Multicloud Storage As A Service Using VRealize Automation And IBM .

Getting started: Storage as service in multicloud environmentusing IBM Spectrum Virtualize for Public CloudThis section describes the essential end-to-end storage as a service solution buildingmaterial.IBM Spectrum Virtualize for Public CloudIBM Spectrum Virtualize for Public Cloud is a version of IBM Spectrum Virtualize that isimplemented in a cloud environment, such as IBM Cloud and AWS Cloud. This paperdiscusses IBM Spectrum Virtualize for Public Cloud running in AWS Cloud.Designed for software-defined environments, IBM Spectrum Virtualize for Public Cloudrepresents a solution for public cloud implementations and includes technologies thatcomplement and enhance public cloud offering capabilities.IBM Spectrum Virtualize for Public Cloud provides for the deployment of IBM SpectrumVirtualize software in public clouds, starting with IBM Cloud and is now available in AmazonCloud. IBM Spectrum Virtualize for Public Cloud on AWS and IBM Cloud provides a monthlyBYOL license that is acquired from IBM passport advantage to deploy and use IBM SpectrumVirtualize for Public Cloud in Amazon Cloud and IBM Cloud to enable hybrid cloud solutions.This offers the ability to have storage as service in a multicloud environment.Table 1 lists the components of IBM Spectrum Virtualize for Public Cloud.Table 1 IBM Spectrum Virtualize for Public Cloud at a glanceItemsOn AWS CloudOn IBM CloudStorage supportedAmazon Cloud EBS blockstorageIBM Cloud Performance andEndurance block storageLicensing approachSimple, flat cost per managedterabyte. Monthly licensingpurchased through IBMSimple, flat cost per managedterabyte. Monthly licensingPlatformIBM Spectrum Virtualize forPublic Cloud on AWS installedon EC2 instanceIBM Cloud bare-metal serverinfrastructureIBM FlashSystem 7200IBM FlashSystem 7200 is designed to deliver flexible, affordable scaling and performance: Support of NVMe over Fabrics provides for the highest end-to-end storage performance Utilization of IBM FlashCore -enhanced storage media provides extraordinary flashdensity and storage capacity while achieving low latency in microsecondsFlashCore Modules (FCM) utilize powerful inline, hardware-accelerated compressiontechnology that provides consistent data compression without performance impact across thefull range of workloads. The FCMs are designed to support FIPS 140-2 Level 1 encryption.Built-in flexibility allows you to choose various drive types, and supports all three drive typessimultaneously within the array: FCMs in multiple capacitiesIndustry-standard NVMeNew Storage Class Memory (SCM) drives3

Scaling of capacity and performance is dynamic with always online high-performance datacompression in the FCMs or with the Data Reduction Pool (DRP) technology using industrystandard drives. Effective capacities can range up to four petabytes (PB) in a single 2Uenclosure, with the ability to cluster, scale-out, or scale up capacity and performance to 32 PBand eight million input/output operations per second (IOPS).Each controller contains a hardware compression accelerator based on Intel QuickAssisttechnology with an available second accelerator. Flexible host interface options include: 16 Gbps or 32 Gbps Fibre Channel with FC-NVMe support25 Gbps Ethernet with iSCSI, iWARP, RoCE support, and 10 Gbps iSCSIUp to four IBM FlashSystem 7200 arrays can be clustered and operated as a singlesystem, with 12 Gb, 24 Gb, and 92 Gb SAS expansion enclosures available. It can supportup to 760 SAS drives per array controller, 96 NVMe, and 2,944 SAS drives per 4-wayclustered systemFor more information about IBM FlashSystem specifications, refer to the following stem-7200For the purposes of this paper and lab environment, the IBM FlashSystem 7200 is deployedat an on-premises environment. The IBM FlashSystem 7200 combines the performance offlash and the Non-Volatile Memory Express (NVMe) protocol with the reliability and innovationof IBM FlashCore technology and the rich feature set of IBM Spectrum Virtualize in onepowerful new storage platform for your data-driven multi-cloud enterprise.IBM Spectrum ConnectIBM Spectrum Connect empowers storage teams and other stakeholders by enablingprovisioning, monitoring, automating, and orchestrating of IBM block storage in containerized,VMware, and Microsoft PowerShell environments. It offers the same UI for many solutionsand environments for a consistent experience. It helps organizations simplify cloud complexityand is available by entitlement to every IBM block storage customer.VMware vRealize Orchestrator and vRealize AutomationvRealize Orchestrator is one product from VMware that enables the orchestration of theinfrastructure and with the help of IBM Spectrum Connect. It involves IBM storage systems inthe orchestration.The integration of vRealize Orchestrator with vRealize Automation takes the service aroundinfrastructure beyond orchestration. The Advanced Service Designer feature of vRealizeAutomation with the integration of vRealize Orchestrator enables an organization to offerXaaS to its users. By using the XaaS feature of vRealize Automation, IBM SpectrumStorage System (whether at on-premises or at Public Cloud) can be delivered as storageas a service.4Multicloud Storage as a Service using vRealize Automation and IBM Spectrum Storage

End-to-end business solution architecture for storage asserviceFigure 1 shows the high-level architecture for building storage as a service in a multicloudenvironment using IBM Spectrum Virtualize for Public Cloud and vRealize Automation. Thispaper describes the storage as a service with IBM Spectrum Virtualize for Public Cloudrunning in AWS, but same architecture can be used for IBM Spectrum Virtualize for PublicCloud running in IBM Cloud.Figure 1 High-level architectureIBM Spectrum Virtualize storage familyIBM Spectrum Virtualize for Public Cloud is a software-defined storage solution that helpsspeed delivery of data across the organization and adds extreme flexibility to clouddeployments. IBM Spectrum Virtualize for Public Cloud virtualizes the Public Cloud blockstorage in public cloud environments delivering easy data management and enterprisecapabilities, such as remote mirroring and IBM FlashCopy for a host of different deploymentplatforms. IBM Spectrum Virtualize for Public Cloud can be deployed on IBM Cloud orAWS Cloud self-service infrastructure as a service (IaaS), all within an Integrated DataManagement environment.IBM Spectrum ConnectIBM Spectrum Connect is a centralized cloud integration system that consolidates a range ofIBM storage provisioning, virtualization, cloud, automation, and monitoring solutions througha unified server platform.IBM Spectrum Connect provides a single-server, back-end location and enables centralizedmanagement of IBM storage resources for different virtualization and cloud platforms,including: VMware vCenter ServerVMware vSphere Web ClientVMware vSphere APIs for Storage Awareness (VASA)5

VMware vRealize Operations ManagerVMware vRealize Orchestrator (vRO)Through its user credential, storage system, storage space, and service managementoptions, IBM Spectrum Connect facilitates the integration of IBM storage system resourceswith the supported virtualization and cloud platforms. At the same time, it provides thefoundation for integration with future IBM systems and independent software vendor (ISV)solutions. IBM Spectrum connect can be managed through a standard web browser and agraphical user interface (GUI), or through terminal and command-line interface (CLI).vRealize Orchestration and vRealize AutomationvRealize Orchestrator from VMware enables the orchestration of the infrastructure and withthe help of IBM Spectrum Connect, it involves IBM storage systems in the orchestration.The integration of vRealize Orchestrator with vRealize Automation takes the service aroundinfrastructure beyond orchestration. The Advanced Service Designer feature of vRealizeAutomation with the integration of vRealize Orchestrator enables an organization to offerXaaS to its users. Using the XaaS feature of vRealize Automation, IBM Spectrum Virtualizefor Public Cloud Storage System can be delivered as storage-as-a-service.As shown in Figure 1 on page 5, vRealize Automation Center is installed and configured withthe required components. vRealize Automation can be configured with a built-in vRealizeOrchestrator server or the external vRealize Orchestrator server.In this example, the external vRealize Orchestrator is used and is enabled. Figure 1 onpage 5 shows how IBM storage systems are accessed and used from the VMwareenvironment through IBM Spectrum Connect.The storage administrator uses Spectrum Connect to select which IBM storage systems(arrays) and what storage resources should be available for use.IBM Storage Plug-in for VMware vRealize Orchestrator is installed and configured on thevRealize Automation appliance, which enables communication between the embeddedvRealize Orchestrator server, and IBM Spectrum Connect Server. IBM Spectrum Connect isconfigured with the details of the IBM FlashSystem Storage System and IBM SpectrumVirtualize for Public Cloud.6Multicloud Storage as a Service using vRealize Automation and IBM Spectrum Storage

The total integration of vRealize Automation, vRealize Orchestrator, IBM Spectrum Connect,IBM Spectrum Virtualize for Public Cloud, and IBM FlashSystem enables efficientprovisioning of storage resources in an overall IT process workflow in a multicloudenvironment. Logical configuration is shown in Figure 2.Figure 2 Solution Architecture overviewConfiguring on-premises siteThis section describes the benefits, features, and configuration overview of IBM FlashSystem7200.Configuring IBM FlashSystem 7200The IBM FlashSystem 7200 system that is used in the lab setup is configured with 243.2 TB flash drives. The drives are configured as Tier 0 with IBM Easy Tier .To view the system overview page, log in to the IBM FlashSystem 7200 GUI. Then, log in tothe cluster IP address by using a supported web browser and click System (see Figure 3 onpage 8).7

Figure 3 IBM FlashSystem 7200 Login windowUse the following guidelines to move through creating a pool to mapping a volume:1. Click Pools Internal Storage, as shown in Figure 4.Figure 4 IBM FlashSystem 7200 disk information2. Next, create a pool. Click Pools Create Pool and follow the Create Pool wizard. Assigna managed disk (MDisk) to the pool, as shown in Figure 5.Figure 5 Creating IBM FlashSystem 7200 pool8Multicloud Storage as a Service using vRealize Automation and IBM Spectrum Storage

After the pool is created, create a VDisk and map the VDisk to the Windows host:1. To create a VDisk, click Volumes by Pool Create Volumes, as shown in Figure 6.Figure 6 IBM FlashSystem 7200 volume creation2. In the pool-creation window, as shown in Figure 6, select the pool and provide volumeinformation, such as the capacity and name for the VDisk. Also, select whether you want athin-provisioned volume or a thick volume, and if de-duplication must be enabled ordisabled.3. Then, click Create and Map, as shown in Figure 7. Follow the instructions that areprovided by the wizard and map the volume to the Windows host at the on-premises site.Figure 7 Creating and mapping volume9

Installation of IBM Spectrum Virtualize for AWS CloudThis section describes the high-level installation steps for IBM Spectrum Virtualize for PublicCloud. In the proof-of-concept solution lab test environment that is described here, atwo-node IBM Spectrum Virtualize for Public Cloud cluster is configured.Installing IBM Spectrum Virtualize for Public CloudThe high-level architecture of IBM Spectrum Virtualize for Public Cloud in AWS is shown inFigure 8.Figure 8 High-level architecture for IBM Spectrum Virtualize for Public Cloud on AWS10Multicloud Storage as a Service using vRealize Automation and IBM Spectrum Storage

As shown in Figure 8 on page 10, the installation can be done in an existing VPC or a newVPC. The installation is done by using the AWS Marketplace (see Figure 9).Figure 9 AWS Marketplace for IBM Spectrum Virtualize for Public CloudTo install IBM Spectrum Virtualize for Public Cloud, complete the following steps:1. Select the network and availability zone, as shown in Figure 10.Figure 10 AWS Marketplace for IBM Spectrum Virtualize for Public Cloud (Network Configuration)2. Select the EC2 configuration (the three types of EC2 are supported). The details of thesupported EC2 configurations are shown in Figure 11.Figure 11 EC2 instance types11

3. After the deployment is completed, the output is displayed (see Figure 12).Figure 12 Cloud formation template outputIBM Spectrum Virtualize for Public Cloud cluster login and GUI accessLogging in to an IBM Spectrum Virtualize for Public Cloud cluster is almost the same processas logging in to a node. You replace the service IP with the cluster IP. Log in to the cluster witha GUI by using your browser, as shown in Figure 13.Figure 13 IBM Spectrum Virtualize for Public Cloud on AWS loginWith the GUI, you are guided through the steps that help you to complete your clusterinstallation.12Multicloud Storage as a Service using vRealize Automation and IBM Spectrum Storage

Configuring back-end storage for IBM Spectrum Virtualize forPublic CloudIBM Spectrum Virtualize for Public Cloud uses the back-end storage that is provided by AWSCloud EBS Volume as an external MDisk.To order back-end storage, log in to the AWS console:1. Click Elastic Block Storage Volumes Create Volumes, as shown in Figure 14.Figure 14 AWS Console with EBS volume details2. Select the volume type and size of the volume required, as shown in Figure 15.Figure 15 EBS Create volume on AWS ConsoleThe two volumes created and highlighted in red (as shown in Figure 14) are virtualizedbehind the IBM Spectrum Virtualize for Public Cloud on AWS.As shown in Figure 16, two Pools are created on IBM Spectrum Virtualize for Public Cloud onAWS, and each Pool includes one assigned MDisk. The MDisk is the EBS external storagethat was purchased on AWS Cloud.To create a pool on IBM Spectrum Virtualize for Public Cloud on AWS:13

1. Log in to IBM Spectrum Virtualize for Public Cloud and select AWS GUI Pools Create Pool (see Figure 16).Figure 16 Creating a Pool2. After the Pool is created, click Action Discover storage, as shown in Figure 16.The EBS volumes that are purchased on AWS Cloud and unused are visible underunassigned MDisk. To verify that the correct volume is added to the pool, check that the EBSVolume ID is the same volume ID as shown in the AWS Cloud console.Add storage in the form of MDisk to the Pool.Then, you can create a VDisk and assign the volume for host access that uses iSCSI.Configuring site-to-site IPSec VPN for hybrid cloud connectivityThis section describes how to configure hybrid cloud connectivity between the AWS Cloudand the on-premises environment. This section also describes lab setup and the steps toconfigure the site-to-site IPSec tunnel for communication between AWS Cloud and theon-premises site.Note: Although the logical steps for our use case is described in this section, theon-premises network configuration, infrastructure, and security policy can vary on acase-by-case basis. This section is intended to give a high-level logical example only.The high-level architecture for hybrid cloud connectivity between on-premises and AWS cloudis shown in Figure 17 on page 15.14Multicloud Storage as a Service using vRealize Automation and IBM Spectrum Storage

AWS CloudOn-premiseAvailability zoneNAT RouterEncrypted IPsec tunnelVPC172.16.0.0/16NAT GatewayPublic subnet172.16.2.0/24VPN Gateway10.1.240.9Private subnet172.16.1.0/24VPN Connection10.0.240.0/2410.0.240.9IP sec tunnel details:Local subnet: 10.0.240.0/24Remote Subnet: 172.16.1.0/24RouterIP sec tunnel details:Local subnet: 172.16.1.0/24Remote Subnet: 10.0.240.0/24Figure 17 Hybrid cloud network connectivity topology between AWS cloud and on-premisesAs shown in Figure 17, Virtual Private Cloud (VPC) in AWS is configured with a VPN gatewayand router for the CIDR block 172.16.0.0/24. The VPN gateway is required for establishingthe tunnel between the AWS cloud and the on-premises infrastructure. It acts as the defaultrouter for communication between AWS and on-premises systems. In AWS, all the computehosts and IBM Software-defined storage systems are configured with IP addresses in theprivate IP subnet 172.16.1.0/24.At the on-premises site, a network address translation (NAT) router is used (which is the corerouter) with a public IP address. That public IP address is NAT’ed to a private IP 10.1.210.9.The second router is a VyOS software gateway at the on-premises site that acts as a defaultgateway for a private subnet. The VyOS is used for the lab purpose to demonstrate that thePoC (in real-world organizations) can use their networking infrastructure.The VPN IPSec site-to-site tunnel creates a secure communication network between theAWS Cloud infrastructure and the on-premises infrastructure. Network communicationbetween the private subnets is controlled by the access control list that is populated when theVPN IPSec site-to-site tunnel is created.15

AWS configuration for VPN IP Sec tunnelThis section describes the various steps that are required at the VPC level in AWS cloud forestablishing the IP sec tunnel:1. Create customer gateway.Log in to the AWS console with the resource provisioning privileges and scroll down to theVirtual Private Network (VPN) section in the pane. Click Customer Gateways and enterthe required information, as shown in Figure 18.Figure 18 Customer gateway configuration in AWS2. Create Virtual Private Gateways.Click the Virtual Private Gateways section in the VPC and configure the requiredinformation, as shown in Figure 19.Figure 19 Virtual private gateway configuration in AWS3. Attach the Virtual Private Gateway to the VPC, as shown in Figure 20.Figure 20 Attaching Virtual private gateway to VPC in AWS16Multicloud Storage as a Service using vRealize Automation and IBM Spectrum Storage

4. Create Site-to-Site VPN connection in AWS console, as show in Figure 21.Figure 21 Creating VPN connection in AWS5. Select the Virtual Private Gateway and the Customer Gateway parameters that werecreated (as shown in Figure 19 on page 16 and Figure 20 on page 16).Two tunnels in the VPC are created in these steps and the same is used for the configurationat the other end of the tunnel.Configuring the VYOS router at on-premisesComplete the following steps to configure the VYOS router at on-premises location:1. Enable NAT-T.The address of the external interface for your customer gateway must be a static address.In the LAB configuration, we used the VYOS gateway that is behind a device that isperforming network address translation (NAT). To ensure that NAT traversal (NAT-T) canfunction, you must adjust your firewall rules to unblock UDP port 4500:set security vpn ipsec nat-traversal enable2. IPSec tunnel #1 configuration:a. Internet Key Exchange (IKE) configuration:set vpn ipsec ike-group AWS lifetime '28800'set vpn ipsec ike-group AWS proposal 1 dh-group '2'set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'set vpn ipsec ike-group AWS proposal 1 hash 'sha1'set vpn ipsec site-to-site peer 1.1.1.1 authentication mode'pre-shared-secret'set vpn ipsec site-to-site peer 1.1.1.1 authentication pre-shared-secret'mD2UOcZmKY23sX30u.Iox 0Fj GYcsEd'17

.1.1.11.1.1.11.1.1.1description 'VPC tunnel 1'ike-group 'AWS'local-address '192.109.81.204'vti bind 'vti0'vti esp-group 'AWS'b. Encapsulating Security Payload (ESP) erfaces interface 'eth0'esp-group AWS compression 'disable'esp-group AWS lifetime '3600'esp-group AWS mode 'tunnel'esp-group AWS pfs 'enable'esp-group AWS proposal 1 enc

The integration of vRealize Orchestrator with vRealize Automation takes the service around infrastructure beyond orchestration. The Advanced Service Designer feature of vRealize Automation with the integration of vRealize Orchestrator enables an organization to offer XaaS to its users. By using the XaaS feature of vRealize Automation, IBM Spectrum