Shobhan Lakkapragada – Director of Product Management
Stefan Tsonev – Director of Engineering
STO2451BU
Automating Disaster Recovery Operations in the SDDC with SRM, vRealize Automation, and NSX
VMworld 2017 Content: Not for publication or distribution
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
Agenda
1 SRM + vRealize Automation (vRA) + NSX: Solution Overview and Benefits
2 SRM + vRealize Automation Deep Dive
4 SRM + NSX Deep Dive
5 Q&A
VMware Site Recovery Manager
[Diagram: Production Site and Recovery Site, each with Servers, vSphere, vCenter Server and Site Recovery Manager, connected by array-based replication or vSphere Replication]
• SRM is the industry-leading disaster recovery automation solution for vSphere environments
• Centralized recovery plans for thousands of VMs
• Non-disruptive recovery testing
• Automated DR workflows
• Integrated with the VMware product stack
• Lowers the cost of DR management by 50% or more
• Eliminates complexity and risk of manual processes
• Enables fast and highly predictable RTOs
• Provides policy-driven DR control for any virtualized app
SRM + vRealize Automation enables Self-Service, Policy-Based DR Protection For Apps
Capabilities
• Self-service DR provisioning using vRealize Automation blueprints
• Automated protection mapping according to pre-defined tiers
Architecture
[Diagram: vRealize Automation, plus a Production Site and a Recovery Site, each with vSphere, Site Recovery Manager and External Storage, linked by Array-based Replication]
• vRealize Orchestrator plugin for SRM
• Integration with vRealize Automation
• New APIs exposed for PowerCLI integration
Benefits
• DR control delivered as a service to app tenants
• Quicker time to market for apps
• Reduced complexity for infrastructure admins
NSX 6.3 Integration – Reduce OpEx and Accelerate Recovery
[Diagram: SRM A and SRM B, each with a Distributed Switch, joined by an NSX Universal Logical Switch (Implicit Mapping)]
Overview
• SRM 6.5 supports NSX 6.3 cross-vCenter logical switches
• Automatic mapping of networks
• Preserved network and security rules on recovered VMs
Benefits
• Reduce OpEx
• Decreased manual configurations post-recovery
• Faster recovery time by 40% (1) or more
Available since SRM 6.1
(1) VMware Performance Engineering – internal testing
SRM + vRealize Automation (vRA) – Key Benefits
• Protect vRA management components and production workloads
• Incorporate DR protection capability into provisioning process
• Recover all components & resume day 2 operations
[Diagram: (1) DR protect vRA management components; (2) Policy-based DR protection through vRA for workload VMs; (3) Recover vRA and workload VMs]
SRM + vRA Deployment – vRA considerations
[Diagram: “Palo Alto” Site and “Wenatchee” Site, each with vCenter, SRM, a vRA vSphere Agent and SRM-protected workload VMs; vRA is shown once. vCenters of both sites are managed endpoints in vRA.]
• vRA is deployed on one site (does not matter which)
• Workload VM(s) are provisioned to a desired site
• Both sites are endpoints in vRA
• Reservations at both endpoints
• Data collection on ALL compute resources containing protected VM(s)
• SRM Placeholder VM(s) ignored by vRA
SRM + vRA Deployment – SRM considerations
[Diagram: “Palo Alto” Site and “Wenatchee” Site, each with vCenter, SRM, a vRA vSphere Agent and SRM-protected workload VMs; vRA is shown once. vCenters of both sites are managed endpoints in vRA.]
• vRA management components deployed in a dedicated SRM protection group / recovery plan
• Workload VMs added to SRM protection groups and recovery plans as in normal SRM deployment
• SRM creates corresponding placeholder at opposite site for each workload VM(s)
• SRM placeholder VM(s) ignored by vRA
How does vRealize Automation deal with VMs being failed over?
• Configure two scripts in SRM Recovery Plan
1. Pre-failover script that stops vRA from monitoring workload VMs during failover process
2. Post-failover script that resumes monitoring after VMs are failed over
• More info: http://pubs.vmware.com/vrealize-suite-70/topic/com.vmware.ICbase/PDF/vrealize-suite-70-disaster-recovery-SRM-61.pdf
DR Protection for new workload VMs deployed through vRA
vRA Provisioning with Automated SRM Protection
Which pieces do what?
vRealize Automation (vRA)
• End user facing portal
• Policy based control over placement (e.g. onto replicated storage)
vRealize Orchestrator (vRO)
• Extends vRA provisioning capabilities
• vRA Plug-in – Enables vRA to call vRO workflows to perform post-provisioning actions
• SRM Plug-in – Enables SRM protection automation (e.g. protect a VM)
SRM
• Provides fully automated disaster recovery of protected workloads
Automated DR provisioning through vRA
Let’s automate protection of workloads as part of vRA provisioning
A few capabilities that will help!
• vRA extensibility using vRO workflows
• vRealize Orchestrator plugins for SRM and VR allow us …
– to replicate workloads with vSphere Replication eliminating the need for expensive storage arrays
– to automatically protect workloads with SRM!
– configure per-VM SRM recovery settings like:
• Recovery priority
• Command call-outs
• Etc…
vRO workflow for vSphere Replication and Site Recovery Manager configuration
Configuring Subscription in vRealize Automation
Configuring Subscription conditions in vRealize Automation
Workflow Selection in vRealize Automation
SRM + NSX Overview
Feature Definition
• Preserves VMs affinity to NSX stretched network(s) during Failover
• Preserved network and security rules on recovered VMs
• No user-provided Inventory Network mappings configuration is required
• Works out-of-the box (“auto-mappings”)
• Respects Inventory Mapper’s network mappings
• Supports Federated and non-Federated vCenter Server configurations
Solution Overview
Feature Definition (What Does it NOT do)
• Does not configure, monitor or protect NSX components
– Assumes the stretched network is already configured by the networking admin
– Assumes DFW rules and policies are replicated as needed by NSX
• Does not handle regular NSX-backed networks in any special way
– Provides auto-mapping for NSX Universal Logical Switches only
• Does not provide post-recovery NSX management
Solution Prerequisites
Requirements and Limitations
• Requires NSX 6.3 and SRM 6.5
• NSX Stretched Network Provisioning/Configuration
– Performed using the NSX vSphere UI plugin, or can be scripted
• Storage Policy Protection Groups
– Requires array-based replication only
– Supports Cross-vCenter vMotion with stretched storage configuration
• For regular Virtual Machine Protection Groups
– Auto-mapping integration capability is not supported
– All NSX networks treated as regular network configurations
Theory of Operation: Discovering Universal Wires
• NSX Device Topology follows the vSphere VDS Architecture
• Cluster → VDS (NSX Logical Switch) → Distributed Virtual Portgroup → vNIC
Theory of Operation: Discovering Universal Wires (cont.)
• Use distinct naming conventions (“vxw” prefix)
• NSX Network Naming Scheme
– dvs-29: DVS MoId
– universalwire-1: Logical Switch ID
– 10000: Logical Switch Segment ID (= VXLAN Network ID)
• Universal Wire
– Spanned between 2+ Logical Switches
– Logical Switches have the same Logical Switch ID on both sites
PowerCLI> Get-VDPortgroup -Name vxw* | ft -au
Name NumPorts PortBinding
---- ------- -----------
vxw-vmknicPg-dvs-29-0-dc48a115-c545-4d95-9fa2-69ff90802813 8 Static
vxw-dvs-29-universalwire-1-sid-100000-primary-logical-switch-07-08 8 Static
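The naming scheme above makes a universal wire identifiable from the portgroup name alone. As an added illustration (not code from the presentation and not SRM's implementation), this PowerShell example parses the names and pairs universal wires across two sites by Logical Switch ID; the recovery-site names, the `virtualwire` names and the function name are constructed for the example.

```powershell
# Parse NSX portgroup names; emits nothing for names that are not universal wires.
function ConvertFrom-UniversalWireName {
    param([string[]]$Name)
    $pattern = '^vxw-(?<dvs>dvs-\d+)-(?<wire>universalwire-\d+)-sid-(?<sid>\d+)-(?<label>.+)$'
    foreach ($n in $Name) {
        if ($n -match $pattern) {
            [pscustomobject]@{
                DvsMoId         = $Matches['dvs']
                LogicalSwitchId = $Matches['wire']
                SegmentId       = [int]$Matches['sid']
                Portgroup       = $n
            }
        }
    }
}

# Constructed inventories. Live, each list would be (Get-VDPortgroup -Name vxw*).Name per vCenter.
$protectedSite = @(
    'vxw-vmknicPg-dvs-29-0-dc48a115-c545-4d95-9fa2-69ff90802813'          # from the slide
    'vxw-dvs-29-universalwire-1-sid-100000-primary-logical-switch-07-08'  # from the slide
    'vxw-dvs-29-universalwire-2-sid-100001-app-tier'                      # constructed
    'vxw-dvs-29-virtualwire-7-sid-5001-local-only'                        # constructed, not universal
)
$recoverySite = @(
    'vxw-dvs-41-universalwire-1-sid-100000-primary-logical-switch-07-08'  # constructed
    'vxw-dvs-41-virtualwire-3-sid-6001-local-only'                        # constructed
)

# Index the recovery site by Logical Switch ID, the value that is identical on both sites.
$peers = @{}
foreach ($w in (ConvertFrom-UniversalWireName $recoverySite)) { $peers[$w.LogicalSwitchId] = $w }

$report = foreach ($w in (ConvertFrom-UniversalWireName $protectedSite)) {
    $peer = $peers[$w.LogicalSwitchId]
    $recoveryPg = if ($peer) { $peer.Portgroup } else { '-' }
    $status = if ($peer) { 'resolved by Logical Switch ID' } else { 'unresolved: needs a network mapping' }
    [pscustomobject]@{
        LogicalSwitchId   = $w.LogicalSwitchId
        SegmentId         = $w.SegmentId
        ProtectedDvs      = $w.DvsMoId
        RecoveryPortgroup = $recoveryPg
        Status            = $status
    }
}
$report | Format-Table -AutoSize
```

Names that do not contain `universalwire` (the vmknic portgroup and the local-only switches) are skipped, matching the statement that auto-mapping applies to Universal Logical Switches only.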
Storage Policy-Based Protection Groups
[Diagram labels: Storage Policy; Profile Driven Protection Group]
• Policy Driven Protection
• New Style Protection Group leveraging storage profiles
• High level of automation compared to traditional protection groups
• Policy based approach reduces OpEx
• Simpler integration of VM provisioning, migration, and decommissioning
Theory of Operation: Protection
• Device-based (vs. Inventory Mapping based) mapping concept
• Extends the existing vNIC device protection (Protected Site)
• Detects that vNIC is backed by a stretched NSX network
• Records the Logical Switch ID into the VM’s placeholder file (.vmx)
• The .vmx file is replicated by the underlying array-based replication
Test Recovery Workflow
• Does not preserve affinity to stretched network by default
• Recovers to an ad-hoc isolated Test Bubble Network
• Use Recovery Plan Test Network mappings to override this behavior
• Map (all) universal wires to themselves
• Global Test Network Mapping
• NOT supported for auto-mapped networks
o An Inventory Mapping UI limitation
o Supported at the VMODL level
Planned Migration and Disaster Recovery Workflows
• Planned Migration and Disaster Recovery
• Resolves network device backing to reciprocal NSX Distributed Virtual Portgroup
• Unresolved networks are fixed/resolved using Placeholder Network Mappings
• Live Migration with xvMotion on Stretched Storage
• NSX integration is fully supported on this topology
• The target NSX network is to be resolved prior to starting xvMotion
• NSX Distributed Firewall, Routing and Rules
• Remain in effect as long as they are expressed in MAC and IP address terms
• Container-based rules (if any) might need to be updated after Failover
• Virtual Machine IP customization not required
SRM & NSX: Delivering Simplification and Value
[Diagram: DMZ - Web Logical Switch 172.16.10.0/24 carrying Finance VMs FIN-WEB-01 and FIN-WEB-02 (security group SG-FIN-WEB) and HR VMs HR-WEB-01 and HR-WEB-02 (security group SG-HR-WEB), with ICMP and HTTPS flows]
Source | Destination | Service | Action | Apply To
Any | SG-FIN-WEB, SG-HR-WEB | HTTPS | Allow | SG-FIN-WEB, SG-HR-WEB
Any | SG-FIN-WEB, SG-HR-WEB | Any | Block | SG-FIN-WEB, SG-HR-WEB
SG-FIN-WEB | SG-FIN-WEB | ICMP | Allow | SG-FIN-WEB
SG-FIN-WEB | SG-FIN-WEB | Any | Block | SG-FIN-WEB
SG-HR-WEB | SG-HR-WEB | ICMP | Allow | SG-HR-WEB
SG-HR-WEB | SG-HR-WEB | Any | Block | SG-HR-WEB
SG-FIN-WEB | SG-HR-WEB | ICMP | Allow | SG-FIN-WEB, SG-HR-WEB
SG-FIN-WEB | SG-HR-WEB | Any | Block | SG-FIN-WEB, SG-HR-WEB
Access to shared services must be protected for all Tenants and Tiers
[Diagram: a DLR connecting the DMZ - Web Logical Switch 172.16.10.0/24, App Logical Switch 172.16.20.0/24 and DB Logical Switch 172.16.30.0/24 (each with Finance and HR workloads) to the COMMON MGMT Logical Switch 10.1.1.0/24 and COMMON SVCS Logical Switch 10.1.2.0/24, which host the SYSLOG, SNMP, STATS, NTP, DNS and AAA servers. Security groups: SG-FIN-WEB, SG-HR-WEB, SG-FIN-APP, SG-FIN-DB, SG-HR-APP, SG-HR-DB, SG-SHARED-SERVICES]