AWS: Regions and Availability Zones

AWS is available in multiple locations worldwide.

These locations are composed of regions and Availability Zones.

A region is a named set of AWS resources in the same separate geographic area.

Each region has multiple, isolated locations known  as Availability Zones.

Each region is completely independent and is designed to be completely isolated
from the other regions

Each Availability Zone is isolated, but the Availability Zones in a region
are connected through low-latency links. Availability Zones are physically
separated within a typical metropolitan region.


AWS Global-Infrastructure 

Open Stack High Availability Design

Below is the Openstack High availabilty Diagram. Its self Explanatory

Azure Datacenters

Azure is generally available in 24 regions around the world and has announced plans for 8 additional regions. Azure services are available in 140 countries. It supports 10 languages and 19 currencies. It has more than 1 million servers

AZURE REGION	LOCATION
Central US	Iowa
East US	Virginia
East US 2	Virginia
US Gov Iowa	Iowa
US Gov Virginia	Virginia
North Central US	Illinois
South Central US	Texas
West US	California
North Europe	Ireland
West Europe	Netherlands
East Asia	Hong Kong
Southeast Asia	Singapore
Japan East	Tokyo, Saitama
Japan West	Osaka
Brazil South	Sao Paulo State
Australia East	New South Wales
Australia Southeast	Victoria
Central India	Pune
South India	Chennai
West India	Mumbai
China East	Shanghai
China North	Beijing
Canada Central	Toronto
Canada East	Quebec City

Newly announced Azure geographies and regions

AZURE REGION	LOCATION
US DoD East	To be announced
US DoD West	To be announced
Germany Central	Frankfurt
Germany Northeast	Magdeburg
United Kingdom South	To be announced
United Kingdom West	To be announced
Korea Central	Seoul
Korea South	To be announced

Azure have modular blade servers in compute or storage role with around 50 servers with rack. These racks also have fabric controller. Around 20 racks make a cluster.All hardware in the cluster uses same generation processor.

This completes our datacenter blog

Microsoft Azure: Authentication and Authorization

Identity Management is one of the most important topic in cloud, especially in public cloud. This blog covers identity management for Microsoft Azure.

If you look at the customer that needs access to public cloud, there are three ways it can access cloud or we can say there are three types of customers: Large enterprise, small enterprise and someone working from home and accessing Azure.

lets start explaining each one of them
Large Enterprises: Integrating a Subscribers Own Identity Mechanism

uA large enterprise subscriber, authenticate with  own identity provider (step 1), in this case Active Directory Federation Services (ADFS).

uAfter successfully authenticating a user, ADFS issues a token. The client browser forwards the token to the Azure  federation provider that trusts tokens issued by customer’s ADFS (step 2) and,

u if necessary, performs a transformation on the Customers claims in the token into claims that  SAAS application recognizes (step 3) before returning a new token to the client browser.

uThe application trusts tokens issued by the Azure federation provider and uses the claims in the token to apply authorization rules (step 4). 

Small Enterprises:Providing an Identity Mechanism for Small Organizations

uA smaller company, authenticate with the Azure identity provider (step 1) because their own Active Directory can’t issue tokens that will be understood by the Azure federation provider.

uIf the Azure  identity provider can validate the credentials, it returns a token to the client browser that includes claims such as the user’s identity and the tenant’s identity. The client browser forwards the token to the Azure federation provider that trusts tokens issued by azure identity provider (step 2)

uIf necessary, performs a transformation on the Azure identity provider claims in the token into claims that SAAS Application recognizes (step 3) before returning a new token to the client browser.

uThe application trusts tokens issued by the Azure federation provider and uses the claims in the token to apply authorization rules (step 4).

 working from home and accessing Azure:Integrating with Social Identity Providers

ufederation provider is configured to trust tokens issued by a third-party identity provider, such as an identity provider that authenticates a Microsoft account or OpenID credentials. Ycompany plans to use Windows Azure Access Control to implement this scenario.

uWhen an individual user authenticates with his or her chosen identity provider (step 1), the identity provider returns a token to the client browser that includes claims such as the user’s identity.

uThe client browser forwards the token to the Azure federation provider that trusts tokens issued by the third-party provider (step 2) and

uIf necessary, performs a transformation on the claims in the token into claims that Azure application  recognizes (step 3) before returning a new token to the client browser.

uThe application trusts tokens issued by the federation provider and uses the claims in the token to apply authorization rules (step 4). When the user tries to access their surveys, the application will redirect them to their external identity provider for authentication.

Openstack Architectural diagram

Nova Compute- Openstack

Above is the architecture of Nova Compute. Let me explain the above architecture  little bit

Nova-api: it accepts and responds to end user api calls

Nova-compute process is just a worker daemon that creates and terminates virtual machine instances via the hypervisor api's like VMware api

Nova-volume manages  the creation, attaching and detaching of z volumes to compute instances like Amazons elastic block storage.

Nova-network accepts networking tasks from the queue and then perform tasks to manipulate the network.( such as setting up bridge interfaces or changing ip tables now Neutron)

Nova-schedule process takes virtual machine  instance requests from the queue and determine where it should run, specifically which compute host it should run on

Queue ( RabbittMQ) provides a central hub for passing messages between daemons

SQL database stores most of the build-time and run-time state for cloud infrastructure

Keystone – OpenStack Identity Service

Openstack Identity service is known as Keystone.. Keystone services for authenticating and managing user accounts and role information for our OpenStack cloud environment.Identity service is responsible for  the authentication and verification between all of OpenStack cloud services and is the first service that needs to be installed within an OpenStack environment. The OpenStack Identity service authenticates users and tenants by sending a validated authorization token between all OpenStack services. This token is used for authentication and verification so that one can use that service, such as OpenStack Storage and Compute. Therefore, configuration of the OpenStack Identity service must be completed first, consisting of creating appropriate roles for users and services, tenants, the user accounts, and the service API endpoints that make up the  cloud infrastructure.

Above diagram is an illustrates how identity service comes into production by following phased manner approach.

Installing Keyston – OpenStack Identity Service

We wont be covering configuration and commands in this blog. 

First you would need to create a controller node. in this controller node, you would need to install keystone and its back end Mariadb Database. Connect the two together and your server is ready

Once the keystone server is installed then we would need to create tenant, users and roles

A tenant in OpenStack is a project, and the two terms are generally used interchangeably.tenant has its own resources like users, images and instance as well as networks.Users can't be created without having a tenant assigned to them, so these must be created first. each user then needs roles to be assigned to them like admin role etc. 

Now we would need to define service endpoints. what is a service endpoint?

Each service in our cloud environment runs on a particular URL and port—these are the endpoint addresses for our services. When a client communicates with the  OpenStack environment that runs the OpenStack Identity service, it is this service that returns the endpoint URLs that the user can use in an OpenStack environment. To enable this feature, we must define these endpoints. In a cloud environment, we can define multiple regions. Regions can be thought of as different datacenters, which would imply that they would have different URLs or IP addresses. Opentsack identity service can be configured to service requests on 3 URLS:

1) Public URL: for end users

2)Admin URL: For administration

3)Internal URL: URl for behind the firewall, for private cloud

Now that the service endpoints are created, we can configure service endpoints so that our otherOpenStack services can utilize them. To do this, each service is configured with a username and password within a special service tenant. When setting up a service to use the OpenStack Identity service for authentication and authorization, we specify these details in their relevant configuration file.Each service itself has to authenticate with keystone in order for it to be available within OpenStack. Configuration of that service is then done using these credentials. 

Once its done you are done with identity service

VMware vRealize: Cloud Cost

VMware vCloud Suite contains these integrated products:

• Infrastructure Platform: VMware vSphere®: Industry leading server virtualization platform.
• VMware vRealize™ Operations™: Intelligent performance, capacity, and configuration management for vSphere environments.
• VMware vRealize Automation™: Self-service and policy-based infrastructure and application provisioning for vSphere environments.
• VMware vRealize Business™: Automated costing, usage metering, and service pricing of virtualized infrastructure for vSphere environments.
• Disaster Recovery Automation with VMware vCenter™ Site Recovery Manager™: Policy-based disaster recovery and testing for all virtualized applications.

The Overview dashboard provides a high-level overview of your Cloud cost and demands.

Click on Overview menu item to load the vRealize Business main dashboards.

This dashboard is divided into 3 columns:

1. Total Cloud Cost - Total cost and cost per driver (component) with insight to Operation Expenses and Capital Expenses.
2. Operational Analysis - Average cost per VM and cost of each compute resource.
3. Consumption (Demand) Analysis - VM Count in your private Cloud and the distribution of costs between the Business Units based on their consumption.

The Operational Analysis tab provides a detailed overview on server costs. On the top of the screen you can see the current month cost and the monthly cost trend of each component. The pie chart on the right shows the percentage distribution of these components

The Comsuption Analysis tab details which resources each Business Unit consumes by VMs and Projects with breakdown to Compute resource.

You can now review the cost details of each BU clicking on Consumers List.

CLOUD COSTS DRIVERS

vRealize Business Standard categorizes the cost drivers into Server Hardware, Storage, Licensing, Maintenance, Labor, Network, Facilities, and Additional Costs. The cost driver data that you provide is the monthly cost except for the server hardware cost and storage array hardware cost.

MODIFYING PRIVATE CLOUD COSTS

You can modify the cost drivers of your data center. These costs can be in terms of percentage value or unit rate, and might not always be in terms of the overall cost. Based on your inputs, the final amount of cost drivers is calculated. If you do not provide inputs regarding cost drivers, the default values are taken from the reference database, which is part of the vRealize Business Standard product.

Click on Edit Cost

You can edit the total operating system licensing cost and VMware license cost of your cloud environment. You can edit the license cost by either selecting the ELA charging policy or selecting the per socket value.

SETTING UP PRICES FOR CLOUD SERVICES

You can set and edit the virtual machine price. You can define price manually or by creating policies based on vRealize Automation, vCloud Director, and vCenter Server categorization.

On the next steps you will understand how to edit cloud prices.

1. Click on Consumption Analysis menu item.

1. Click on Consumption Overview.

From now you are able to modify the Services pricing.

1. Click on Edit button

2. Click on Edit edit Pricing

You can select pricing mode whether you want define price manually or create policies to define the price, which enables to calculate virtual machine cost. You can define the price in two modes - Basic and Advanced. In Basic mode, you enter the price manually and in Advanced mode, you set the price by creating policies based on vRealize Automation, vCloud Director, and vCenter Server.