Category: News

How to find out which storage vendors support VVol replication in vSphere 6.5

vSphere 6.5 introduced support for VVol replication, but on day 1 of the vSphere 6.5 GA there wasn’t a single storage vendor that supported it. VMware has a special Compatibility Guide category specifically for VVol support that shows which storage vendor arrays support VVols, along with additional information on supported array models, firmware and protocols. One additional piece of information in those listings is a field labeled Feature. This field is used to indicate support for additional VVol special features; it is not intended to display array capabilities that are exposed to VVols.

Prior to vSphere 6.5 I have only seen 2 types of features displayed in some vendor listings, Multi-vCenter support and VASA Provider High Availability support. The Multi-vCenter support simply means a storage array can support connecting to multiple VASA Providers when you have more than one vCenter Server in your environment. The VASA Provider High Availability support was mainly intended for external VASA Providers to indicate they had some type of mechanism in place to protect the VP in case of a failure (i.e. VM down).

Now with vSphere 6.5 there is a new feature listing called VVols Storage Replication, which indicates that a storage array supports the new VVol replication capability in vSphere 6.5. Note that a storage array can be certified to support VVols in vSphere 6.5, but unless it has the VVols Storage Replication feature listed it does not support VVol replication.

As of today there are only 7 storage vendors that are listed as supporting VVols in vSphere 6.5: Fujitsu, HPE, HDS, Huawei, IBM, NEC and Nimble (at the vSphere 6.5 launch there were only 4), but there is currently only one storage vendor that supports VVol replication, which is Nimble. For comparison purposes there are 17 storage vendors listed as supporting VVols in vSphere 6.0. So while support for VVols replication is now available, most storage vendors are not ready to support it yet. Having seen first hand the amount of engineering effort it takes to support VVols replication, I can understand why I can count on my nose the number of vendors that support it.

Another potential speed bump for customers wanting to implement VVol replication is the very limited documentation and support for performing replication related operations such as planned and unplanned failover, failback and failover testing. VMware introduced some new PowerCLI cmdlets to do some of these operations, but customers have to write their own scripts to make it work and it can get a bit complicated to do so especially when trying to recover from an unplanned failover. Currently there is no support for vRealize Orchestrator or vCenter Site Recovery Manager with VVol replication to help automate those operations. There is also currently no support for doing a test failover via PowerCLI.

I know VMware is working to try and get some sample scripts and documentation around this as well as expand PowerCLI support and integrate it into SRM. The only documentation I have been able to find so far is this page from Nimble Storage which has some good information about their implementation of VVols replication. So if you are anxious to start using VVol replication, check with your storage vendor to see where they are at with it. I suspect you will see support slowly trickle out among the storage vendors; I know of one storage vendor in particular that will be supporting it fairly soon.

It’s great to see VVols evolve to support replication as it was a key missing feature that was holding some people back from using VVols. Now that VMware has delivered VVol replication support as part of VASA 3.0 in vSphere 6.5, the ball is in the storage vendors’ court to enable it within their arrays. As VVols continues to mature I look forward to seeing more hands go up when I’m speaking to groups and asking who is using it, as there are a lot of great benefits to using the VVols storage architecture.


Coming soon: Top vBlog 2017 with a new scoring method

I’m back in the saddle after taking a few weeks off to recharge and preparing to launch my annual Top vBlog voting. This year brings some big changes as to how blogs are scored: instead of just relying on public voting, which can become more about popularity and less about blog content, I’m adding several other scoring factors into the mix. By doing this, scores will reflect the efforts a blogger puts into their blog and not just be about how popular a blogger is. The total points that a blogger can receive through the entire process will be made up of the following factors:

  • 60% – public voting – general voting – anyone can vote – votes are tallied and weighted for points based on voting rankings as done in past years
  • 20% – private judges scoring – chosen judges who will grade a select group of blogs based on several factors, combined rankings will equal points
  • 10% – number of posts in a year – how much effort a blogger has put into writing posts over the course of a year based on Andreas’ hard work adding this up each year (aggregators excluded)
  • 10% – Google PageSpeed score – how well a blogger has done to build and optimize their site as scored by Google’s PageSpeed tools, you can read more on this here where I scored some of the top blogs.

All combined the above methods will be scored and the total points added up to determine the top bloggers. The mix of public voting and private scoring is similar to how VMworld session submissions are scored. I’m still working on the point formula for the various scoring methods but I believe this will be a very fair system to help recognize those bloggers that deserve it most. I will be looking for 8-10 private judges who will be given a group of 20-30 blogs to score. Once again the 10 minimum blog posts rule in 2016 will be enforced to be eligible to be on the Top vBlog voting form (about 220 blogs make it this year).

And thank you once again to Turbonomic for sponsoring Top vBlog 2017, stay tuned!


Is it VSAN, vSAN, VVols, vVols or what?

If there is one thing VMware tends to be consistent at, it is changing the case of their product & feature acronyms. I’ve seen the acronyms for both Virtual SAN and Virtual Volumes done many different ways. One reason for that is VMware periodically changes the case of their acronyms, in the case of Virtual Volumes in the early days VMware had it at VVOLs and then vVols and now it’s VVols. With Virtual SAN I’ve seen it VSAN and vSAN so let’s cover what is right and wrong right now according to VMware.

Virtual Volumes is largely referred to as Virtual Volumes in most VMware documentation, they do abbreviate it though and the official abbreviation is VVols. So the correct wording/case is VMware Virtual Volumes or VMware VVols.

Virtual SAN on the other hand is no longer being referred to as Virtual SAN, VMware officially now calls it VMware vSAN, the longer name “Virtual SAN” has been officially end of lifed.

Vendors have the fun job of updating all their product documentation and collateral that references the old name/case. So now you know the correct way to spell and use those product names until next time when the VMware marketing machine decides to change them again.


Top 10 things you must read about vSphere 6.5

There have been so many documents, white papers, videos and blog posts about the vSphere 6.5 release that it’s hard to keep up with them all. Fortunately you don’t have to as I have over 300 links gathered in my vSphere 6.5 Link-O-Rama and it is still growing. With so many links it’s easy to miss some of the really good ones so I thought I would put together a top 10 list of my hand picked links that highlight the best ones that you don’t want to miss. If you are looking to upgrade to vSphere 6.5 or just want to find out what you are missing out on you are definitely going to want to read these. You can start out with my quick summary of everything that is new in vSphere 6.5 and the configuration maximum changes in vSphere 6.5 and then continue on below for much more…

1 – The official VMware What’s New in vSphere 6.5 series

Traditionally VMware releases a slew of What’s New white papers to support a new vSphere release that cover specific areas (i.e. storage, platform, networking, etc.). This time around VMware released a lot of blog posts instead of publishing white papers that cover the new features and enhancements in a lot more detail than their standard one page overview document that covers them at a high level. Be sure and give these a read as they provide good in depth information written by the VMware technical experts that will help you better understand the changes and new things in vSphere 6.5:

2 – You can now natively encrypt VMs in vSphere 6.5, find out how

VM-level encryption has been a long awaited feature and it’s finally here in vSphere 6.5. While it’s fairly easy to encrypt a VM using Storage Policy Based Management (SPBM) the setup of the vSphere environment to support encryption can be a bit complicated. Key management servers must be leveraged for encryption so before you dive into encryption learn how to do it properly and understand the impacts on performance that encryption will have. The below links will get you started on working with encryption in vSphere 6.5:

3 – HA & DRS get some nice enhancements, find out how you can use them

The vSphere High Availability (HA) & Distributed Resource Scheduler (DRS) features have been around all the way back to VI3. HA & DRS are features that we take for granted and are at the very core of vSphere and invaluable to maintaining a resilient and efficient virtual environment. Over the many vSphere releases between now and then there have been some tweaks and enhancements as to how those features function. Now in vSphere 6.5 there are some new enhancements that teach those old dogs some new tricks, read all about it here mostly courtesy of VMware’s Brian Graf:

4 – Virtual Volumes (VVols) goes 2.0 in vSphere 6.5 and it’s all about replication

VMware VVols, the next generation vSphere external storage architecture, was first introduced as part of vSphere 6.0 as a better alternative to VMFS. Now in vSphere 6.5 it has matured and is essentially a 2.0 architecture with support for array-based replication and some additional enhancements. If you haven’t checked out VVols yet I highly encourage you to give it a look; there are a lot of benefits to using it as it provides storage arrays with VM-level granularity which is integrated with vSphere’s SPBM system. The below links cover what is new with VVols in vSphere 6.5 (mainly replication) and if that leaves you wanting to know more be sure and check out my huge VVols link page:

5 – Automatic space reclamation (UNMAP) is back, learn how it’s changed in vSphere 6.5

Way back in vSphere 5.0 VMware introduced support for automatic space reclamation which allowed vSphere to send UNMAP commands to a storage array so space from deleted or moved VMs could be un-allocated (reclaimed) on the storage array. Shortly after this feature was introduced problems started surfacing and as a result VMware disabled UNMAP support and made it a manual process using CLI commands. While this worked it took quite a while to execute and was very resource intensive on the array. In vSphere 6.5 they have again made it an automatic operation but not in the same way as before as it operates in the background based on priority levels that can be set on VMFS datastores. Find out everything you need to know about getting your disk space back at the following links:

6 – The vCenter Server Appliance gets a big overhaul in vSphere 6.5 including native HA

Ever since vSphere’s core management component, vCenter Server (VCSA), was introduced as a virtual appliance years ago, VMware has steadily been improving the scalability, availability and management of it. With the vSphere 6.5 release the VCSA takes a big step forward introducing built-in high availability support (VCHA), integrated Update Manager, new management interface, native backup & restore options and much more! In addition the VCSA has been containerized as well and is the first VMware appliance to run on their new Photon OS. So you have plenty to learn about VCSA and VCHA, so dive right in and start learning at these links:

7 – VSAN continues to evolve in vSphere 6.5 with support for iSCSI

With the vSphere 6.5 release VSAN turns 2 1/2 years old and it’s remarkable how far it has come in that time frame. Unlike previous versions there isn’t a huge list of things that are new with this release of VSAN but that doesn’t mean that there are not some big things in it. Here are some links that will deep dive into what’s new in VSAN version 6.5:

8 – VMFS & Storage I/O Control change in vSphere 6.5, find out the details

vSphere 6.5 has introduced a new VMFS version 6 and there are a few changes in it compared to VMFS version 5 that you should be aware of, especially when upgrading from a previous vSphere version or operating in a mixed vSphere version environment. Storage I/O Control (SIOC) has been around for quite a while but it got a big overhaul in vSphere 6.5 as it now leverages the new vSphere APIs for I/O filtering (VAIO) and Storage Policy Based Management (SPBM). The following links cover the differences between VMFS5 & VMFS6, upgrade considerations and how SIOC works in vSphere 6.5:

9 – R.I.P. vSphere C#, welcome HTML5 Web Client, hello frustration managing vSphere 6.5

Now that vSphere 6.5 is here VMware delivered on their promise to eliminate the C# client in vSphere 6.5 in lieu of the new HTML5 client that they have been working on to replace the current flash-based vSphere web client that everybody hates on. The new HTML5 web based client is much faster than the old flash client and is a great improvement, but the only problem is that it’s only half done and has a lot of limitations right now. Give the following links a read to understand what awaits you while trying to manage vSphere 6.5:

10 – The VMware Knowledge Base is full of all sorts of useful info on vSphere 6.5

The VMware Knowledge Base has more than just solutions to problems, it also has a lot of great information and how-to articles as well. Quite literally the VMware KB is a fountain of information that contains dozens of great informative articles specific to vSphere 6.5. This includes articles that will help you with upgrading and installing vSphere 6.5 as well as tons of great tips, gotchas and solutions to issues. So before you even touch vSphere 6.5 save yourself some frustration by reading through the VMware KB and I guarantee your journey to vSphere 6.5 will be much smoother. Here’s just a few of the valuable vSphere 6.5 links that you will find inside the VMware KB:

So there you have it, the top 10 things you should read about vSphere 6.5, I’m sure I missed some other great ones as well so feel free to shout out in the comments some additional links that you feel people must read. Also be sure and bookmark my vSphere 6.5 Link-O-Rama, new links are added daily and you will find almost everything you need there to get you going with vSphere 6.5.


My NetGear Orbi review

I have seen other bloggers writing about their experiences with home wifi, particularly with the new mesh wifi systems like Eero, Orbi and Luma, so I thought I would throw mine out there as well. My last few routers have all been Asus routers; I tend to buy the biggest one I can get to get coverage in all areas of my home. My old Asus RT-AC87U router is located in my man cave which is in the basement of my ranch house and all the way at one end of the house. Because of this placement it makes getting a good strong signal upstairs and at the other end of the house a little difficult. I’ve tried various methods to extend the wifi in the past including using power line adapters and wifi repeaters; they’ve always been a little flaky so I always try and just buy a big router instead.

I’ve seen the mesh wifi routers becoming more popular; their big selling point is that everything is seamless to install and configure, you don’t have to mess with setting up multiple routers in bridge mode or anything else, you just plug them in and they all work together to form a big wifi mesh network. I started looking at the 2 that had been out for a while, Eero and Luma, and they seemed fairly decent but had mixed reviews. Then I saw that NetGear had come out with their own, the Orbi. I had intended to just upgrade to another big honkin router, the Nighthawk X6 AC3200, but the Orbi caught my eye and was getting very good reviews so I thought I would give it a try instead.

One thing that stood out with the Orbi is its dedicated backhaul, which is the connection between the main router and the satellite routers; other mesh wifi systems use the same radios that are used for user traffic for the connections between devices as well. The Orbi has a dedicated radio for that to separate that traffic and not use up user bandwidth, which allows for better performance. So after reading up on everything I could find about the Orbi and seeing good things I ordered the 2 unit model (router + satellite).

[Image: The Orbi has arrived in the man cave]

When it arrived I opened it and it was very nicely packaged, the router and satellite units are the same size and fairly big (also a bit slippery). I followed the quick install instructions, removed my old router, unplugged my cable modem, plugged it back in, turned on the main Orbi router, plugged it into the cable modem, placed the satellite upstairs and plugged in the power and finally plugged my desktop PC into the wired Ethernet port on the main Orbi router. On the Satellite unit, when I plugged it in it was supposed to glow amber and then change to blue once it connected to the main Orbi router, no luck there, it just kept flashing white despite it being only about 15-20 feet away from it. I gave up on that and went back to getting the main router configured.

I then went to http://orbilogin.com and that’s when my problems started. The first thing it does is check for an internet connection, it kept timing out saying it couldn’t connect to the internet. I checked the cable between it and the cable modem, I turned the Orbi router on and off and still no luck, finally I had to power cycle the cable modem again and it worked. It went through the setup process, then asked me to register it, I put my serial number and info in, it said it would send me a confirmation email and waited for me to acknowledge that email before it could proceed. I never got the email so I just closed the window and went back to the main Orbi admin page.

Both the satellite and main router had pretty old firmware versions so I went to the firmware update page, it detected new firmware for the router but was stuck on “Please wait” while checking for new firmware on the satellite, because of this the update buttons wouldn’t work either. I waited about 10 minutes and it was still stuck, I tried again and the same thing happened, finally I gave up and called Netgear’s support.

Trying to navigate to NetGear’s support was another fun challenge; they seem to hide any way to contact phone support on their main website. They also want you to take a picture of your receipt that you bought the unit to get to support. I wasn’t having any of that, I was already getting fed up that this supposedly super easy Orbi was already giving me problems. I finally google’d Netgear support phone number and found the number to call them.

The first guy I talked to was your typical, read from a script, I know very little type of support guy, I knew I wasn’t going to get anywhere fast with him. He kept making useless suggestions and asking non-relevant questions, he also wanted me to move the satellite closer to the router. I told him I wasn’t going to do that, if those 2 units can’t communicate well enough from 15-20 feet away moving them closer wasn’t going to do anything. Finally I got fed up and asked to talk to a supervisor.

The supervisor didn’t seem any more skilled than the first guy. He said he could have someone from advanced support call me back; I finally was about to hang up and told him to forget it, I’m just going to return this. This got me an immediate “I’ll transfer you to someone who actually knows what they are talking about” response. In a few minutes I was talking to their advanced support who did a remote session to my desktop.

They went through the process of downloading and manually updating the satellite firmware. Apparently there is a bug in the earlier firmware version where you can’t automatically update firmware through the admin console. Once that was manually applied the satellite unit re-started and then it looked like the main router unit updated its firmware automatically and re-started as well. From that point they were both at the latest firmware versions and everything was working. You can only make a first impression once and with the issues I experienced while setting Orbi up my initial excitement at getting a new wireless router quickly turned to frustration and aggravation.

[Image: Signal strength of old Asus (left) vs. new Orbi (right) in the farthest room from the router]

I checked my signal strength upstairs and at the opposite side of the house (see above) and it was very strong, much stronger than with the single Asus router. Also note that I pretty much get 5GHz coverage anywhere in the house now both upstairs and downstairs, where I only was able to get it downstairs in the man cave and just outside before.

So after an hour or so of aggravation everything was finally working. I’m only on my first day with the Orbi; it seems to be working well now but only time will tell. The hardware seems solid, the admin UI seems laggy and is a bit plain and basic but it has a fairly decent amount of advanced networking features. There is also no cloud management connection required like some of the other mesh systems require, where if you lose internet connectivity your whole LAN is down as well. The Orbi does have 3 wired Ethernet ports which is a big plus; I do have a NetGear 24-port smart switch that I use for a home lab but it’s nice to not have to use that if needed.

One thing I had wanted to know was the status of the backhaul connection between the router and the satellite to see if they were optimally positioned. The Orbi admin UI just simply says “1 Satellite connected” but tells you nothing about the status and strength of that connection. The LED ring on top of the satellite only works when you initially plug it in and then goes dark. I’d like to know that the satellite is working and how well it’s working; it would be nice if that LED ring would stay on or could be turned on if desired to tell you how the satellite is doing. I also hate looking at the main router and having no visible indication of what the hell it’s doing, it could be off for all I know. NetGear, put that LED to work and make it configurable in the admin UI. How about different colors for certain states and pulsing speed based on how busy it is? It would also be nice if the admin UI could show you more detail on the router-satellite connection.

There are really two big components to a wireless router, its hardware and its software; you need the combination of both of these to be good to have a great product. I won’t dispute NetGear has always had great hardware and that looks to still be the case with the Orbi, but quite frankly their software has always been pretty crappy. My past few routers have been Asus and if it’s one thing that Asus has nailed it’s their software which totally kicks ass; their admin UI is feature rich, very nicely laid out and easy to use and they update it constantly. You can even get the Merlin builds which are based on the stock software which take it to the next level. Coming from Asus, looking at NetGear’s UI is a big let down; it’s plain, basic, lacking and it looks like a 10 year old designed it. You also have to download a separate Windows NetGear Genie app to do certain things, why can’t I do it all in the web based UI? Also how about being able to show a network map and maybe some basic device usage reporting? NetGear, if you would just give your admin UI an overhaul you would have a killer product.

[Image: Orbi admin UI (top) compared to Asus admin UI (bottom)]

Now let’s talk Parental Controls, which is one area that NetGear has always sucked at and one of the major reasons I always chose Asus over them in the past. I would have thought by now NetGear would have been able to figure out this important feature to any parent and implement it correctly. Instead they have a half-assed & weak Parental Controls in their admin UI and then they punt and say go use Open DNS if you want more, which would work great until your kid figures out how to change their DNS server. On my Asus router, I had full Parental Controls built-in including the most important one to me, time of day access control by MAC address so I can shut my kids’ internet off at night at a specific time. While NetGear has time controls built-in, it impacts every device connected to the router, not just specific ones. Is it really that hard, NetGear, to implement time of day controls by MAC address?

All in all I would say I’m satisfied with the Orbi so far and will likely keep it. What any wireless router has to do really well is perform and that is what counts the most as you are using it day in and day out. Things like the admin UI you do not frequently use, so as long as my wifi is fast and gives me good coverage across my entire house I’m all good. It would be nice if they improved the admin UI, parental controls, LED light functionality and other things. The Orbi is still pretty new so hopefully the software improves over time which would make me even happier.

UPDATE (12/11/16):

After living with Orbi for a few days now, all I can say is: damn this thing kicks ass. I get awesome coverage all throughout the house and I can get 5GHz anywhere. From one of the farthest points from the main router and satellite my iPad speed test is around 170Mbps, crazy fast. My PC that is wired to one of Orbi’s Ethernet ports does a speed test at 232 Mbps. Also in that same room where I would regularly get the flashing wifi signal in Clash of Clans meaning I’m about to get disconnected (CoC tends to be latency sensitive), I have not been disconnected once with Orbi. I’m very happy with how well Orbi performs and would recommend it to anyone looking for whole home wifi. NetGear, please just work on your admin UI and I’ll be even happier!

UPDATE 2 (12/13/16):

NetGear yesterday released a new Orbi firmware version (1.4.0.18); it was mostly minor but contained support for a new iOS/Android app that was released yesterday for management. My initial thoughts were, great now I have to go through another painful firmware upgrade process, and also cool an app that might make device management easier. The firmware upgrade went OK without issue this time around; I upgraded it through the admin UI and it was pushed out to both the main router and satellite. I downloaded the admin app to my iPad hoping for new management goodness and when I launched it found it to be a bit of a joke; you can do almost nothing in the app and it’s got to be the most basic app I’ve seen, looking like someone wrote it in less than an hour.

When you launch the app you’re greeted to their dashboard which is nothing more than a screen with a giant picture of an Orbi with the only information shown being your Wifi network and password. If you browse the limited menu they have stuck in the corner all you can do is show device info (nothing more than the model, MAC address and the firmware version only for the router) and connected devices and that’s about it. My excitement of having an iPad management app quickly went to this royally sucks, app deleted. Again NetGear looks to not have a clue at designing a useful and nice management UI/app, they are lucky their hardware is keeping me a customer because their administration interfaces are trying real hard to push me away.

[Image: Orbi iPad app – like a Swiss army knife with only one blade]

Pluses:

  • 3 wired Ethernet ports
  • Fast and strong wifi signal
  • Nice looking hardware
  • Dedicated backhaul channel between router & satellite
  • Router is pre-paired with satellite unit
  • No cloud management required
  • Has a decent amount of advanced networking features

Cons:

  • LED light rings on top are fairly useless
  • Crappy admin UI is fairly bland and a bit laggy
  • No way to see details of router-satellite connection
  • No time scheduling parental controls by MAC
  • Firmware upgrade is buggy
  • iOS app is terrible
  • Support isn’t great unless you tell them you are returning it

Mesh router info and product reviews:


Want to bring a VVols technical education session to your local VMUG meeting?

One of the challenges around VVols adoption is that most customers just don’t understand what exactly it is and how it will benefit them over what they use today. I’ve tried to overcome that challenge by presenting VVol technical sessions wherever I can including VMUG UserCons, VMworld, HPE Discover, webinars, etc. and the content has always been very well received. I had the idea to take that a step further and offer myself to present at local VMUG events as well to try and educate even more people on VVols. I think I also convinced Pete Flecha, VMware’s VVol technical guru, to join in as well.

So VMUG leaders across the US my offer to you is this, if you want to have a great VVols technical session at your next local VMUG meeting get a hold of me and let me know. Depending on schedules I’ll try and commit to it right away and also see if Pete can make it as well. HPE will be paying for my travel to your event but I will keep the session very vendor neutral and about VVols in general much as I did at my VMworld VVol session that was a sponsor session. I can be an add-on if you already have a sponsor for your local VMUG or if you need me to pop for lunch I can do that as well.

My only ask from you is to try and give me at least 3-4 weeks notice prior to your local VMUG event (preferably a little more). The session can be from 45 – 90 min based on how much time you have available. You can contact me via Twitter or email and I look forward to coming to your event to present an enlightening technical session on VVols.


VMware on Reddit

I’m an avid Reddit reader and enjoy it on a daily basis. If you’re not familiar with Reddit it is the self-proclaimed front page of the internet with a huge variety of user submitted content. Reddit is composed of a large number of sub-forums on everything from food to pictures to DIY to news and even technology. Reddit forums are in subdirectory format with the syntax being /r/<forum Name>. The forums are patrolled by moderators and have rules on how and what you can post but for the most part you can talk about anything on topic to a particular forum. Often times links to content published elsewhere on the internet (i.e. blogs) are posted there for users to discuss and comment on.

There are a few forums that virtualization and VMware users might be interested in that I have listed below. The VMware one in particular is probably the most relevant; it’s not directly controlled by VMware itself but some of the moderators are VMware employees. I see this forum as complementary to the VMTN forums; there isn’t a huge amount of posts so it’s easier to keep up with and there are some interesting conversations published there. So go on and check it out. If you haven’t used Reddit before you will become quickly hooked to it; I always visit the main page several times a day which is full of great & hot content.

How will VM Encryption in vSphere 6.5 impact performance?

VMware finally introduced native VM-level encryption in vSphere 6.5 which is a welcome addition, but better security always comes with a cost and with encryption that cost is additional resource overhead which could potentially impact performance. Overall I think VMware did a very good job integrating encryption in vSphere, they leveraged Storage Policy Based Management (SPBM) and the vSphere APIs for I/O Filtering (VAIO) to seamlessly integrate encryption into the hypervisor. Prior to vSphere 6.5, you didn’t see VAIO used for more than I/O caching, well encryption is a perfect use case for it as VAIO allows direct integration right at the VM I/O stream.

So let’s take a closer look at where the I/O filtering occurs with VAIO. Normally storage I/O initiates at the VM’s virtual SCSI device (User World) and then makes its way through the VMkernel before heading onto the physical I/O adapter and to the physical storage device. With VAIO the filtering is done close to the VM in the User World with the rest of the VAIO framework residing in the VMkernel as shown in the below figure, on the left is the normal I/O path without VAIO and on the right is with VAIO:

When an I/O goes through the filter there are several actions that an application can take on each I/O, such as fail, pass, complete or defer it. The action taken will depend on the application’s use case, a replication application may defer I/O to another device, a caching application may already have a read request cached so it would complete the request instead of sending it on to the storage device. With encryption it would presumably defer the I/O to the encryption engine to be encrypted before it is written to its final destination storage device.

So there are definitely a few more steps that must be taken before encrypted data is written to disk, how will that impact performance? VMware did some testing and published a paper on the performance impact of using VM encryption. Performing encryption is mostly CPU intensive, as you have to do complicated math to encrypt data. The type of storage that I/O is written to plays a factor as well, but not in the way you would think. With conventional spinning disk there is actually less performance impact from encryption compared to faster disk types like SSDs and NVMe. The reason for this is that because data is written to disk faster the CPU has to work harder to keep up with the faster I/O throughput.

The configuration VMware tested with was running on Dell PowerEdge R720 servers with two 8-core CPUs, 128GB memory and with both Intel SSD (36K IOPS Write/75K IOPS Read) and Samsung NVMe (120K IOPS Write/750K IOPS Read) storage. Testing was done with Iometer using both sequential and random workloads. Below is a summary of the results:

  • 512KB sequential write results for SSD – little impact on storage throughput and latency, significant impact on CPU
  • 512KB sequential read results for SSD – little impact on storage throughput and latency, significant impact on CPU
  • 4KB random write results for SSD – little impact on storage throughput and latency, medium impact on CPU
  • 4KB random read results for SSD – little impact on storage throughput and latency, medium impact on CPU
  • 512KB sequential write results for NVMe – significant impact on storage throughput and latency, significant impact on CPU
  • 512KB sequential read results for NVMe – significant impact on storage throughput and latency, significant impact on CPU
  • 4KB random write results for NVMe – significant impact on storage throughput and latency, medium impact on CPU
  • 4KB random read results for NVMe – significant impact on storage throughput and latency, medium impact on CPU

As you can see, there isn’t much impact on SSD throughput and latency but with the more typical 4KB workloads the CPU overhead is moderate (30-40%) with slightly more overhead on reads compared to writes. With NVMe storage there is a lot of impact to storage throughput and latency overall (60-70%) with moderate impact to CPU overhead (50%) with 4KB random workloads. The results varied a little bit based on the number of workers (vCPUs) used.
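The capacity reasoning behind these results, as an added example that is not from the post or from VMware's paper: it takes the 4KB IOPS ratings quoted above and computes how many cores encryption needs to keep up with each device and where the CPU becomes the bottleneck. The 10 µs CPU cost per 4KB I/O and the one-core-per-worker simplification are assumptions chosen for illustration, so the output shows the trend, not the paper's measured percentages.

```python
import math

# 4KB IOPS ratings quoted in the post for the tested devices.
DEVICE_IOPS = {
    "SSD write": 36_000,
    "SSD read": 75_000,
    "NVMe write": 120_000,
    "NVMe read": 750_000,
}

# ASSUMPTION (constructed, not a measured figure): CPU time to encrypt
# or decrypt one 4KB I/O on one core, in microseconds.
CRYPTO_US_PER_IO = 10.0


def cores_needed(device_iops, crypto_us=CRYPTO_US_PER_IO):
    """CPU cores kept busy by encryption at the device's full I/O rate."""
    return device_iops * crypto_us / 1_000_000


def encrypted_iops(device_iops, workers, crypto_us=CRYPTO_US_PER_IO):
    """Achievable IOPS: the lower of the device limit and the CPU limit.

    ASSUMPTION: each worker (vCPU) contributes one core of crypto capacity.
    """
    cpu_limit = workers * 1_000_000 / crypto_us
    return min(device_iops, cpu_limit)


def throughput_loss_pct(device_iops, workers, crypto_us=CRYPTO_US_PER_IO):
    """Percentage of the device's rated IOPS lost to the CPU bottleneck."""
    achieved = encrypted_iops(device_iops, workers, crypto_us)
    return 100.0 * (1 - achieved / device_iops)


def workers_for_full_speed(device_iops, crypto_us=CRYPTO_US_PER_IO):
    """Smallest worker count at which the device is the bottleneck again."""
    return max(1, math.ceil(cores_needed(device_iops, crypto_us)))


if __name__ == "__main__":
    print(f"{'device':<11}{'cores':>6}{'loss@1':>8}{'loss@4':>8}{'workers':>8}")
    for name, iops in DEVICE_IOPS.items():
        print(f"{name:<11}{cores_needed(iops):>6.2f}"
              f"{throughput_loss_pct(iops, 1):>7.1f}%"
              f"{throughput_loss_pct(iops, 4):>7.1f}%"
              f"{workers_for_full_speed(iops):>8}")
```

Under the assumed cost the SSD stays device-bound with a single worker while still consuming a sizeable share of a core, whereas NVMe reads stay CPU-bound until eight workers are available.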

They also tested with VSAN using a hybrid configuration consisting of 1 SSD & 4 10K drives, below is a summary of those results:

  • 512KB sequential read results for vSAN – slight-small impact on storage throughput and latency, small-medium impact on CPU
  • 512KB sequential write results for vSAN – slight-small impact on storage throughput and latency, small-medium impact on CPU
  • 4KB sequential read results for vSAN – slight-small impact on storage throughput and latency, slight impact on CPU
  • 4KB sequential write results for vSAN – slight-small impact on storage throughput and latency, small-medium impact on CPU

The results with VSAN varied a bit based on the number of workers used, with fewer workers (1) there was only a slight impact, as you added more workers there was more impact to throughput, latency and CPU overhead. Overall though the impact was more reasonable at 10-20%.

Now your mileage will of course vary based on many factors such as your workload characteristics and hardware configurations, but overall the faster your storage, and the slower and fewer your CPUs, the more of a performance penalty you can expect to encounter. Also remember you don’t have to encrypt your entire environment and you can pick and choose which VMs you want to encrypt using storage policies so that should lessen the impact of encryption. If you have a need for encryption and the extra security it provides it’s just the price you pay, how you use it is up to you. With whole VMs being capable of slipping out of your data center over a wire or in someone’s pocket, encryption is invaluable protection for your sensitive data. Below are some resources for more information on VM encryption in vSphere 6.5:
