A Technical Guide to running VMware based applications in Google Cloud
Contents
Introducing Google Cloud VMware Engine 04
Architecture overview 05
Networking 07
Leverage innovative tools by VMware, Google, and trusted third-parties 09
Continuous monitoring while you focus on what matters 11
Updates and upgrades 13
Secured by design 14
Protecting critical data 15
Take the next step 16
Executive summary
Moving your VMware based applications to the cloud is often a complex and costly process. IT has to grapple with re-architecting applications, changes to networking and tools, and in many cases, app modification for those that are not able to run in the cloud.
Google Cloud VMware Engine simplifies cloud migration and frees IT from the overhead of managing physical infrastructure, helping reduce the operational burden and costs of migrating and managing VMware applications. By migrating your VMware applications to Google Cloud, you can continue to leverage your existing investments in VMware and use the same tools, processes, and policies, while increasing business agility, security and availability.
This paper provides deeper insights into how VMware Engine facilitates migrating your applications to Google Cloud and helps you understand the impact on networking, security, monitoring, and maintenance.
Introducing Google Cloud VMware Engine
Google Cloud VMware Engine is a fully managed VMware-as-a-Service product that enables businesses running on-premises VMware workloads to seamlessly migrate to Google Cloud without needing to re-architect or refactor their applications. Your VMware environment – including its components vSphere, vCenter, vSAN, NSX-T, and corresponding tools – continues to run natively in a dedicated and private, software-defined data center stack on Google Cloud’s bare metal infrastructure located in Google Cloud data centers. Essentially, you get to leverage your existing VMware investments, tools, processes, and skills to maintain operational continuity, while avoiding data center management, hardware refreshes, and procurement cycles. VMware Engine is sold and supported by Google and is VMware ‘Cloud Verified’.
Because VMware Engine is 100% compatible with your VMware workloads, many of your typical applications can be migrated without change or having to use a new application in the cloud. Common workloads include Virtual Desktop Infrastructure (VDI) to enable employees to work from anywhere, and moving DR and Backup targets to the cloud to reduce TCO. In addition to the ease of migration, you can also benefit from bringing your existing data to Google Cloud and leveraging high speed access to native Google Cloud Services such as AI, ML, Anthos and BigQuery.
This paper provides a technical overview of VMware Engine, covering key features and capabilities, in addition to highlighting areas of consideration before you take positive steps towards modernizing your IT infrastructure.
Architecture overview
VMware Engine provides a dedicated private cloud, composed of a hyperconverged compute, storage, and networking stack deployed on Google Cloud infrastructure in various Google Cloud locations worldwide.
Each private cloud contains one instance of the vCenter Server, which manages multiple ESXi nodes contained in one or more vSphere Clusters, along with the corresponding Virtual SAN (vSAN) storage. VMware Engine is sold by the node, with a minimum configuration of three nodes and a maximum of 64 nodes per private cloud, and you can create any number of private clouds.
By running your workloads on a native VMware environment in a dedicated VMware software stack on Google Cloud, you can migrate and run any of your on-premises virtualized workloads in Google Cloud with no changes. You use the same VMware tools you are already familiar with, such as vSphere, vCenter, vROps and vMotion. All the VMware licenses needed to run the service are included: ESXi, vCenter, vSAN, NSX-T, and HCX.
Each node consists of all the compute, memory, and storage you need. The initial node configuration is:
CPU: Intel Xeon Gold 6240 (Cascade Lake), 2.6 GHz (x2), 36 Cores, 72 Hyper-Threads
Storage: 2 × 1.6 TB (3.2 TB) NVMe (Cache), 6 × 3.2 TB (19.2 TB) NVMe (Data)
Hyperconverged design using vSAN
The all-flash NVMe-based storage can support the speed and performance required for demanding workloads, such as Oracle, SQL Server, SharePoint, Microsoft Exchange Server, and VDI running on VMware. VMware Engine also has the ability to reduce the core count in the nodes to align with licensing restrictions of third party software.
Customers have various service options for storage targets, including:
Local storage on the hyperconverged platform (vSAN): offers low-cost storage due to the compression and dedupe abilities of vSAN (dependent on data redundancy) while providing single-location high availability.
Multiple storage options (e.g. Elastifile Cloud Files, NetApp Cloud Volumes): these are good for primary or secondary (backup) storage due to single-location availability and lower costs.
Google Cloud Storage: best for secondary storage, image files, ISOs, and so forth. It can offer the lowest cost and largest variety of storage options across multiple regions.
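The node specification and the vSAN storage option above leave the sizing arithmetic to the reader: how much of the 19.2 TB data tier per node is actually usable depends on the vSAN redundancy policy, and some policies need more hosts than the three-node minimum. The following planner is an added example (not Google's or VMware's code); it takes the node figures and the 3-to-64 node limits from this page, and assumes standard vSAN policy overheads, host minimums and a 25% slack reservation.

```python
"""Capacity planner for a VMware Engine private cloud (added example, not
Google's or VMware's code). Node figures are the ones on this page; the vSAN
storage-policy overheads and host minimums are standard vSAN rules stated
here as assumptions."""
from dataclasses import dataclass
from typing import List, Optional

NODE_DATA_TB = 6 * 3.2        # 19.2 TB NVMe data tier per node (cache tier excluded)
MIN_NODES, MAX_NODES = 3, 64  # private cloud size limits stated on this page


@dataclass(frozen=True)
class VsanPolicy:
    name: str
    overhead: float  # raw bytes consumed per usable byte
    min_hosts: int   # hosts vSAN needs to place all components of an object


# Assumed vSAN storage policies: mirroring (RAID-1) vs. erasure coding (RAID-5/6).
POLICIES = {
    "raid1-ftt1": VsanPolicy("RAID-1, FTT=1", 2.0, 3),
    "raid5-ftt1": VsanPolicy("RAID-5, FTT=1", 4 / 3, 4),
    "raid6-ftt2": VsanPolicy("RAID-6, FTT=2", 1.5, 6),
    "raid1-ftt2": VsanPolicy("RAID-1, FTT=2", 3.0, 5),
}


def supported_policies(nodes: int) -> List[str]:
    """Policies the cluster is large enough for, least raw overhead first."""
    if not MIN_NODES <= nodes <= MAX_NODES:
        raise ValueError(f"node count {nodes} outside {MIN_NODES}..{MAX_NODES}")
    keys = [k for k, p in POLICIES.items() if nodes >= p.min_hosts]
    return sorted(keys, key=lambda k: POLICIES[k].overhead)


def usable_capacity_tb(nodes: int, policy_key: str, slack: float = 0.25) -> float:
    """Usable TB after redundancy overhead and reserved slack space (assumed 25%).
    Raises ValueError for clusters outside the limits or too small for the policy."""
    if policy_key not in supported_policies(nodes):
        raise ValueError(f"{POLICIES[policy_key].name} needs more than {nodes} hosts")
    raw_tb = nodes * NODE_DATA_TB
    return round(raw_tb * (1 - slack) / POLICIES[policy_key].overhead, 2)


def cheapest_policy(nodes: int, required_tb: float) -> Optional[str]:
    """Least-overhead policy that still yields required_tb, or None if none fits."""
    for key in supported_policies(nodes):
        if usable_capacity_tb(nodes, key) >= required_tb:
            return key
    return None
```

A three-node minimum cluster under RAID-1 mirroring yields about 21.6 TB usable from 57.6 TB raw, which is why the erasure-coding policies (needing four or six hosts) matter when planning the initial node count.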
Networking
Networking is a key feature of the service, providing high speed, secure access to your applications as well as securing all traffic between your applications and Google Cloud Services. You can provision NSX-T network overlays (and their subnets), create firewall tables, and assign public IP addresses that map to a virtual machine running in your private cloud.
Google supports the following connectivity options to connect to your VMware Engine region network, more than one of which can be used at the same time:
Direct Interconnect connection from your on-premises data center to the VMware Engine region network on Google Cloud. This is a high-speed, low-latency, secure private connection that bridges your on-premises circuit to your Google Direct Interconnect circuit.
Direct Interconnect connection from your virtual private cloud to your VMware Engine region network. This is a high-speed, low-latency, secure private connection that uses virtual network gateways to bridge your virtual network on Google Cloud to your VMware Engine circuit.
Cloud VPN, which securely connects your peer network to your virtual private cloud (VPC) network through an IPsec VPN connection. Traffic traveling between the two networks is encrypted by one VPN gateway and then decrypted by the other VPN gateway. This protects your data as it travels over the internet. You can also connect two instances of Cloud VPN to each other.
Google Direct Interconnect or VPN are supported for communicating with and migrating workloads to your dedicated cloud. Point-to-Site VPN is supported for remote/quick access to VMware Engine, and you can control which users can access the VMware environment.
The service provides fully redundant networking (via multiple top-of-rack switches) and direct integration into your dedicated cloud, enabling the use of Cloud Interconnect and Cloud VPN. Further, it is integrated with Google Cloud billing, identity management, and access control to simplify management.
Each node includes four NICs operating at 25 Gbps throughput each for a total of 100 Gbps, providing high-speed, low-latency access to services via VPC peering. For example, you can deploy your customer database in a dedicated cloud and access the application servers in Google Cloud with millisecond response times.
Questions to consider
How do you intend to connect your applications to Google Cloud: via Direct Interconnect or VPN?
Do you want high-speed, low-latency access to these innovative products and services?
Leverage innovative tools by Google, VMware and trusted third-parties
Another powerful advantage of VMware Engine is that it enables access to the entire vSphere ecosystem of trusted third-party IT management tools, as well as the complete core vSphere platform and its default interface, vCenter.
You can leverage a wide array of capabilities – including provisioning, monitoring, support, inventory management, backup and disaster recovery, security, network and IP address management, identity management – all of which are managed through a single pane of glass.
For backup and disaster recovery, we’re currently working with the following partners to integrate their offerings with the service: Cohesity, NetApp, Veeam, and Zerto.
VMware Engine offers privilege elevation, which allows you to install and manage third party applications that require administrative access to vCenter. At your request, your privileges can be upgraded for up to a 24-hour period to make limited configuration changes to the vCenter, after which the environment is automatically locked for security. Applications like Zerto for DR are fully supported with this feature.
On-boarding and migrating workloads via VMware HCX and vMotion
The service supports all standard VMware migration tools like vMotion and HCX. vMotion is best for migrating individual workloads without interrupting the service. In this deployment scenario, you connect your private cloud to your on-premises environment using a dedicated interconnect tunnel that allows on-premises management and vMotion subnets to communicate with the private cloud management and vMotion subnets. This allows for Cross vCenter vMotion (xVC-vMotion).
A full HCX license is also included, allowing you to migrate workloads en masse, while enabling L2 connectivity and vMotion or Storage vMotion workflows without changing the IP address. The time to execute migrations is based on the number and size of your workloads, as well as the speed and bandwidth of your connectivity.
Questions to consider
Do you want to take advantage of the most innovative products and services in the market that are fully compatible with your infrastructure?
Do you want high-speed, low-latency access to these innovative products and services?
Continuous monitoring while you focus on what matters
For IT teams, monitoring the performance and availability of operating systems, middleware, and applications running across physical, virtual, and cloud environments internally is complex and time-consuming, which leaves little room to innovate.
With VMware Engine, the level of probes and error logs best-suited for your business is established automatically. The solution has a continuous performance monitoring subsystem so that issues can be detected and resolved quickly. For example, if a hardware failure is detected, a new node is added to your private cloud and the failed node is removed.
Maintenance, Patches, Upgrades, and Change Windows
As with any cloud service, taking time to patch and upgrade the underlying software is critical to ensuring security and access to the latest features. Google Cloud has a standard process we are committed to for patching the underlying VMware software. All of the patching for applications and software running on the VMware environment is the user’s responsibility.
Questions to consider
Do you want the ability to increase or decrease capacity on demand?
Do you want to optimize capacity expenditure?
Backend/internal maintenance
System maintenance typically involves reconfiguring physical assets or installing software patches. It doesn’t affect normal consumption of the assets being serviced. With redundant NICs going to each physical rack, normal network traffic and private cloud operations aren’t affected. You might notice a performance impact only if your organization expects to use the full redundant bandwidth during the maintenance interval.
Portal maintenance
Some limited service downtime is required when the control plane or infrastructure is updated. Currently, maintenance intervals can be as frequent as once per month. The frequency is expected to decline over time. Notification is provided for portal maintenance and efforts are made to keep the interval as short as possible. During a portal maintenance interval, the following services continue to function without any impact:
VMware management plane and applications
vCenter access
All networking and storage
VMware infrastructure maintenance
Occasionally it’s necessary to make changes to the configuration of the VMware infrastructure. Currently, these intervals can occur every 1-2 months, but the frequency is expected to decline over time. This type of maintenance can usually be done without interrupting normal private cloud consumption. During a VMware maintenance interval, the following services continue to function without any impact:
VMware management plane and applications
vCenter access
All networking and storage
Questions to consider
Do you want to ensure your applications and hardware performance are continuously monitored while you focus on more important business initiatives?
Do you want to ensure issues are detected and resolved quickly and comprehensively?
Updates and upgrades
Google is responsible for lifecycle management of VMware software (ESXi, vCenter, vSAN, PSC, and NSX) in the private cloud.
Software updates include:
Critical security patches are tested as soon as they become available from VMware. Per our SLA, the security patch is rolled out to private cloud environments within a week.
Quarterly maintenance updates cover the VMware software components. When a new major version of VMware software is available, we work with customers to coordinate a suitable maintenance window for the upgrade.
Patches: security patches or bug fixes released by VMware.
Updates: minor version change of a VMware stack component.
Upgrades: major version change of a VMware stack component.
Secure by design
Since all the edge-type networking services of VMware Engine – including VPN, public IP, and internet gateways – run on Google Cloud, they inherit the baseline network security and DDoS protection provided by Google Cloud. This applies to both Google Cloud and the dedicated private VMware environment.
In particular, VMware Engine has separate Layer-2 networks that restrict access to your own internal networks in your private cloud environment. You can easily define east-west and north-south network traffic control rules for all network traffic, including intra-private cloud traffic, inter-private cloud traffic, general traffic to the internet, and network traffic to on-premises.
Security is additionally delivered at the hardware level. As part of the service, all customers get dedicated bare metal hosts with locally attached disks that are physically isolated from other hardware. An ESXi hypervisor with vSAN runs on every node and the nodes are managed through customer-dedicated VMware vCenter and NSX.
Questions to consider
Do you want a service that guarantees multiple layers of network security?
Do you want the ability to manage network security easily, efficiently, and reliably?
Protecting critical data
With VMware Engine, you can ensure data at rest and data in transit are protected.
Data at rest in the private cloud environment can be encrypted using vSAN software-based encryption. This type of encryption works with certified third-party key management servers located in your own network or on-premises, and you can easily control and manage the encryption keys yourself.
For data in transit, applications are expected to encrypt their network communication within the internal network segments. vSphere supports encryption of data over the wire for vMotion traffic.
To protect data that moves through public networks, you can create IPsec and SSL VPN tunnels for your private clouds. Common encryption methods are supported, including 128-byte and 256-byte AES. Data in transit – including authentication, administrative access, and customer data – is encrypted with standard mechanisms, such as SSH, TLS 1.2, and Secure RDP.
Questions to consider
Do you want to ensure data at rest and data in transit across your cloud environments can be reliably protected?
Do you want access to best-in-class security capabilities from VMware and Google Cloud?
© 2020 Google LLC. 1600 Amphitheatre Parkway, Mountain View, CA 94043.
Take the next step
Regardless of what your “why” is, it is important that any technology you adopt is aligned with the goals, needs, and objectives of the business. There is no one-size-fits-all model that can be implemented across the board. This is why you need a comprehensive solution that can adapt to and grow with your business.
So, tell us what you’re solving for and one of our experts will help you find the best solution.
For detailed specifications, visit the Google Cloud VMware Engine website or contact sales.
Google Cloud VMware Engine is verified by VMware.
VMware and Google are trademarks of VMware and Google respectively.