certain security configurations. Waller would like to tweak his network configurations using V-Commander rather than VMware, whose access controls he calls "clunky". Owens says Savvis chose Vtrust security software from Reflex Systems because it blocks threats and can monitor traffic within a virtualised environment and ensure that VMs have the proper security configurations.
VMware's vShield products provide a single framework to secure virtual servers, networks, data and endpoints, and its vCloud Director creates "virtual data centers" that keep users' or customers' data and applications separate. That's important for service providers that need to protect customer data in multitenant environments.
HyTrust's Appliance provides automated administrative access control, "hardens" the hypervisors that manage virtual machines, and ensures that VMs are configured correctly. Enterasys Data Center Manager identifies virtual machines by their MAC (media access control) addresses when they enter the network and applies the appropriate security policies. Symantec's Critical System Protection tool offers a single management, policy and reporting framework to control (among other things) network traffic, device access, configuration and system lockdowns, and administrator access control.
Products that identify VMs that "drift" from desired states include CA Virtual Configuration, BMC BladeLogic Server Automation Suite and VMware vCenter Configuration Manager.