VMware on AWS My Thoughts

As VMworld 2017 has just finished I have been giving VMware on AWS some thought.  Lots of questions have been running through my head, so I thought I would try and transcribe some here.

What Is It?

It’s a minimum of four vSphere hosts running VMware’s SDDC (ESXi, NSX and vSAN), dedicated to a single customer.  VMware manage the availability, patching and maintenance whilst the customer consumes the resources.

Each ESXi host provides 36 CPU cores, 512GB RAM and 8 NVMe drives.  Some of this capacity is dedicated to management items such as the vCenter and NSX VMs, so the overall usable resources will be less.

Why Would I Use It?

This is a question I have been pondering; my initial thoughts are:

  • A customer’s infrastructure lifecycle is at the point of refresh and they are moving to an ‘opex model’
  • A customer needs to exit a datacentre quickly and this could be one of a number of options
  • A customer is deploying a remote office and doesn’t want to invest in on-premises infrastructure for their VM estate
  • Target for disaster recovery to reduce on-premises secondary datacentre footprint (not sure if SRM is supported yet)

Even though I’m not convinced by this one, a potential candidate for a use case is to extend your on-premises operational model to AWS.

Another one which I’m not convinced by is reducing your on-premises operational costs by having someone else manage maintenance by patching your storage, ESXi hosts and vCenter.  Are companies really going to make Dave redundant? Nope, they are just going to get Dave doing something different for that one day a month (or Dave gets to chill out).

Would I Recommend It?

The concise answer is potentially.  The customers that I work with are reviewing their application estate and looking to either keep, kill, consolidate or transform them.

  • The keep category often falls into the ‘too difficult to tackle’ basket, or the organisation has only just invested in a new application or release
  • Kill generally means that the application will be ‘withered on the vine’
  • Consolidate generally means a number of applications will be collapsed into a single master
  • Transform usually means moving from on-premises to a SaaS-type offering, for example Exchange on-premises to Office 365 Exchange Online

Out of these, which are the use cases for VMware on AWS?  The answer is simple: anything heritage, i.e. virtual machines, as PaaS and SaaS workloads will go somewhere else.

Infrastructure applications such as Active Directory Domain Services, Certificate Services, File, Print and SQL are either highly available natively or can be designed and deployed on IaaS in a highly available fashion, and as such aren’t great candidates for VMware on AWS.

What’s The Cost?

The monthly cost of a one-year reserved ESXi host (30% discount) is $4,332.00; we need four, which makes the monthly cost roughly $17,328.00, circa £13,500 per month or £162,000 per year for compute and storage.  Note that network charges and operating system licences are not included.

Using the same 30% discount level on Microsoft Azure you could run:

  • 268 x A2 v2 VM continuously for 12 months
  • 143 x D2 v2 VM continuously for 12 months

Taking into account that a single ESXi host is reserved to tolerate failures, we have 1,536GB of RAM; minus circa 10% for the management cluster and general overhead, that gives circa 1,382GB of usable RAM.

Using the same RAM metrics as the above Azure VMs you could run the equivalent of:

  • 346 x A2 VMs using VMware on AWS
  • 197 x D2 VMs using VMware on AWS

Final Thought

Generally I’m seeing customers moving to a PaaS or SaaS offering for low hanging fruit and then dealing with the more complex applications on a case by case basis with a view to transforming these into a PaaS or SaaS model.

If customers are migrating 100-plus heritage VMs to a cloud platform and they cannot be re-architected to be natively highly available, or have an SLA that simple backup and restore routines will not cater for, then VMware on AWS is a viable option.

I do see that VMware on AWS has a place in the market; however, that place is heritage systems, and I wonder how long it will be until the earnings from VMware on AWS start to dwindle.

Azure Updates – Enhancement Summary April 2017 to July 2017

Over the past three months, I have been leading a delivery engagement which has meant that I’m not as up to speed as I perhaps should have been on the latest enhancements to Microsoft Azure.

With this in mind, I thought I would share with you the feature enhancements over the past few months that have had the biggest impact on the customers I work with.

Azure Service Health (Preview)

Planned and unplanned maintenance events are always a hot topic when educating customers on the use of cloud for IaaS as it’s a paradigm shift from the on-premises operating model.

Rather than having an email letting you know that West Europe is going to be patched in the future or checking the Azure Status URL, Microsoft have rolled this up into Service Health.

In a nutshell, this lets you know which ongoing issues in Azure services are impacting your resources and provides you with a PDF summary of the issue for problem management.

Read more here.

Azure VM Configuration Changes (Private Preview)

Let’s face it, a significant proportion of operational outages are caused by people making changes without following the correct internal procedures.  To address this, Microsoft have introduced Azure VM Configuration Changes, which can track all Windows services, Linux daemons and software by default.

Azure VM Configuration Changes also allows you to view changes in the last 30 minutes, hour, six hours, 7 days or 30 days so you can pinpoint when changes occurred to the VM.

See more here.

Azure Large Disks

One of the challenges around IaaS VMs was trying to fit existing file structures into or across multiple 1TB hard drives.  This caused a few challenges for customers who had to rework GPOs or migrate data to enable the use of file services within Azure.

Another significant challenge was using Azure Site Recovery to protect a VM with a hard drive larger than 1TB.  To address both of these issues Microsoft have launched 4TB disks for Azure IaaS VMs.

See more here and here.

Azure Application Gateway

Security is always a hot topic when it comes to cloud, and Microsoft has fixed the gap it had between DNS-based global site load balancing using Traffic Manager and the Azure Load Balancer, which works at Layer 4 (TCP/UDP).

Azure Application Gateway acts as a Web Application Firewall to protect against common web attacks such as SQL injection, cross-site scripting and session hijacking.

Read more here.

Faster Azure VPN Gateway

When customers embark on their cloud journey, it normally starts with a Site to Site VPN whilst ExpressRoute is put in place.  A previous limiting factor with Site to Site VPNs was the bandwidth limit and SLA.

Microsoft have resolved this by introducing a new series of VPN gateways, appropriately titled VpnGw1, VpnGw2 and VpnGw3, which provide an SLA of 99.95% with up to 1.25Gbps throughput at the same cost as the previous gateways.

Read more here.


Azure Network Watcher

This is a guest blog post by one of my Cisco CCIE colleagues Adam Stuart on his view of Azure Network Watcher.

What is it?

Azure Network Watcher is a feature within Microsoft Azure to make consumption of network data/troubleshooting easier.

How much does it cost?

Free until August 1st.


  • 5GB free network logs p/m, with small overcharge for extra GB
  • 1000 checks p/m, small overcharge per extra 1000 checks

Plus storage costs for log retention.

What Does It Do?

  • Monitoring Topology – Shows a very basic network topology diagram, no further drill down is possible.  Not exactly useful but better than nothing.

Topology v0.1

  • Diagnostics – IP Flow Verify, simple packet trace function to test if a source/destination is allowed via a NSG policy.  Equivalent of packet trace in Cisco land.  Quite useful if you have lots of NSGs.  Overall a good sanity check.

IP Flow Verify

  • Diagnostics – Next Hop, simple utility to verify next hop as per effective routing table.  This would be useful for a customer using Network Virtual Appliance (NVA) Firewalls and complex UDR.  It provides insight into the Azure routing service which is otherwise tricky to obtain.

Next Hop

  • Diagnostics – Provides details of NVA specific to network interface of VM.  Not useful unless you have overlapping NSG on a NIC and subnet and wanted to see the result of an aggregate policy
  • Diagnostics – Packet Capture, this is essentially an easier way to run tcpdump and get pcap files from virtual machines. Note, you need to install a VM extension* to get this to work see here.
  • Logs – NSG Flow Logs, the equivalent of checking Access-list log on a normal firewall. This is the primary function that most customers will be after. To answer the question “is the firewall blocking it?” Enabled on a per NSG basis, logs to a container in blob storage, which you export as JSON format.  This is probably quite powerful, but the default output is not very accessible. JSON format logs require another parser to provide any real value.
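The guest post above notes that NSG flow logs land in blob storage as JSON and need a parser before they answer “is the firewall blocking it?”. The following is an added example, not code from the original post or from Microsoft: a small Python parser for the flow log record layout (the `records` / `properties.flows` / `flowTuples` nesting and the comma-separated tuple of timestamp, source, destination, ports, protocol, direction and decision, as I understand the version 1 schema) that summarises denied inbound flows by rule and destination port. The `SAMPLE_LOG` record, its resource ID and IP addresses are constructed for illustration; any extra tuple fields beyond the first eight are ignored so newer records still parse.

```python
import json
from collections import Counter
from dataclasses import dataclass

# Single-letter codes used inside each flow tuple (version 1 layout, as assumed here).
PROTOCOLS = {"T": "TCP", "U": "UDP"}
DIRECTIONS = {"I": "inbound", "O": "outbound"}
DECISIONS = {"A": "allow", "D": "deny"}


@dataclass(frozen=True)
class Flow:
    rule: str        # NSG rule that matched, e.g. DefaultRule_DenyAllInBound
    mac: str         # MAC of the NIC the NSG was evaluated on
    timestamp: int   # Unix epoch seconds
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    direction: str
    decision: str


def parse_flow_tuple(rule, mac, tup):
    """Split one 'ts,src,dst,sport,dport,proto,dir,decision[,...]' tuple into a Flow."""
    fields = tup.split(",")
    if len(fields) < 8:
        raise ValueError(f"malformed flow tuple: {tup!r}")
    ts, src, dst, sport, dport, proto, direction, decision = fields[:8]
    return Flow(rule, mac, int(ts), src, dst, int(sport), int(dport),
                PROTOCOLS.get(proto, proto),
                DIRECTIONS.get(direction, direction),
                DECISIONS.get(decision, decision))


def parse_flow_log(text):
    """Flatten every flow tuple in a flow log JSON document into a list of Flow objects."""
    flows = []
    for record in json.loads(text).get("records", []):
        if record.get("category") != "NetworkSecurityGroupFlowEvent":
            continue  # ignore any other diagnostic categories sharing the container
        for rule_block in record["properties"]["flows"]:
            rule = rule_block["rule"]
            for nic in rule_block["flows"]:
                mac = nic.get("mac", "")
                for tup in nic["flowTuples"]:
                    flows.append(parse_flow_tuple(rule, mac, tup))
    return flows


def denied_inbound_by_rule_and_port(flows):
    """Count denied inbound flows per (rule, protocol, destination port): the firewall's 'hit' view."""
    return Counter((f.rule, f.protocol, f.dst_port)
                   for f in flows if f.decision == "deny" and f.direction == "inbound")


def was_blocked(flows, src_ip, dst_ip, dst_port):
    """Answer 'is the firewall blocking it?' for one source/destination/port combination."""
    return [f for f in flows
            if f.src_ip == src_ip and f.dst_ip == dst_ip
            and f.dst_port == dst_port and f.decision == "deny"]


# Constructed sample record: one NSG, one NIC, three denied inbound probes and one allowed HTTPS flow.
SAMPLE_LOG = json.dumps({"records": [{
    "time": "2017-07-01T10:00:00.0000000Z",
    "systemId": "00000000-0000-0000-0000-000000000000",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/PLACEHOLDER-SUB/RESOURCEGROUPS/RG-EXAMPLE/PROVIDERS/"
                  "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-WEB",
    "operationName": "NetworkSecurityGroupFlowEvents",
    "properties": {"Version": 1, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1498903200,198.51.100.23,10.0.1.4,51234,3389,T,I,D",
            "1498903205,198.51.100.23,10.0.1.4,51235,3389,T,I,D",
            "1498903210,203.0.113.7,10.0.1.4,40000,22,T,I,D"]}]},
        {"rule": "UserRule_allow-https", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1498903212,192.0.2.50,10.0.1.4,44321,443,T,I,A"]}]},
    ]}}]})


if __name__ == "__main__":
    flows = parse_flow_log(SAMPLE_LOG)
    for (rule, proto, port), n in denied_inbound_by_rule_and_port(flows).most_common():
        print(f"{rule:30} {proto}/{port:<5} denied {n} time(s)")
    print("22/tcp from 203.0.113.7 blocked:", bool(was_blocked(flows, "203.0.113.7", "10.0.1.4", 22)))
```

Point the parser at the JSON blobs downloaded from the flow log container and the `denied_inbound_by_rule_and_port` summary gives the same quick answer a firewall access-list log would; `was_blocked` is the single-tuple check to run when a user reports that a connection is failing.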

Why I’m Pleased I Failed The VCDX

Before I start this blog post, I want to mention that I am of sound mind and that all my faculties are functioning.  With that cleared up, I want to start with some context.

Throughout my IT career, I have always built my knowledge based on what I believe is credible within the marketplace.  This hasn’t ever been from a technical perspective, rather a business point of view.  Don’t get me wrong, technology can be cool, but being cool without a use case means you won’t have a very long shelf life.

The pace of change within IT is significant; to stay up to date and relevant requires dedication, discipline and, perhaps most important of all, time.  Time away from family and friends locked away in a quiet room reading, watching online courses and spending hours building environments in your home lab.  With this in mind, when I focus on studying technology, I want to use my time efficiently on what I believe will yield the highest reward for the least investment.

It was back in 2014 when I defended the VCDX-DCV unsuccessfully; you can read about the effort to prepare in ‘VCDX Submission – By The Numbers‘ and what went wrong in the post ‘VCDX – What Went Wrong?‘  This may sound counter-intuitive, but the path to defending the VCDX is a journey that I would recommend anyone to take, as it pushes you to the next level in terms of understanding business requirements and translating those into a technical solution. It sharpens your technical knowledge and hones your written and presentation skills, enabling you to quickly dissect and disseminate relevant information from customer meetings/workshops into proposals, high-level and low-level designs.

So why am I pleased that I failed the VCDX, if I enjoyed and would recommend the journey?  A number of reasons which I have highlighted below.

Market Demand

The requirement for traditional virtualisation skills is shrinking; customers are upgrading and expanding their clusters without needing to engage third-party companies.  They are used to maintaining interoperability matrices between vSphere components and have performed numerous in-place upgrades on their existing hardware.

At the point of infrastructure lifecycle refreshes, customers are often looking to consolidate and to achieve a greater return on investment.  The advent of hyper-converged technologies to simplify the ‘hardware stack’ along with ongoing maintenance is something which makes sense both operationally and financially.

A customer might require some assistance to migrate to the target platform, but once they are consuming it, where does the next requirement come from?

Pigeon Hole

If I had passed the VCDX, I believe that I would have been labelled ‘the virtualisation guy’.  From your employer’s perspective, having invested in your VCDX journey, they will want to use your skillset and ‘tout’ your expertise in RFP responses, proposals and in front of customers to gain an ROI from their investment.

For some, I’m sure this makes perfect sense and they would relish being the ‘virtualisation guy’.  However I prefer being the ‘guy’ who makes things happen and can lead a project across every technology area rather than being an SME.

I believe that being ‘pigeon holed’ would have reduced my career opportunities and earning potential and I wouldn’t have been in the position I am today.


When you have invested time and effort in obtaining an elite certification it is natural to want to keep it up to date.  This then leads to the treadmill effect, renewing your certification by passing the ‘Advanced’ level exam every two years to maintain your ‘VCDX’ certificate.

I would have felt obliged to stay on this treadmill which would have meant continuing to focus on traditional virtualisation to maintain top percentile skill levels.

Perhaps this is unique to me, but after spending such a large amount of time learning the intricacies of ESXi, vCenter, SRM and vROPS, I had become an SME but I was completely unenthused by vSphere.  I wasn’t able to summon the excitement or passion to continue learning; I needed something fresh to focus on.


Over the past three years since I failed the VCDX, the customer landscape has changed.  Clients want to leverage the public cloud to enable them to expand their datacentre footprint around the globe without the cost of standing up their own environments.  They want to utilise IaaS, PaaS and SaaS technologies such as Office 365 to reduce the burden of maintaining hardware and infrastructure related items which bring little to no value to the business.  Customers are seeking alternatives to costly areas such as DR where they can leverage the public cloud to reduce their on-premises DR footprint whilst maintaining the same service levels.

The opportunities that I see from customers no longer have traditional virtualisation as the main piece of their requirements, it is now a small subsection of a transformation programme.


I used to believe in VMware as a business; the technology and innovation they used to drive was second to none.  However, I feel that they are struggling to stay relevant and have lost their way.  In the core virtualisation space, the feedback from customers is that ESXi is expensive and on the next infrastructure lifecycle refresh they will be investigating reducing their ESXi estate or replacing it entirely.

VMware tried hard with vCloud Air, but basic offerings such as DRaaS fell short (see the blog post ‘vCloud Air DRaaS – The Good, Bad & Ugly’), leading to customers seeking alternatives.  It was without great surprise that VMware decided they couldn’t compete with the likes of AWS and Azure and so have partnered with AWS in a bid to maintain relevance and market share.  This alone speaks volumes.  I believe this also links into vRA: how long until businesses decide they no longer want to manage and maintain their bespoke workflows and seek to leverage SaaS or PaaS offerings?

I do however believe that VMware got Horizon View right and that it is a viable alternative to Citrix in the VDI and application publishing market.  Again though, I’m not sure for how long, as recent customer demand has leaned towards leveraging the public cloud to create global ‘VDI’ pods (which I have designed and delivered using Citrix on Microsoft Azure).  Unless VMware have a suitable answer to this I can see Horizon View sales dwindling.

The announcement of VMware on AWS did spark my interest, but I’m not entirely convinced this will be a game changer.  I will put together some thoughts on this in another blog post, as I’m really struggling to see the benefits apart from ‘legacy systems’, which could be the market share that VMware is after.  Again though, I’m sure that Storage Spaces Direct will soon become a PaaS offering on Microsoft Azure, giving you the ability to run ‘legacy systems’ on public cloud.

Final Thought

For me, the journey to VCDX, and also failing it, has been enlightening.  I was a fairly new starter with my employer when I embarked on the elite certification; this provided early visibility of my capabilities, which enabled me to work on some great customer engagements.  Perhaps more important was the failure of the VCDX, which meant that I wasn’t ‘pigeon holed’ but was seen as a person who makes things happen, which led to the opportunity to work with customers across multiple technologies, transforming them to utilise both on-premises and public cloud.

This may sound like it comes from a place of unicorns and rainbows, but I get out of bed every day and look forward to work; this isn’t only due to my awesome colleagues but the sheer breadth and depth of the customer solutions I’m trusted to lead.  I thank my VCDX failure as the pivotal point in being able to achieve this.

Azure Updates – Summary of 2017 Enhancements

When you shift your focus from on-premises architecture to cloud-based services, you notice that the velocity of updates and new features is relentless.  To give you an idea, over the last 12 months Microsoft have released over 500 updates on the Azure platform; some of these are feature enhancements, betas, public previews and new services.

Microsoft Azure is a moving target; keeping up to date with enhancements is a full-time job!

With this in mind, I thought I would share with you the feature enhancements over the past few months that have had the biggest impact on the customers I work with.

Azure DevTest Labs – Ability to set an expiry date on virtual machines

We all know that development environments should only be up and running for a short amount of time to facilitate an application enhancement or initiative.  However, in reality, the virtual machines which were only meant to be temporary end up being on all the time, with everyone afraid to power them off ‘just in case something bad happens’.

With Azure DevTest Labs we can now harness the inbuilt functionality to set expiry dates on virtual machines.  Sounds trivial, but what a great feature addition to manage the compute resources around a VM lifecycle.

Read more here.

Azure Automation – Start/Stop VMs (Preview)

We are used to having our on-premises VMs running 24×7 because we have already invested in the compute and storage infrastructure, so what is the real use case for shutting them down?  Instead we sweat our assets for the three to five year hardware lifecycle and rinse and repeat.

Taking the same architecture principles to a cloud-based platform increases costs.  Why not get smart and reduce your consumption costs by running applications only when users access them?  If HR only work Mon-Fri 9-5 and access Sage during this time frame, then why not power on the VM at 8am and shut it down at 6pm?  This would reduce your Azure consumption costs by 58% over a 12-month period.

Read more here.

Azure Managed Disks

When running virtual machines in Azure it’s not just a simple case of creating a storage account; factors such as the number of virtual machines per storage account, their IOPS requirements and the impact of backups need to be taken into consideration.

These manual considerations are largely removed by using Azure Managed Disks, where Azure handles the storage account in the back end, reducing your management overhead.

With the general availability release, Azure Managed Disks integrate with Azure Backup and also Azure Disk Encryption.

Read more here.

Automated Backup for SQL Server 2014 and 2016 Virtual Machines

It can be common for enterprises to back up SQL Server databases outside of the general backup schedule applied to other applications.  With the release of Automated Backup for SQL Server 2014 and 2016 Virtual Machines, this can be automated for you at the creation of the VM.

With a daily backup and a retention period of 30 days, this adds another layer of protection to your backup routine.

Read more here and here.

Azure Backup Instant File Recovery (Preview)

Azure Backup has always done a job, but backing up at VM level has had its disadvantages, namely having to restore an entire VM to an alternate location to get back a single file or folder.

Azure Backup Instant File Recovery creates a writable mount point, attached via an iSCSI target to the VM you want to restore data to.  This simplifies the process and reduces management overhead.

Read more here.

Azure Security Center Enhancements (Preview)

The Azure Cyber Security team have announced a number of new enhancements which are in preview.  The most notable ones are:

  • Application White Listing – Allow only authorised executables to run within the virtual machine, with Azure Security Center discovering and recommending whitelisting policies
  • Just in Time Network Access to VMs – Reduce your attack surface by only allowing access to common management ports when required

By simply deploying the above two changes, I can see a benefit for most organisations to enhance their security footprint.

Read more here.