configure and deploy the private cloud infrastructure student manual.pdf

7/27/2019 Configure and Deploy the Private Cloud Infrastructure Student Manual.pdf

1/57

Published: 8/9/2012

1

2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista, Windows Azure, System Center, Hyper-V and other product names are or may be registered trademarks and/or trademarks in the U.S.

and/or other countries. The information herein is for informational purposes only and represents the current view of Microsof t Corporation as of the date of this presentation. Because Microsoft must respond to changing

market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO

WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Microsoft Jump Start Course

Creating and Managing a Private Cloud with System Center 2012

Welcome back to the private cloud Jump Start; Creating and Managing a Private Cloud with System Center2012. Im joined again with Kenon in this next module as we go and we look at the infrastructure componentsand how we really optimize these for the private cloud.


2/57

Published: 8/9/2012

2







So looking at flow for the day weve covered the introduction, weve explained to you the basic concepts ofSystem Center 2012 and how it fits in with the vision for the Microsoft private cloud. We then have a moduletalking about how we actually configure the hardware, the raw hardware components to prepare them withSystem Center 2012 so looking at things such as storage, the networking and the computation power. In thisnext module were going to think about how do we then take these raw resources and really optimize them forthe private cloud, so Kenon, why dont you talk a little bit more about what were going to cover in this module.

Kenon: Great, so like I said we built this private cloud infrastructure with all the components and now what weregoing to do is pull it all together and really create your private cloud that you can then use for deployingapplications, delegating out to everybody and really this is the foundation for what you need before you canstart doing all the things you need to do in private cloud.


3/57

Published: 8/9/2012

3







So what were going to cover today in our session is four things basically. were going to cover the abstractionof taking these private cloud resources and abstracting them into being a be the private clouds and build theprivate clouds out of it, then were going to talk about the heterogeneity support or basically support forheterogeneous Hypervisors. We want to make sure that these cloud resources are accessed by the correctpeople and they only have access to the correct resources so well talk about access and then control what youdeploy on the private cloud. So those are the four things were going to talk about today and lets get started.


4/57

Published: 8/9/2012

4







All right so weve talked about this section, actually youve seen this a couple of times in both module one and a little bit in moduletwo but were going to focus on again configure and deploy but focusing on just at the private cloud resources and were focusing onthe infrastructure management here.

4


5/57

Published: 8/9/2012

5







Again you want to do this because you want to make sure that your infrastructure provides support for all thedifferent types of hypervisors you have out there, you want to be able to automate and build this platform forthis self service infrastructure and do it on your terms with whatever you need and however you need to do itto get those operational savings.

5


6/57

Published: 8/9/2012

6







All right so with module 2 we talked about how we took this diverse infrastructure and we were able to now dedicate our sharedresources and pull them to create this logical and standardized units. Now once we have those units were going to talk about all therest of the things were going to do with it today. Cloud abstraction, then also delegating pieces of that cloud to individua l users andgroups that need to access it and beyond that deploying these standardized set of services that you as an IT pro have control overwhere you dont give that control away and you protect your underlying environment but you give the self service users the flexibilitythey need to deploy the applications they want.

6


7/57

Published: 8/9/2012

7







All right so when youre building the private cloud and taking this bunch of infrastructure components andconverting it to a private cloud infrastructure weve got to worry about abstraction. Abstracting that underlyingphysical layer and pulling it up into something that we can now make basically compute resources and logicalunits that we can assign to different clouds. And we do that by supporting multiple different types ofhypervisors, whether its your VMWare, your Citrix and your Microsoft Hyper V obviously, pulling those alltogether using them to create these cloud abstractions. Once weve managed and created these private cloudswe want to ensure that the right people have access to these clouds we dont want any one user to monopolizeall the cloud unless we know that thats okay, we give them the permission to do that. And then lastly we want

to have control over what they deploy on these clouds.

Symon: Now one question I get asked a lot is about we talk about breaking this down into multiple individualclouds within one large private cloud what would be an example of why a customer would want to create lots ofsmall individual clouds out from their large private cloud?

Kenon: So I have a big pool of resources and that pool of resources has to support my finance organization, myHR, my sales, my IT regular just infrastructure resources and I may want to take instead of having everybodyshare all of my resources I may want to split separate components and have just the finance department use a

7


8/57

Published: 8/9/2012

#







pool of resources and give them a cloud for just them to use. I may want to have my sales and my HR share the sameresources but I want to separate them and create some logical separation between them and I can use the cloudconcept to do that.

Symon: So essentially give them more granular control from this large cloud into individual smaller clouds.

Kenon: Exactly and I have lines of businesses and they may pay for a certain amount of resources to me if I want toprovide some type of charge back way, this would allow me to say, okay, youve paid for this amount of resources, letme block that off and dedicate it to you if I need to. The other thing is, one of the great things about cloud is its veryexpandable, its fluid and you can add and subtract resources on the fly dynamically and well talk a lot about thatduring the rest of the session today.


9/57

Published: 8/9/2012

8







All right, so the first thing we want to do is we want to build that private cloud we want to do it our way andwell do this through abstraction of the resources.

8


10/57

Published: 8/9/2012

9







So taking that logical and standardized resources and creating this cloud abstraction, right here what were really focusing on istaking those

9


11/57

Published: 8/9/2012

10







Physical resources and basically building it into a logical group. And ifyou look at this slide right here, what were doing is were takingagain the clouds that we have for specific needs, they can be done formany different reasons, I already talked about maybe I do it bydepartment, the other thing is maybe I do it by location, I have a

couple of data centers across the world and maybe I want to have justclouds for each of those individual data centers to make it easier anddelegate administration at the cloud level to those particular users. Ican delegate it also as far as role type, maybe I have a developmentcloud, I have a production cloud so I can create multiple differenttypes of clouds all depending on whats actually important to my

10


12/57

Published: 8/9/2012

#







business and every business is going to have a different need and theyregoing to be organized differently and so by being flexible you can choosehow you want to organize this cloud to fit your business needs.

So I created clouds for those specific needs I can view whats beendeployed within the cloud so view it as far as the entire set of resources or Ican do it at an individual cloud level. This allows me to say okay in mydevelopment environment these are the different resources I have and I cansee everything if Im logged in as an administrator or maybe I want to

delegate particular administration to particular users, they will only be ableto see the clouds that they have access to and they will only be able to seethe services that they have access to in there.

And then lastly because the cloud is just this logical representation ofresources I can overprovision and I can provision across multiple differentcloud resources so well show you all about what this means but really it

means that I can create a cloud and I can assign way more resources to thatcloud then I have physical resources to support it and over time I can addmore and more resources to fulfill that need and it will allow me to basicallyset up for what they need maybe in the future but deliver what they needto use now. So that elastic capability of cloud is built in to how I can


13/57

Published: 8/9/2012

#







provision out this cloud environments.

/ /


14/57

Published: 8/9/2012

11







So when I create a cloud theres a few things that I have to thinkabout, one of them is what are the physical hypervisor resources thatIm going to use well Im going to use things like my servers whethertheyre hyper V servers or VMWare servers or Citrix servers Ive got totell them which physical hypervisors its going to use, which host

within the host groups its going to be using for that cloud. That way Ican aggregate different pools of resources so I may have VMWareservers and I may stick them in their own host group, I may haveHyper V servers, I may stick them in their own host group or I mayhave them combined together, either way it doesnt matter, I can justchoose by clicking the check box on whichever host resources I want

11

P bli h d 8/9/2012


15/57

Published: 8/9/2012

#







to use for this particular cloud. And if I use it for one cloud that doesntpreclude me from using it for another cloud I can have multiple cloudsshare the exact same physical pool of resources.

Symon: So what would be the benefit of then having two separate clouds iftheyre sharing the same group of resources?

Kenon: Because later on maybe Ill want to split them, later on maybe Illbuy just a set of servers that I want to dedicate to a different one of thoseclouds I dont want to lock myself into something I want to be able tospread out and expand as my business needs change and by allowing themto share resources initially and then I can pull them out later, it doesntpreclude me from doign that.

Symon: It gives you a lot of flexibility right?

Kenon: Exactly and also we talked about in module 2 about these logical

P bli h d 8/9/2012i f


16/57

Published: 8/9/2012

#







networks and within the cloud I choose which of those logical networks areavailable to my clouds that I assign it so if its a development cloud Im notgoing to give it production network resources, Ill just give it the

development one. And so I can choose when I create these clouds whichnetwork resources they have, the other thing is I can choose what storageis available to this cloud. So when I deploy those virtual machines, we againtalked in module 2 about the fabric and the infrastructure components thatthe different pieces of storage that I can classify them and while I canassign those classified storage to individual clouds and if there are

resources that I can have access to that cloud theyll be able to show up inthere. and this is a great thing in that I have different host groups that Iveassigned and if I didnt assign at least in classified storage to those hostgroups then I wouldnt see them in this window so were only showing thestorage that the host group that weve assigned to can actually see. Werenot going to show you every single classification out there because someof them may not be accessible by the underlying storage.

P blished 8/9/2012Mi f J S C


17/57

Published: 8/9/2012

12







So I add those things as well as you know the library and the capacity and this allows me to set up how much ofthe resources I can access by this cloud. So I could have two different clouds share the same physical set ofresources but I can put limits on maybe how many virtual machines they create or how much storage they canuse within that pool of resources because maybe Im a small organization and I have a blade chassis and I filledit all up with servers that Im going to use for virtualization I can create one big host group, have all thoseservers in there and say okay, half of the compute resources are going to go to this guy and half are going togo to that guy but theyre all using the same pool of resources so whoever needs the resource when theyreavailable will be able to take them and use them.

So I could place limits around the physical resources that are consumed and I could dynamically adjust this, youknow over time maybe I set up for 400 virtual CPUs like in the script right here but over time the project thatwas being deployed in this cloud grows and grows and needs more cloud resources well I can just provisionmore, I can give them more capability or capacity to run more of those resources without having to stopeverything, shut everything down or anything like that.

Symon: So no service downtime here, you can just keep adding resources, throwing it into the cloud and yourexisting components stay up and running.

12

Published: 8/9/2012Mi ft J St t C


18/57

Published: 8/9/2012

#







Kenon: Exactly and if they come up and they start deploying resources then when they get to a certain point if theycant deploy anymore they can just use service manager or something like that to create a request for hey, I need moreresources and then once they get those resources we can then automatically through say an Orchestrator run book orsomething provision out more or give them higher level capacity or something like that.

Symon: So what youre saying is if Im a customer and Im requesting lets say 50 new VMs that require 100 GBs of RAMand my cloud capacity only has capacity for 25 even though theyre not going to immediately be able to fulfill thatrequest we could still send a ticket up to the help desk, through service manager, the help desk can say, hey, this groupor customer needs these resources and then they can go dynamically provision it, resolve the ticket.

Kenon: Exactly or they may have given them 1000 gigs of RAM that they needed and I only have 150 provisioned I canbe monitoring how much is being used and as they start deploying more and more servers as I find Im coming closerto that threshold and Im going to run out of resources so what is the next thing Ive got to do, well Ive got to provisionmore servers out there and I can be proactive and expand my cloud as the resources are being used instead of buyingfor peak I can buy for whats being used right now.

Published: 8/9/2012Mi ft J St t C


19/57

Published: 8/9/2012

13







And then lastly I can choose the types of VMs that this control that can be deployed in this cloud if it is a mixedhypervisor environment maybe I only want them deployed to hyper V or to VMWare servers, well I can choosethat or I can choose both and I can also create capabilities profiles, now these capability profiles allow me tocreate VMs definitions of what size VMs that they can create. So I may have a silver VM packet which says oneor two virtual CPUs for up to 2 gigs of RAM and maybe a 40 gig hard drive. Then I may have a gold capabilityprofile that says these VMS can be up to 4 virtual CPUs, up to 9 gigs of RAM and 120 gig virtual hard drive. Anddepending on the environment and maybe you know who bought this cloud or how I created this cloud I canassign these different capability profiles in there so that these individual set deploy applications will get what

they paid for so I have a lot of control now over what gets deployed. So I can set constraints and limits aroundwhat that VM is going to look like in capability profiles. And by attaching this to cloud I can control what size ortype of VMs these people can create. Now, one of the things that were talking about clouds here, were goingto talk a little bit later on in this session about how do I delegate access so the cloud level, that atomic unit is

just one place where I can set these limits Ill have two other places where I can set quota and well talk aboutthat too in the future.

13

Published: 8/9/2012Microsoft Jump Start Course


20/57

Published: 8/9/2012

14







So lets show you how that looks like and how to create a cloud, so Im going to flip over to my demo now.

Symon: And what components are you going to be showing in the demo?

Kenon: In this demo were going to be talking about the VMM components of System Center 2012 and if youguys were watching module 2 you can see now that extra node that we added at the end of the session hasbeen added into the cluster and its working and really fine with that. But lets flip over to these clouds and

services and what you can see here is that I have within VMM 2012 this new thing called clouds and insideclouds I have multiple clouds already created, one is administration cloud, a customer demographics, and ademographics cloud. And each of these clouds are separated by what types of resources they can access as wellas what actually is allowed to be deployed upon them. So if I wanted to create a brand new cloud its as easy asclicking create cloud. And well call this one Jump Start because thats where we are today and inside jump startwell go and choose which physical resources we want to use, well I want to pick just the admin servers thoseare some servers that I have specifically earmarked just for this resource today and as you can see we havehosts groups and host groups within host groups so I can choose whatever I want, if I want to pick these otherinfrastructure host group I can do that as well but Im just going to pick the admin servers. The other thing is

14



21/57

Published: 8/9/2012

#







these are the different network environments that I want to use and I can choose either development or Contoso orboth and give them access to those logical networks. Now when they deploy a machine it will just be serviced up aswhich network do you want to deploy to, development, Contoso, you pick easy to deploy. Any of the load balancers Ihave, I want to choose one of them, I can pick the storage that I want to be used and Im only going to pick thesecondary storage, I dont want these people in this environment to deploy to the primary storage, my high end storage

I just want to pick that quick and easy storage for them to use. If I wanted to use any specific library information I canadd that here, or I can do that later on. Heres like I said the first place that I could specify capacity and for these guyswhat Im going to do is create the ability for them to create up to 50 virtual CPUs well, lets make it fun, lets make it 250virtual CPUs but theyre only going to be able to create up to, lets do 75 virtual machines. So they can deploy anycombination of virtual CPUs up to 250 or any number of virtual machine up to 75 but they wont be able to do both so Ihave the ability to set limit capacity that way. For capability profiles were going to give them the ability to deploy, theywere just hyper v servers there so well pick Hyper V and then hit go and it will create that cloud for me. So I have thiscloud created, its called jump start it has all the different resources that I created into it, but theres nothing in thereobviously because I just created it so I dont have any services or anything deployed inside of there.



22/57

Published: 8/9/2012

15







What happens if I want to do things like add more servers to this cloud, well lets talk about what we do withmulti-hypervisor support in this next section here. So flipping back to the session were going to talk aboutnow how do we leverage our heterogeneous environment, we had some poll questions earlier and theytalked that a lot of our customers are running multiple hypervisors within their environment, within theirinfrastructure, they have a lot of Microsoft, they have a lot of VMWare but they have a lot of customers thatare running both and

Symon: And Citrix as well, lets not forget

Kenon: Thats true, Citrix is very popular as well and we have customers running all three of these thingstogether and when you have these hypervisors deployed you want a central way of managing them so that itgives you a common use across all the different hypervisors, once theyre attached into VMM I can deployvirtual machines to any one of those hypervisors and it doesnt matter what it really looks like is this.

15



23/57

Published: 8/9/2012

16







We wanted to within System Center create a consistency with how we manage these multiple hypervisorenvironments by having a consistent look and feel when we deploy applications or services to these hypervisorsit will just deploy the right virtual machine to the right hypervisor, its not going to make you have to dosomething different if its VMWare as opposed to Citrix or as opposed to Microsoft.

Symon: So are you saying that there are no different wizards regardless of you know what youre doing?

Kenon: The wizards are the same, the things you click on are the same the differences will be in whats theunderlying VHD or VMDK file youre going to use for deploying that virtual machine, where is that template

coming from and well show you all about that through the next few demos that were going to do. The other

thing is that we want to simplify how a self service user or someone else thats not really familiar with the

underlining workings and the underlying infrastructure components to deploy the resources they need, when

they need them without having to worry about all that stuff and thats what were doing within VMM, the VMM

component is pulling all those things together.

16



24/57

/ /

17

2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista, Windows Azure, System Center, Hyper-V and other product names are or may be registered trademarks and/or trademarks in the U.S.and/or other countries. The information herein is for informational purposes only and represents the current view of Microsof t Corporation as of the date of this presentation. Because Microsoft must respond to changing





So if we look at virtual machine manager, I have a host group thats out there and I may have hyper v servers

that are already there, I may deploy some VMM servers and Ill connect to the Vcenter server or I may connect

straight to Citrix Xen Server environments so I have all these different virtual hypervisors that are out there

deployed and ready to go but I have this host group I can either one type of hypervisor or multiple types of

hypervisors. The host group is a unit that allows me to create separation for allocating to the clouds but it

doesnt force me into one type of hypervisor per host group. Then once I have these hypervisors within the host

group and Ive created the clouds and Im starting to deploy services and such, I can deploy services to any

one of the hypervisors, I can take that same service template and deploy it to another one of those hypervisors

only thing I would have to do is change what the underlying VHD, VMDK file Im using or I can deploy a servicethat kind of spans both of those hypervisors where maybe one of the tiers is on hyper V and one of the tiers is

on VMWare, we can allow you to have that f lexibility in how you create and deploy these virtualized

environments.

17



25/57

/ /

18






So lets show you how to bring in these heterogeneous hypervisors and in this example Im going to show youhow to through VMM manage your underlying VMWare infrastructure. All right, so switching back to the demohere what we see is that I have already in my host groups, I have a few different host servers within this hostgroup but I want to add now a new server and we showed you in module 2 how to add bare metal deploy of ahyper V server, well here we already have say a VMWare infrastructure created and if I look at my service here Isee that Ive already connected to a VM server so Im already connected to that server but I want to add moreVMWare servers that I have out there and bring them under management with VMM. So to do that I simplyunder add resources have to choose VMWare ESX host and clusters. For the run as account here, weve talked

about hat in module 2 but a run as account allows me to pre-save credentials that I can use to access differenttasks, well I need to log into that ESX server or ESX I server depending on what I have installed so Ive alreadycreated a Vsphere and run as account so Ill just use that account that gives me the root access into thoseboxes. And I hit next, it connects to Vcenter server and looks at all the different ESX servers that it has access toand it shows them up to me Ive already added it to my environment and I have these other two within myVcenter server so Ill just click on those to manage them, hit next here, choose which host group to put it in putin add in servers and then next and finish. At that point it will go through and connect to those servers andstart to add them into my VMM environment.

18



26/57

#






Symon: Now weve been asked if we support these Vsphere Ive actually had a few questions come through askingabout support for Vsphere 5.0 what is our story with that.

Kenon: So with VMM 2012 we support Vsphere 4.1 only so whatever Vcenter, were going to connect to Vcenter 4.1 and

then whatever servers that it can connect to and manage. Vcenter 5 actually came out when we were way late in ourVMM 2012 development cycle so what were going to do is as we update VMM 2012 to support Windows Server 8were going to look to see if we can support VMWare there. Cant guarantee that its going to be in there, we haventpublicly made that announcement but thats the plan that were looking at for something like that. So we are looking toadd those servers and if we look now under the administrative infrastructure and look at the admin servers we see that Inow have the hyper v server and these two ESX servers within that same host group and right now we are connected tothose servers but we still cant deploy virtual machines on them til weve done a couple of things so Ill do some of thatconfiguration so that we can see the types of things you have to do to get this thing up and running inside of VMM.

So the first thing I want to do is change this from okay limited to okay okay and to do that weve got to get the security

key connected and everything so if we look under management we can see that we need to pull down, retrieve thecertificate thumbprint and accept it, the other thing we need to do is under hardware we need to make sure that theVMM (?) the V switches map to our logical networks so we can deploy VMs to it. So under VMNic I have the ability tospecify do I want it to be Contoso or development, which network do I want to use, Ill say the development one and ifyou have a distributed virtual switch within Vsphere 4.1 we would also allow you to attach the virtual networks to that,the logical networks to that. Which means that we support both the stand alone VMWare networks or the distributedvirtual switches. Once I do those two things those are pretty much the main things I need to do to get this thing up andrunning, at that point I hit okay and do that for all the different ESX servers that I want to access. As you can see wemoved to okay for that one and if I run those through steps down here for this other one then Ill be able to use both ofthese for deploying virtual machines to as well.

Symon: Now while you do that, Im going to answer a question as well thats come up a few times the question is whycant we manage the ESX Ihost directly or those VMWare VMs directly, well the reason for that is VMWare hasntexposed its APIs for these individual hosts or for these individual VMs so we do need to connect through a Vcenterserver to go and manage that. So essentially the Vcenter server, thats exposed to APIs we talk to that Vcenter serverand then the Vcenter server goes and manages those ESXi hosts and the VMs themselves. However, whats the storywith Citrix, do we need Xen Center in there?



27/57

#






Kenon: So with Citrix we do not need Xen Center, we support Citrix directly and basically Citrix has an integrationcomponents that they built that you install inside of the Xen Center, I mean the Xen server and at that point it will makeit basically appear to VMM as another type of server that we can manage directly. We dont have to go through VMM orXen Center for that. The one other thing about the Vcenter server is that a lot of things that VMWare wrote areorchestrated or run through Vcenter and so without Vcenter you cant do things like live migration. Like with Hyper V Ican do live migration without VMM so theyre a little different in how theyve architected their environment whichmeans we have to use Vcenter server for those types of things. And if I have a VM thats up and running and I need tolive migrate it, if its running on ESX server, thats fine. I just hit right click on it, say migrate and it will migrate it from theoriginal Vmotion, it will Vmotion it from the original ESX to the other ESX so we support all those things as well once itsmanaged by VMM.

So I have these servers in there one of the things that people say is well Ive built my VMWare environment and Ialready have all these templates there. I dont want to take those templates with VMM 2008 I would copy that entiretemplate into the VMM library which means that every time I deployed a new VM it would have to copy the whole VMback across the network to the ESX server. Well what weve done with VMM 2012 is we allow you to leave the templateon the Vcenter server and what we do is import just the meta data of that template. By importing the meta data of thattemplate what that means is that we know what that template looks like whats the characteristics of the VM and whenwe want to deploy a new VM we just say hey VMCenter deploy it out for us, we dont have to connect to and copy thewhole VMDK and everything to the server. And how we do that is through our library.

Inside the library of VMM I have the ability to import a VMWare template when I click import VMWare template itshows me all the templates that Vcenter has available and we click on the ones that we want to import and so I havethese two templates here, ones a server template and the other one is an app server template, Im going to importboth of them and at this point were just basically taking that meta data pulling it in and we have them now as part ofour VM template list. And I can simply right click on this and create a new virtual machine from it, but what I want to dois and well show you why later on in this session is I want to basically create a new template off of that existing VMtemplate so Im going to go create VM template from that template, well call this one ESX template 01 as just a namethat we could use and we go through the different steps and it has all the information about that virtual machine that Icreated, two processors, a gig of RAM, as you can see it has the SCSI adaptor and everything set instead of having theIDE disk like we would see in Hyper V it has the SCSI attached virtual disk, high availability because its on a Vmotionavailable machine, you can pick the type of network that you want for it and in all those information will be there. butwhat you also see is that you can fill in all the VMM information as far as the operating system and things that were



28/57

#






going to talk about later like building the application stuff on there. so Im not going to finish this one right here insteadIm going to edit this template right here and do one thing that I have to do before I deploy virtual machines off ofthere and that is under the hardware configuration I have to say that the virtual hard disk contains the operating systemby doing that, now I can start deploying all new virtual machines off of this one template here.

All right, so thats multi-hypervisor management well show you a bunch of other stuff later on as we start creating new

services and those types of things in this session today, but I wanted to give you a grounding on how do we add thosehypervisors in there and how can we leverage them. Now that these servers are up and ready to go, the next thing andthe last thing I have to do is in my jump start cloud to take advantage of them, if I look at the properties here, underresources Im using that infrastructure group and now you see we have six servers instead of the two that were therebefore or six CPUs instead of the two that were there before but I have to change the capability profiles to really usethese servers Ive got to say that I can deploy VMWare ESX VMs on there. All right, so thats all I needed to do, thisguys ready to go to deploy new servers to that ESX box.



29/57

19






So now lets flip back and talk a little bit about, I put this cloud together, Ive managed the underlying accessthe next thing I want to do now is delegate who has access to these cloud resources that Ive created. So thatsan important aspect in that I want to ensure that the users that access my cloud are the right users and theyhave access to the correct resources and they only use what I allow them to use, I dont want them to just beable to create a bunch of VMs and use up all my resources so I need to have the ability to set limits to there.

19



30/57

20




p


And I do that by taking this cloud abstraction and delegating who has the capacity and access to it, carving up those different cloudsfor the different groups that I want to have access to like if I deployed this, in this example, the picture here, I have development andproduction well in production I may have both HR people and finance people using the same pool of resources I dont want them allto use all those resources, I may want to split it out because HR only bought a certain amount of resources so Im only going to givethem that much, they cant steal it from everybody else.

Symon: So is this the basic security model that the Microsoft private cloud uses as far as delegating access and control and is thatintegrated with Active Directory or how is that managed?

20



31/57

21




p


Kenon: So it is integrated into Active Directory and we have a couple of ways of managing it and one of them isthrough delegated administrator where they can be an administrator that has access to different resources ofthose resources they have administrative access or we can create what we call self service users and those selfservice users are can only see the clouds that weve given them permission to and then we can createpermissions off of there. All of those are set up by Active Directory accounts so in other words I create a userrole inside of VMM and that you fill it in with which Active Directory accounts have access to that role, whenthey log in they pick that user role and they have access to just those VMs.So lets take a look at what that actually means, I have both delegated administrator access which has the ability

to have administrative access to both host groups as well as clouds but only at the level that I specify for themor I have self service users and they have access just to clouds and they have the ability to specify how muchquota they have and what kind of actions they can take within that cloud.

21



32/57

22




p


So I have the ability to assign actions to these user roles; an action allows me to do things like deploy virtualmachines, start, stop, shut down, connect to, those types of things but it also allows me to specify as anadministrator as an IT guy, which types of virtual machines they can deploy, maybe I dont want them to authornew VMs so I dont give them that permission, maybe I want them to be able to deploy VMs but only fromexisting templates that Ive created I dont want them to say deploy a new VM and just start filling it out with abunch of different resources. I want to say, okay, these are the templates I have created, these are the ones thatyou can deploy. And I can give them that permission here, so I can specify different custom roles for differentusers, I can choose what actions they can perform and I can change that on the fly, maybe Ive given them

access to deploy VMs after theyve deployed their pool of VMs they need, I can pull that capability away andjust give them the ability of those VMs to start stop or something like that. And then lastly it uses ActiveDirectory users and groups when I create these different user roles and youll see that in the demo a fewminutes from now.

22



33/57

23




p


The other thing I can do is specify quota for these different machines so wehad the ability and we showed earlier that we were able to set quota at thecloud level well we also can set quota at the all members combined level. Thismeans that if I sum up all the different users that have logged in as this userrole, all the different number of virtual CPUs that theyve created, they cantcreate more then 100 virtual CPUs sum total across all of them. And if I wantedto I could limit that even further at the per user level and say that any oneparticular user can only create a certain number of VMs so in this examplehere I have 50 virtual machines that Ive created the limit on for this user roleat the all users level but any one user can only create up to 10 virtualmachines. So if Ive deployed 10 virtual machines unless I delete or archive oneof those virtual machines away from that system, I wont be able to deploy

23



34/57

#





anymore until Ive either added more capacity by modifying this or Ive deleted orremoved some of those.



35/57

24





All right, so lets talk a little bit about and show you what that actually means so Im going to flip over to theVMM machine again and show you how weve created these different delegated access for these cloudresources.

Symon: Now as youre switching over theres a question, what about Asman, authorization manager, how doesthis fit in with these different hyper v roles, virtualization roles?

Kenon: So VMM is different than a hyper V role, so VMM is what has access to the Hyper V machines anddeploys the systems, VMM we create the roles inside of VMM and VMM allows you to deploy these virtualmachines out but its not affected by the ASMAN role on a hyper V server itself as far as Ive used it.

So if we look here within VMM, I already have a few different user roles created, I have a couple delegatedadministrator roles, I have obviously the administrator role and a couple of self service user roles already. So tocreate a user role lets create a new user role that will access that cloud that we were going to create on that wecreated earlier. So Im going to call this jump start users and inside of there we have a and were going to usethis self service user, were going to pick the Active Directory users that we want to add inside of here so we will

24



36/57

#





add, if we go to HR, sorry, cloud users which would be an Active Directory group or I could add in a particular user likecloud admin 02. and so I can add both users and groups into this particular user role. Under next I pick the scope, Imgoing to choose just the jump start cloud so if I log in as a member of this user role I only have access to the jump startcloud and all the resources that Ive been given through quota on there. and if we go to the next slide we see thedifferent quota, heres where we created the limit of 250 virtual CPUs we can use that limit or we can cut things down

and if we look inside of this graph here we also have the ability of number of virtual machines 75, well I may only wantthis user role to create, like we showed in the slide deck, 50 virtual machines. And then any one particular user Im goingto give them the ability to only create 4 VMs. So any one user can create 4 VMs, sum total of all VMs created within thiscloud can be 50 or I hit the 250 VCPU maximum within there, depending on how I create things out I may do that,probably wont.

Then I can choose any particular types of resources this person has access to, well I want to have access to thesecustomer demographic services that Ive created and lets add a couple of these other VM templates and hardwareprofiles. So I have given them access to these particular resources and then next is what kind of activities or actions theycan create, well I want them to be able to deploy but only from a template, I want to give them the ability to connect to

the virtual machines they create, so remote connection, and then I just want them to be able to start, shut down, andstop and I want them to be able to store and redeploy. By creating store, re-deploy that means they can store it in thelibrary so it wont count against their quota and they can re-deploy it later on when they want it. If I take that away theonly way to free up quota would be to delete virtual machines. If I wanted to add any particular run as accounts I coulddo that then and then finish. So at this point its created a brand new resource group called jump start users and this

jump start user role has the ability to do just certain tasks.

Symon: Now I had a question that came in about sharing these roles and sharing these accounts between the differentSystem Center components so for example accounts that I created in VMM can I use those in operations manager, isthere any shared infrastructure there?

Kenon:Each System Center component has its own user roles or identity management so if I created a user called cloudusers here or jump start users here, that doesnt get populated to operations manager or service manager within there.Now you could create Orchestrator run books that does those types of things but the people that are accessing VMMare probably not the same people that are going to be accessing operations manager. The user roles right here wouldbe something that would be effective for and well talk about it later in probably a couple of modules during the



37/57

#





application performance stuff where when you deploy a service when they log in to App Controller it will leverage theVMM user roles but each user role set is defined for that application or for that component.

Symon: Now what about if I used Active Directory and I created a group, lets say a cloud group, could I import all theusers of that entire group in that organizational unit into VMM and apply these security credentials across that wholegroup?

Kenon: so if I had an Active Directory group called cloud users and I created a user role and I added cloud users to thatand when the person logged into VMM if that was the only user role he was added access by, he would log into that if itwas multiple user roles it would give him a choice and so what it looks like is this, if Im a brand new user and I want tolog in, so Im going to log in to this user but I m going to specify credentials and Im going to log in as cloud admin 02and he was that individual user that I created when I logged in or when I added him to the users to the user role, if Ihave access to multiple user roles its going to give me a dialogue box like this and I can choose which user role I want

to choose and log in as and it will give me just those permissions so Im going to pick jump start users here which is theone that we just created and youre going to see a couple of things that are different then when you saw theadministrative view that I had logged in as administrator. And the first thing that youre going to notice is that some ofthe tabs or some of the workspaces just arent there. if we look down here at the workspaces we see VMs and servicesand library but we dont see that fabric which was right in between. File tab back to the administrator one we see VMsand services, fabric and library. So they do give you just contextual views of what you can see. The other thing if welook in VMs and services I dont see all those host groups or anything, all I see is the service or the cloud that Ive beengiven permission to see. And then lastly if I wanted to deploy a brand new service or VMs and I tried to deploysomething I would only see the VMs or the services that I have access to deploy. So if I go into library I can see just the

services that I have the ability to deploy if I right click on them I can configure deployment but were going to talk aboutthat in a few minutes here so what that all looks like but thats where I can specify and set up how each of theseindividual things, who gets access to what and what permissions and to be honest if I was a self service user Improbably not going to log into the VMM console but instead Ill log into App Controller and use that web front end tobe able to do this much more simply then get this complex UI for them.

Symon: Thats all self service of course, App Controller which is kind of a standard user, an end user without needing thisfull administrative access to manage all the hosts, the fabrics chances are youre going to use App Controller anyway.



38/57

#





Kenon: Exactly so lets flip back to the session here and start talking now about these services.



39/57

25





One of the benefits that weve added within VMM 2012 and for System Center itself is this focus on theapplication. A lot of customers deploy a lot of virtual machines, but those virtual machines are usually agrouping of virtual machines that are deployed together, I mean I usually have an application I have to deployand its going to take a certain number of VMs for the web front tier, some for the middle tier and thensomething for all the backend database like a SQL Server or something like that. So how do I bring all thosethings together and make it more simple to deploy these more and more complex type applications and thatswhat were trying to do with VMM 2012 in System Center 2012 is bring that focus on the application and not onthe individual virtual machines that are out there.

Symon: Well I think thats one of the big advantages that System Center brings to the table as well compared tosome competitive products you know, not only do we manage the fabric, the physical hardware, we manage theVMs but then we manage the applications that are running inside the VMs as well so we really do hit all thedifferent tiers, that deep depth monitoring and application insight.

Kenon: Exactly and not only do we hit them all but we correlate them together so I know when I deploy thisservice, its running on these hosts which means that I know that if theres a problem I can drill down quickly

25



40/57

#





into whats the problem with the infrastructure or was it a problem with the application on top of it


d l d h


41/57

26





and we do that by creating these service templates or this service model and lets say for a typical .NETapplication has multiple tiers and each of those tiers has different virtual machine requirements, maybe I have aweb tier that really requires not a lot of CPU or storage but maybe these a lot of memory or something likethat. Or I have an application tier that really needs a lot of CPU to chug away at something and then a data tierthat needs access to that high end storage. I can create different virtual machine templates and those templatesare different in VMM 2012

26


C i d M i P i Cl d i h S C 2012


42/57

27





Than what a normal application environment thinks about because in VMM 2012 its not just the OS and thehardware and the virtual hard disk but we also focus on the application thats installed in that tier. So I take thatdifferent tier that we have here the service template and it may consist of multiple virtual machine templatesbut each one of those tiers may have one or more virtual machines deployed and those virtual machines aredeployed on the cloud that I deploy it to.

27


C ti d M i P i t Cl d ith S t C t 2012


43/57

282011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista, Windows Azure, System Center, Hyper-V and other product names are or may be registered trademarks and/or trademarks in the U.S.and/or oth

configure and deploy the private cloud infrastructure student manual.pdf

Documents