The Azure announcement is the culmination of years of planning for Microsoft’s “software-plus-services approach to computing.” According to Debra Chrapaty, the woman who runs Microsoft’s data center infrastructure, plans started about four to five years ago to build out data center capacity for the new initiatives. The best place to build a new data center: Quincy, Washington – whose hydroelectric power and commitment to fiber made it a winner. (Click here for Mayor Hernberry’s update on the impact of the new data centers and apparently new wineries popping up in Quincy.)

Thank goodness for Microsoft. In this economy, we should all be grateful to companies that can still spend between $300 million to $700 million to build just one data center.

The session took place at the beginning of Partner Day. The “regular” conference sessions actually begin tomorrow. Today is spent focusing on partner issues and enablement.

The panel for this session included:

• Mark Chuang Group Manager, Product Marketing, VMware, Inc.
• Kenon Owens Staff Systems Engineer, VMware, Inc.

You have to remember that most of the Partners here are not vendors like ScienceLogic, but big and small shops that are selling IT, networking and now virtualization solutions into end-customer environments. For these guys, understanding what virtualization partner programs and tools are at NetApp, for example, is very useful. And many of these companies are already selling Microsoft software and surrounding services for Microsoft products. So if you’re VMware, what’s the message to these partners in the face of the Microsoft juggernaut?

Microsoft to partners: “You may not like to admit it, but you’re probably already in bed with us.”

VMware to partners: “Our hypervisor technology outperforms Hyper-V and Xen, especially at scale. And anyway, it’s not about the battle at the hypervisor. It’s about the V-services on top of the hypervisor – VMotion, Storage VMotion, DRS, etc.”

Interesting and what we all already know, or think we know. The scale issue is an interesting one – too soon for Hyper-V and who uses Xen? But also interestingly enough, no announcement or even talk about extending VMware management tools to other hypervisors. The point, as the VMware product marketing guy made a point of saying, is that the question they needed to answer used to be “Why Virtualization?” and now it’s “Why VMware?”.

One more tidbit – this survey run by VMware asking their customers:

What are the top 6 apps you are running on VMware today

• IIS
• Apache
• Active Directory
• SQL Server
• Sharepoint
• Exchange

That means, 5 of 6 are Microsoft applications. Certainly it makes it even more challenging for VMware to navigate a path here.

The change since 2004 – would have talked about why virtualize. And now why VMware. (Duh.)

Talking to partners – many of which already have a successful Microsoft business. How VMware enhances your existing Microsoft business.

Top 6 apps running on VMware today (5 of 6 are Microsoft applications)

• IIS
• Apache
• AD
• Sql server
• Sharepoint
• Exchange

Source: VMware survey

Esxi - VMware – true thin hypervisor; maximizes resources utilization (over 100% memory commitment – allows avg of 2:1 memory overcommit) – host system memory is usually the resource bottleneck – plus Advanced Scheduler runs VMs better under load and to a greater capacity (hard to show this part); performance acceleration – using binary translation (32bit), para-virtualization and Hardware Assist (for 64-bit)

(rvi – rapid virtualization indexing)

No parent partition that all hypervisors have to go through

Vs ms/xen

Parent partition – dom 0 => potentially problem at scale; i/o that could be a bottleneck

Hyper-v SPECjbb comparison

= 9 vms on VMware and hyper-v hypervisors

Outperform (CPU) by 50% - general purpose scheduler isn’t able to keep up? “got to be”

(cpu only test)

Also used VMmark – to demonstrate again that VMware is performance tuned and designed to run at scale vs Hyper-V

Size Does Matter:

Vmware ESXi: 32MB

Hyper-v – 2.6 GB

Xen – 1.2 GB

Hyper-V uses Microsoft Server Core – so the last two Patch Tuesdays had to make changes to Server Core (nothing to do with Hyper-V) but service interruption for Hyper-V.

VMware VMsafe – “Provides an unprecedented level of security” “virtual is more secure than Real” (uh oh – clearly didn’t read about the

*****************

VMware TEST:512 mb vms on server w/ 4gb ram –

7 vms - xensource (w/no memory overcommit)

6vms – hyper-v before error (w/no memory overcommit)

14vms - w/memory overcommit and management

Running sql io sim – heavy workloads

TCO – not just license; now ESXi is free – so hardware

809 - ESXi

871 – vi3 foundation ($995)

1168- vi3 enterprise ($5750)

1621 – hyper-v – 2x cost because of hw

Xen – 1618

Memory overcommit (89% in production vs. test/dev)

Survey – 37% of respondents at 2:1 RATIO OR HIGHER; real average is around 1.8: 1

*********************

This guy Mark sounds like a used car salesman:

“Always On, On Demand Data Center”

Hypervisor is very important but what is more important are the v-services on top of this. Manage shared, pooled resources. “Value Above the Hypervisor”

How does all this save “your customers” $$?

VMotion – saves cost on planned maintenance: no more overtime, no more time scheduling maintenance windows (see cost framework below)

10 (# of servers) x 6 (@ of updates) x [ (overtime cost 2hrs x $150/hr) + (scheduling downtime # of apps per server 15 x time spend scheduling per app 0.75 hr x $50/hr)] = $58,500

Same thing with using VMware Storage VMotion

Overtime cost + scheduling downtime + planning move + alternative tool cost - $68,750 (2.5 TeraBytes)

The Value of High Availability

- cost of lost business, lost work

- cost of lost productive time

4 hours of downtime x # of users per vm 10 x number of vms per host 15 x cost of user productive time $50/hr x failures per year in 10-host cluster 2 = $60K

(10 servers, 150 vms)

SAVINGS (using enterprise version)

Update management 149,760

HA 60K

DRS, VMotion Storage VMotion 187,250

808,259 – hw, power cooling, etc.

At TechEd this year, I gave a presentation called "21st century networking: time to throw away your medieval gateways." (Actually, I've given this same talk before, at events in Amsterdam, Brussels, Oslo, and numerous on-campus customer meetings. It's time to bring the knowledge to the masses.)

I described an idea of using IPv6, IPsec, NAP, and group policy to build a pretty slick replacement for clunky VPN gateways. Turns out we've been piloting this very idea on our internal corpnet. Like a good little bunny I got myself enrolled in the thing and -- pardon the unattractive gushing -- this thing rawks! Here's a brief rundown of the parts you'd configure on managed clients:

• Windows Vista Business (with Software Assurance), Enterprise, or Ultimate editions
• That are domain-joined
• Users run as non-admin
• Group policy applies numerous settings
• UAC is enabled
• BitLocker is configured to protect confidential information stored offline
• The Windows Firewall is enabled
• NAP is used for checking health
• Forefront Client Security for keeping malware off the box
• Smart cards for strong authentication of users
• IPsec is required for connection authentication and traffic encryption
• IPv6 is required for worldwide Internet connectivity
• A DNS suffix search list represents the data center name space
• Static IPv6 DNS servers provide name resolution for hosts in the data center

What does this give you? True anywhere access, anywhere in the world, directly to corpnet resources from managed and secure client PCs. The Internet has replaced private WAN links for good reason: enormous cost benefits. The only thing holding us back from fully utilizing this development has been a lack of way to enforce and monitor the security of clients not physically located within the corpnet. Well, those days are over. Now you can build PCs that are trusted just as if they were on the corpnet, without knowing or caring anything about the underlying network connections. And let me tell you, it's as addictive as a few other substances I could mention, but will refrain, since this is (I hope) a family blog :)

Maybe you've heard of the notion of "deperimeterization." Taken to its extreme, I think it's a bit silly. To put a SQL Server directly on the Internet is just plain stupid -- not because I don't think I could keep it protected, but simply because that's unnecessary risk. Only my web server -- and no one else -- should be talking to my SQL Server. But that web server will be in the same subnet as the SQL Server, and IPsec policies used also here will govern who can connect to the SQL Server. Warning to any and all network DMZs: your days are numbered!

Shrink your perimeter to that which really matters -- your data center. All your clients live (as we would say in the olden days) "on the outside of the firewall." Now then, there are two kinds of clients. Managed clients, as I described above, establish IPsec-authenticated/encrypted, group-policy-configured, NAP-enforced IPv6 connections directly to corpnet resources without going through any kind of access gateway. The router connecting you to your ISP is fully sufficient for blocking denial of service attempts. Be sure to follow my advice in "Configure your router to block DOS attempts," and then add two more rules to permit incoming port udp/500 and IP protocol 50 over IPv6. That's it. No NATing or other unnatural network acts are required (finally, you can stop lying to your significant other about why you squirrel yourself away in the computer room all those weekend nights).

Unmanaged clients will continue to use IPv4 to access published Web and Win32 applications through a gateway like IAG. Since you can't trust these clients nor can you trust the data they're throwing at you, you have to inspect and validate at the perimeter. You can take advantage of IAG's application-modifying capabilities to "wrap" security around poorly-written web apps; you can even download an ActiveX control to unmanaged clients to perform some basic health checking, policy enforcement, and cache clearing. None of these eliminates the final requirement to continue inspecting and removing malware from servers where users store data: Exchange, SharePoint, Office Communications Server, and file servers.

Machines are mobile, data is mobile. The mainframes and large desktop PCs of the past posses an effective security attribute: the heaviness of the machines. You couldn't easily saunter out the front door with a PC-AT in your pocket! These days, we all line our pockets with tiny little mobile phones stuffed with 16GB of storage. It's now a fact: data moves. And like water, data moves wherever it can, as rapidly as it can, often beyond your control if you don't prepare for that. With properly-configured and managed clients we can enjoy a single access and authentication experience no matter where the computer is physically located. For example: I can sit in my house and enter '"http://internal-web-site-name" in my browser. The DNS suffix search list adds the appropriate suffix, my browser's resolver performs an IPv6 name lookup, and my computer makes an authenticated and encrypted connection, after it meets the NAP policy, directly to that internal server. Very nice. As far as I'm concerned, there's no difference between the Internet and my corpnet. It's all just there.

For a while now many of you know I've been speaking and writing, mostly at the conceptual level, about the day when such a way of remote computing will arise. Well, my friends, that day is now. You can indeed build it now, with the products you have. I won't admit it's all peaches and cream: there's a fair number of moving parts here, it's true. But most of these moving parts are parts you're already familiar with: I'm simply encouraging you to move them in a specific way. You'll need to do some custom scripting for client-side connection diagnostics, but that's about it.

My next step is to create a more detailed guide, which I plan to publish through TechNet Magazine. I'm targeting (but not promising) the October issue. The article will include greater details about configuring your infrastructure to support the managed clients I describe.

I've lost track of the swelling number of individual conference attendees and the plethora of email writers who've expressed a desire to build this in their own environments. The one common thread from everyone is "I want to do it now!" Folks, it's really pretty exciting for me to see so many of you ready to cross the chasm from the perdition of paleo-networking (layer upon endless, complex layer of DMZs) into the paradise of flat, simple, cheap, and secure access to information. If you haven't yet, please take the time to read through some of our information (especially Scott Charney's paper) on end-to-end trust. Friends, the idea I describe above is the plumbing for realizing the end-to-end trust vision.

Blogger: Dan Blum

One of our service directors likes to quote William Gibson: “The future is here, it’s just unevenly distributed.”

At Microsoft’s Server and Tools Business (STB) Analyst and Tech Ed conferences last week, I saw a vendor and a user community living in the past, present and future with many unevenly distributed capabilities.

In a session on identity management strategy, for example, Microsoft discussed a variety of initiatives. These range from Card Space (futuristic implementation of user-centric Information Card specifications) to ADFS (present day enterprise federation support, though unfortunately lacking full SAML capabilities) to self-service password reset exposed through Office (decidedly backward-looking as this functionality has been available from many vendors through browsers for many years).

In another session on rights management and SharePoint, Microsoft highlighted the opportunity to configure SharePoint libraries to automatically apply Active Directory Rights Management Services protections on downloaded documents. Digital rights management (DRM) is controversial and no strong guarantor of confidentiality. Nonetheless, it is a  way to put futuristic self-protecting wrappers on content so as to prevent its accidental leakage or misuse by honest, cooperative users. Because it’s not something that can resist certain types of malicious attackers, many security professionals look down their noses at rights management. Nonetheless, preventing accidental misuse of enterprise information is a big part of the space. It was clear from the number of people in the room asking intelligent questions suggesting realistic expectations that customers see potential value for this technology.

Finally, I was impressed by a presentation on IPSec, PKI and NAP by a Brazilian university IT manager named Rodrigo Imaginario. Starting three years ago, the university combined its student and administrative networks into a single network. Yet servers running ERP and containing administrative content (such as grading information) need to be protected from a subset of students going through their hacking stage. Imaginario implemented a logical security zoning overlay on top of the network using IPSEC in Windows. In the restricted zone, servers only accept connections from Kerberos-authenticated IPSEC clients in the administrative domain. Today, the authentication is being upgraded to use PKI for secure, all campus wireless networking. Imaginario indicated the university took the Windows IPSEC route approach because no additional software had to be purchased. Configuration was difficult, he said, but will get easier with Windows Server 2008. This sounds like an idea whose time has come.

Blogger: Dan Blum

One of our service directors likes to quote William Gibson: ???The future is here, it???s just unevenly distributed.???

At Microsoft???s Server and Tools Business (STB) Analyst and Tech Ed conferences last week, I saw a vendor and a user community living in the past, present and future with many unevenly distributed capabilities.

In a session on identity management strategy, for example, Microsoft discussed a variety of initiatives. These range from Card Space (futuristic implementation of user-centric Information Card specifications) to ADFS (present day enterprise federation support, though unfortunately lacking full SAML capabilities) to self-service password reset exposed through Office (decidedly backward-looking as this functionality has been available from many vendors through browsers for many years).

In another session on rights management and SharePoint, Microsoft highlighted the opportunity to configure SharePoint libraries to automatically apply Active Directory Rights Management Services protections on downloaded documents. Digital rights management (DRM) is controversial and no strong guarantor of confidentiality. Nonetheless, it is a  way to put futuristic self-protecting wrappers on content so as to prevent its accidental leakage or misuse by honest, cooperative users. Because it???s not something that can resist certain types of malicious attackers, many security professionals look down their noses at rights management. Nonetheless, preventing accidental misuse of enterprise information is a big part of the space. It was clear from the number of people in the room asking intelligent questions suggesting realistic expectations that customers see potential value for this technology.

Finally, I was impressed by a presentation on IPSec, PKI and NAP by a Brazilian university IT manager named Rodrigo Imaginario. Starting three years ago, the university combined its student and administrative networks into a single network. Yet servers running ERP and containing administrative content (such as grading information) need to be protected from a subset of students going through their hacking stage. Imaginario implemented a logical security zoning overlay on top of the network using IPSEC in Windows. In the restricted zone, servers only accept connections from Kerberos-authenticated IPSEC clients in the administrative domain. Today, the authentication is being upgraded to use PKI for secure, all campus wireless networking. Imaginario indicated the university took the Windows IPSEC route approach because no additional software had to be purchased. Configuration was difficult, he said, but will get easier with Windows Server 2008. This sounds like an idea whose time has come.