Professional Documents
Culture Documents
Network access
By default, each instance (virtual machine) provisioned in
IBMSmartCloud Enterprise is assigned one or more publicly
routable IP addresses and is accessed via the Internet. An
optional offering of IBMSmartCloud Enterprise is a VPN
service. Each optional VPN provides an Internet Protocol
Security (IPsec)-based VPN tunnel over the Internet between
a clients IPsec capable gateway and one IBMSmartCloud
Enterprise data center. With the VPN option, the client
receives a private Virtual Local Area Network (VLAN). With
the VPN option, when the client provisions an instance, the
client is able to choose between provisioning the instance on
the public VLAN or the private VLAN. The VPN option
provides the client with encrypted communication of data
over the Internet and an additional level of isolation within
the IBMSmartCloud Enterprise virtual network.
With the VPN option, a client may provision an instance that
spans both the public VLAN and the clients private VLAN.
This ability allows for greater exibility in creating tiered
deployment architectures in the cloud. This capability should
be protected using software rewalls (either those that come
with the operating system or from a third party) to limit both
host and port access.
Data control
As stated previously, the default access to the virtual machine
operating system is to allow full privileges to the clients. As a
result, clients have full control over how data is handled
within their cloud environments. Clients can implement any
software tooling to move data and are responsible for the
maintenance of that tooling and administration of any access
controls. Clients may want to consider additional security
measures for their data such as le system encryption.
As a policy, IBMdoes not move or migrate a clients provi-
sioned resources (for example, images, images, persistent stor-
age, and so on) from one data center to another. When the
clients provision a resource, they choose which data center
that resource is provisioned in. This policy may be important
to clients that have security concerns with data moving
outside of certain geographies.
High availability
Clients can set up and congure high availability after having
provisioned their virtual server environment. High availability
is a key area of interest for organizations embracing cloud
computing. High availability also has a number of areas that
need to be addressed to ensure a high-availability application
on the cloud, such as network vulnerability, multisite redun-
dancy and storage failure. But one of the most important
areas is IP failover. Utilizing virtual IP addresses for their vir-
tual machines can enable clients to eliminate single points of
failures and to design a highly available IT infrastructure.
Addressing high availability for cloud
environments
The requirement to protect a production-grade IT system
or application against a failure of any node is not new by any
standard, and has been addressed in many software products.
Yet these software products are, by and large, not compatible
with many cloud offerings, and most public cloud providers do
not always provide the required functionality. As a result, users
need to complement the cloud deployments with high availabil-
ity constructs that exist outside the cloud.
To address these needs and concerns surrounding high avail-
ability, and to do so in a security-rich and expedient manner,
the IBMSmartCloud Enterprise offering has added support for
virtual IP addresses (vIPs) on the cloud virtual instances. In
addition to a regular static IP address, which each virtual
machine gets when it is set up, and that never changes, a
machine can dynamically assume one or several additional vir-
tual IP addresses. Because it is the application code that controls
the association between the vIPs and instances, the application
topology can adjust to a node failure very quickly, typically in
less than a second. Setup and conguration of high availability
for the IBMSmartCloud Enterprise can be performed solely
within your provisioned virtual machine environment.
11
IBMGlobal Technology Services June 2011
Technical White Paper
As an example, take a pair of virtual machines, Virtual Machine
A and Virtual Machine B, as shown in Figure 5. Each machine
has a static IP address. Both virtual machines are also cong-
ured to allow the dynamic assignment of a virtual IP address in
addition to the existing static one.
192.168.1.10
VM A
192.168.1.101
VM B
192.168.1.102
Figure 5. In addition to their static IP addresses, Virtual Machines A and B
are able to assume the virtual IP address 192.168.1.10 at run time.
The static IP addresses are used to administer and maintain the
machines. The virtual IP address is the one that is given to the
clients as the published application or server IP address.
To begin with, the virtual IP address is attached to the rst
machine. This rst machine handles all the service traffic. The
second machine is up and running and acts as a warm standby,
as shown in Figure 6.
192.168.1.10
IP trafc
VM A [active] VM B [passive]
2 0 1 . 1 . 8 6 1 . 2 9 1 1 0 1 . 1 . 8 6 1 . 2 9 1
Figure 6. The active/passive conguration: Virtual Machine A holds the vIP
and services of the traffic, while Virtual Machine B acts as a passive standby.
If the rst machine encounters a problem, slow-down or failure,
the virtual IP address is switched to the second machine. Now
the second machine serves all the traffic while the rst machine,
once repaired, becomes the warm standby, as shown in Figure 7.
Figure 7. The active/passive conguration: Virtual Machine B has assumed
the vIP and now services all traffic, while Virtual Machine A acts as a warm
standby.
The published address being the static address means that the
failure and switch are virtually seamless to the end userany-
where from a few seconds to a few minutes. Because the virtual
IP address can be transferred between different machines very
quickly, with careful programming, you could signicantly
reduce unplanned outages by having the IP address move at the
rst sign of trouble.
By supporting virtual IPs for virtual machines,
IBMSmartCloud Enterprise can help reduce system downtime
in the event of a virtual machine failure. By switching to a
backup virtual machine, the consumer can help ensure that dis-
ruptions are almost seamless to an end user.
Conclusion
Today, security is often listed as the number one concern
for clients considering cloud adoption. Cloud security issues
persistently rank above cloud reliability, network issues and
concerns about the economic payback of cloud. This concern
is immediately followed by high availability, a concept that
needs to be addressed for almost every production-grade
IT environment.
1
IP trafc
VM A [passive]
192.168.1.102
192.168.1.10
VM A [active]
192.168.1.101
Please Recycle
To fully benet from cloud computing, clients must ensure that
data, applications and systems are properly secured so that the
cloud infrastructure wont expose their organizations to risk.
Cloud computing comes with all the usual requirements of tra-
ditional IT security and availability, with an added level of risk
and complexity because of the external aspects. These risks call
for a comprehensive framework to security that helps ensure all
the different security domains work together in a holistic and
synergistic manner, in alignment with overarching business
objectives.
The IBMSmartCloud Enterprise offering builds on the skills,
best practices and assets developed through years of experience
managing and operating security-rich, reliable enterprise data
centers around the world. The infrastructure complies with
IBMsecurity policies, including regular security scans and
controlled administrative actions and operations. Within our
delivery centers, client data and virtual machines are kept in the
data center where provisioned, and the physical security is the
same as that for IBMinternal data centers.
The IBMSmartCloud Enterprise model does not provide a
one-size-ts-all solution that can solve all client concerns,
but it can provide appropriate levels of security and availability
for specic cloud needs. Drawing on a broad portfolio of
consulting services, software, hardware, and managed security
services, IBMSmartCloud Enterprise can help you successfully
implement a security-rich and highly available cloud computing
environment.
For more information
To learn more about IBMSmartCloud Enterprise, please con-
tact your IBMmarketing representative or Business Partner, or
visit the following website: ibm.com/cloud/solutions/enterprise
To learn more about implementing a security-rich
cloud environment, refer to the IBMRedpaper Cloud
Security GuidanceIBMRecommendations for the
Implementation of Cloud Security, REDP-4614, at
ibm.com/redbooks/abstracts/redp4614.html?Open.
To learn more about implementing high availability within
your IBMSmartCloud Enterprise environment, refer to the
IBMdeveloperWorks article High availability apps in the
IBMCloud at
ibm.com/developerworks/cloud/library/cl-highavailabilitycloud.
Copyright IBMCorporation 2011
IBMGlobal Services
Route 100
Somers, NY 10589
U.S.A.
Produced in the United States of America
June 2011
All Rights Reserved
IBM, the IBMlogo, ibm.com, developerWorks and Rational are trademarks
of International Business Machines Corporation in the United States,
other countries or both. If these and other IBMtrademarked terms are
marked on their rst occurrence in this information with a trademark
symbol ( or ), these symbols indicate U.S. registered or common law
trademarks owned by IBMat the time this information was published.
Such trademarks may also be registered or common law trademarks in
other countries. A current list of IBMtrademarks is available on the web at
Copyright and trademark information at ibm.com/legal/copytrade.shtml
IT Infrastructure Library is a registered trademark of the Central
Computer and Telecommunications Agency which is now part of the
Office of Government Commerce.
ITIL is a registered trademark, and a registered community trademark of
the Office of Government Commerce, and is registered in the U.S. Patent
and Trademark Office.
Other company, product or service names may be trademarks or service
marks of others.
1
Cloud Computing Attitudes, IDC, Doc #223077, April 2010.
MSW03010-USEN-00