Shobhan Lakkapragada Director of Product Management Stefan Tsonev Director of Engineering STO2451BU #VMWorld #STO2451BU Automating Disaster Recovery Operations in the SDDC with SRM, vRealize Automation, and NSX VMworld 2017 Content: Not for publication or distribution


Post on 17-Jun-2018


Shobhan Lakkapragada – Director of Product Management
Stefan Tsonev – Director of Engineering

STO2451BU

#VMWorld #STO2451BU

Automating Disaster Recovery Operations in the SDDC with SRM, vRealize Automation, and NSX


Disclaimer

• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.

#STO2451BU CONFIDENTIAL 2


Agenda

1 SRM + vRealize Automation (vRA) + NSX: Solution Overview and Benefits

2 SRM + vRealize Automation Deep Dive

4 SRM + NSX Deep Dive

5 Q&A


VMware Site Recovery Manager

[Diagram: Production Site and Recovery Site, each with vCenter Server, Site Recovery Manager, vSphere and servers, linked by array-based replication and vSphere Replication]

• SRM is the industry-leading disaster recovery automation solution for vSphere environments
• Centralized recovery plans for thousands of VMs
• Non-disruptive recovery testing
• Automated DR workflows
• Integrated with the VMware product stack
• Lowers the cost of DR management by 50% or more
• Eliminates complexity and risk of manual processes
• Enables fast and highly predictable RTOs
• Provides policy-driven DR control for any virtualized app


SRM + vRealize Automation enables Self-Service, Policy-Based DR Protection For Apps

Capabilities

• Self-service DR provisioning using vRealize Automation blueprints
• Automated protection mapping according to pre-defined tiers

Architecture

[Diagram: Production Site and Recovery Site, each with vSphere, Site Recovery Manager and External Storage, linked by array-based replication, plus vRealize Automation]

• vRealize Orchestrator plugin for SRM
• Integration with vR Automation
• New APIs exposed for PowerCLI integration

Benefits

• DR control delivered as a service to app tenants
• Quicker time to market for apps
• Reduced complexity for infrastructure admins


NSX 6.3 Integration – Reduce OpEx and Accelerate Recovery

[Diagram: implicit mapping between SRM A and SRM B, each with a Distributed Switch, over an NSX Universal Logical Switch]

Overview

• SRM 6.5 supports NSX 6.3 cross-vCenter logical switches
• Automatic mapping of networks
• Preserved network and security rules on recovered VMs

Benefits

• Reduce OpEx
• Decreased manual configurations post-recovery
• Faster recovery time by 40% (1) or more

(1) VMware Performance Engineering – internal testing

Available since SRM 6.1


SRM + vRealize Automation Deep Dive


SRM + vRealize Automation (vRA) – Key Benefits

• Protect vRA management components and production workloads

• Incorporate DR protection capability into provisioning process

• Recover all components & resume day 2 operations

[Diagram, three numbered boxes: DR protect vRA management components; policy-based DR protection through vRA for workload VMs; recover vRA and workload VMs]


SRM + vRA Deployment – vRA considerations

[Diagram: “Palo Alto” and “Wenatchee” sites, each with vCenter, SRM, a vRA vSphere Agent and SRM-protected workload VMs, plus vRA. Caption: vCenters of both sites are managed endpoints in vRA.]

• vRA is deployed on one site (does not matter which)

• Workload VM(s) are provisioned to a desired site

• Both sites are endpoints in vRA

• Reservations at both endpoints

• Data collection on ALL compute resources containing protected VM(s)

• SRM Placeholder VM(s) ignored by vRA


SRM + vRA Deployment – SRM considerations

[Diagram: “Palo Alto” and “Wenatchee” sites, each with vCenter, SRM, a vRA vSphere Agent and SRM-protected workload VMs, plus vRA. Caption: vCenters of both sites are managed endpoints in vRA.]

• vRA management components deployed in dedicated SRM protection group / recovery plan

• Workload VMs added to SRM protection groups and recovery plans as in normal SRM deployment

• SRM creates corresponding placeholder at opposite site for each workload VM(s)

• SRM placeholder VM(s) ignored by vRA


How does vRealize Automation deal with VMs being failed over?

• Configure two scripts in SRM Recovery Plan

1. Pre-failover script that stops vRA from monitoring workload VMs during failover process

2. Post-failover script that resumes monitoring after VMs are failed over

• More info: http://pubs.vmware.com/vrealize-suite-70/topic/com.vmware.ICbase/PDF/vrealize-suite-70-disaster-recovery-SRM-61.pdf


DR Protection for new workload VMs deployed through vRA


vRA Provisioning with Automated SRM Protection

Which pieces do what?

vRealize Automation (vRA)
• End user facing portal
• Policy based control over placement (e.g. onto replicated storage)

vRealize Orchestrator (vRO)
• Extends vRA provisioning capabilities
• vRA Plug-in – Enables vRA to call vRO workflows to perform post-provisioning actions
• SRM Plug-in – Enables SRM protection automation (e.g. protect a VM)

SRM
• Provides fully automated disaster recovery of protected workloads


Automated DR provisioning through vRA

Let’s automate protection of workloads as part of vRA provisioning

A few capabilities that will help!

• vRA extensibility using vRO workflows

• vRealize Orchestrator plugins for SRM and VR allow us …

– to replicate workloads with vSphere Replication eliminating the need for expensive storage arrays

– to automatically protect workloads with SRM!

– configure per-VM SRM recovery settings like:

• Recovery priority

• Command call-outs

• Etc…


vRO workflow for vSphere Replication and Site Recovery Manager configuration


Configuring Subscription in vRealize Automation


Configuring Subscription conditions in vRealize Automation


Workflow Selection in vRealize Automation


SRM and NSX


SRM + NSX Overview

Feature Definition

• Preserves VMs affinity to NSX stretched network(s) during Failover

• Preserved network and security rules on recovered VMs

• No user-provided Inventory Network mappings configuration is required

• Works out-of-the box (“auto-mappings”)

• Respects Inventory Mapper’s network mappings

• Supports Federated and non-Federated vCenter Server configurations


Solution Overview

Feature Definition (What Does it NOT do)

• Does not configure, monitor or protect NSX components

– Assumes the stretched network is already configured by the networking admin

– Assumes DFW rules and policies are replicated as needed by NSX

• Does not handle regular NSX-backed networks in any special way

– Provides auto-mapping for NSX Universal Logical Switches only

• Does not provide post-recovery NSX management


Requirements and Limitations

• Requires NSX 6.3 and SRM 6.5

• NSX Stretched Network Provisioning/Configuration

• Performed using the NSX vSphere UI plugin, or can be scripted

• Storage Policy Protection Groups

• Requires array-based replication only

• Supports Cross-vCenter vMotion with stretched storage configuration

• For regular Virtual Machine Protection Groups

• Auto-mapping integration capability is not supported

• All NSX networks treated as regular network configurations


Solution Prerequisites


Theory of Operation: Discovering Universal Wires

• NSX DeviceTopology follows the vSphere VDS Architecture

• Cluster VDS (NSX Logical Switch) Distributed Virtual Portgroup vNIC


Theory of Operation: Discovering Universal Wires (cont.)

• Use distinct naming conventions (“vxw” prefix)

• NSX Network Naming Scheme

• dvs-29 DVS MoId

• universalwire-1 Logical Switch ID

• 10000 Logical Switch Segment ID (= VXLAN Network ID)

• Universal Wire

• Spanned between 2+ Logical Switches

• Logical Switches have the same Logical Switch ID on both sites

PowerCLI> Get-VDPortgroup -Name vxw* | ft -au

Name                                                               NumPorts PortBinding
----                                                               -------  -----------
vxw-vmknicPg-dvs-29-0-dc48a115-c545-4d95-9fa2-69ff90802813         8        Static
vxw-dvs-29-universalwire-1-sid-100000-primary-logical-switch-07-08 8        Static
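
The naming scheme above can be parsed to tell universal wires from other "vxw" portgroups and to check that each one has a peer with the same Logical Switch ID on the other site. This is an added example, not code from the presentation; both function names, the `virtualwire` name and the recovery-site `dvs-41` name are constructed for illustration.

```powershell
# Added example, not from the slides: parse NSX-backed portgroup names and
# pair universal wires across two sites by Logical Switch ID.
$NsxName = '^vxw-(?<dvs>dvs-\d+)-(?<wire>(?<kind>universalwire|virtualwire)-\d+)-sid-(?<sid>\d+)-(?<label>.+)$'

function ConvertFrom-NsxPortgroupName {
    # Hypothetical helper: split a name into the fields listed on the slide.
    param([Parameter(Mandatory)][string]$Name)
    if ($Name -notmatch $NsxName) { return }   # e.g. vxw-vmknicPg-* is not a logical switch
    [pscustomobject]@{
        Name            = $Name
        DvsMoId         = $Matches['dvs']
        LogicalSwitchId = $Matches['wire']
        SegmentId       = [int]$Matches['sid']
        IsUniversal     = $Matches['kind'] -eq 'universalwire'
    }
}

function Get-UniversalWirePair {
    # Hypothetical helper: per protected-site network, find the recovery-site peer (if any).
    param([string[]]$ProtectedNames, [string[]]$RecoveryNames)
    $peers = @{}
    foreach ($n in $RecoveryNames) {
        $pg = ConvertFrom-NsxPortgroupName -Name $n
        if ($pg -and $pg.IsUniversal) { $peers[$pg.LogicalSwitchId] = $pg }
    }
    foreach ($n in $ProtectedNames) {
        $pg = ConvertFrom-NsxPortgroupName -Name $n
        if (-not $pg) { continue }
        $peer = if ($pg.IsUniversal) { $peers[$pg.LogicalSwitchId] } else { $null }
        [pscustomobject]@{
            LogicalSwitchId = $pg.LogicalSwitchId
            SegmentId       = $pg.SegmentId
            ProtectedDvs    = $pg.DvsMoId
            RecoveryDvs     = if ($peer) { $peer.DvsMoId } else { '-' }
            HasPeer         = [bool]$peer
        }
    }
}

# Protected site: the two names from the slide plus one constructed local switch.
$protected = @(
    'vxw-vmknicPg-dvs-29-0-dc48a115-c545-4d95-9fa2-69ff90802813',
    'vxw-dvs-29-universalwire-1-sid-100000-primary-logical-switch-07-08',
    'vxw-dvs-29-virtualwire-5-sid-5001-app-local'   # constructed
)
# Recovery site: constructed peer with the same Logical Switch ID on another DVS.
$recovery = @('vxw-dvs-41-universalwire-1-sid-100000-primary-logical-switch-07-08')
Get-UniversalWirePair -ProtectedNames $protected -RecoveryNames $recovery | Format-Table -AutoSize
```

Only `universalwire-1` reports a peer; the vmknic portgroup is skipped and the constructed local switch has none, which matches the slide's point that auto-mapping applies to Universal Logical Switches only.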


Storage Policy-Based Protection Groups

[Diagram: Profile Driven Protection Group, Storage Policy]

• Policy Driven Protection
• New Style Protection Group leveraging storage profiles
• High level of automation compared to traditional protection groups
• Policy based approach reduces OpEx
• Simpler integration of VM provisioning, migration, and decommissioning


Theory of Operation: Protection

• Device-based (vs. Inventory Mapping based) mapping concept

• Extends the existing vNIC device protection (Protected Site)

• Detects that vNIC is backed by a stretched NSX network

• Records the Logical Switch ID into the VM’s placeholder file (.vmx)

• The .vmx file is replicated by the underlying array-based replication


Test Recovery Workflow

• Does not preserve affinity to stretched network by default

• Recovers to an ad-hoc isolated Test Bubble Network

• Use Recovery Plan Test Network mappings to override this behavior

• Map (all) universal wires to themselves

• Global Test Network Mapping

• NOT supported for auto-mapped networks

o An Inventory Mapping UI limitation

o Supported at the VMODL level


Planned Migration and Disaster Recovery Workflows

• Planned Migration and Disaster Recovery

• Resolves network device backing to reciprocal NSX Distributed Virtual Portgroup

• Unresolved networks are fixed/resolved using Placeholder Network Mappings

• Live Migration with xvMotion on Stretched Storage

• NSX integration is fully supported on this topology

• The target NSX network is to be resolved prior to starting xvMotion

• NSX Distributed Firewall, Routing and Rules

• Remain in effect as long as they are expressed in MAC and IP address terms

• Container-based rules (if any) might need to be updated after Failover

• Virtual Machine IP customization not required


SRM & NSX: Delivering Simplification and Value

[Diagram: DMZ - Web Logical Switch 172.16.10.0/24 with Finance and HR tenants; security groups SG-FIN-WEB and SG-HR-WEB; VMs FIN-WEB-01, FIN-WEB-02, HR-WEB-01, HR-WEB-02; ICMP and HTTPS flows]

Source      Destination            Service  Action  Apply To
Any         SG-FIN-WEB, SG-HR-WEB  HTTPS    Allow   SG-FIN-WEB, SG-HR-WEB
Any         SG-FIN-WEB, SG-HR-WEB  Any      Block   SG-FIN-WEB, SG-HR-WEB
SG-FIN-WEB  SG-FIN-WEB             ICMP     Allow   SG-FIN-WEB
SG-FIN-WEB  SG-FIN-WEB             Any      Block   SG-FIN-WEB
SG-HR-WEB   SG-HR-WEB              ICMP     Allow   SG-HR-WEB
SG-HR-WEB   SG-HR-WEB              Any      Block   SG-HR-WEB
SG-FIN-WEB  SG-HR-WEB              ICMP     Allow   SG-FIN-WEB, SG-HR-WEB
SG-FIN-WEB  SG-HR-WEB              Any      Block   SG-FIN-WEB, SG-HR-WEB


[Diagram labels: DLR; DMZ - Web Logical Switch 172.16.10.0/24, App Logical Switch 172.16.20.0/24 and DB Logical Switch 172.16.30.0/24, each with Finance and HR tenants and gateway .1; COMMON MGMT Logical Switch 10.1.1.0/24; COMMON SVCS Logical Switch 10.1.2.0/24; SYSLOG, SNMP, STATS, NTP, DNS and AAA servers]

Access to shared services must be protected for all Tenants and Tiers

Security groups: SG-FIN-WEB, SG-HR-WEB, SG-FIN-APP, SG-FIN-DB, SG-HR-APP, SG-HR-DB, SG-SHARED-SERVICES


Q&A
