The Value of Hybrid Applications, with VMware Cloud on AWS and Trend Micro
Traditional applications aren’t easy to own or easy to manage in the era of web-native technologies, because they are difficult to automate, and so they can’t scale cost-effectively in multi-cloud environments.
Applying a hybridized app technology for traditional applications enables scaling options that are more cost-effective than previously possible. Hybridized applications provide an enterprise with the ability to operate Infrastructure as a Service (IaaS) app deployment with a web-native, Platform as a Service (PaaS)-type automation. Unlike the PaaS alternatives, hybridized apps can leverage existing operations investment, without being locked into rigid and expensive proprietary PaaS architectures. This is possible because the hybrid cloud offers a common abstraction layer enabling a common API, both on-premises and within the public cloud.
Hybridized apps present IT with new levels of scale, agility, and better opportunity for security and compliance, leveraging technologies and skill sets already mastered for their virtual data centers.
The hybrid cloud is the combination of one or more on-premises private clouds, connected to public cloud infrastructure. This includes a unified view of resources and shared capacity, a common and connected network model, and one security policy framework for access and protection technologies. Ideally IT operates and manages the Hybrid Cloud with existing practices for data center virtualization – both on-premises and in the public cloud as one single data center.
The VMware Software Defined Data Center (SDDC) is a private cloud solution comprised of VMware vSphere, vSAN, and NSX to provide a hyperconverged infrastructure platform, along with vRealize Automation and vRealize Operations providing automation and operational tools for capacity planning and monitoring. This can be provided by VMware Cloud Foundation or by integration of the individual components usually with reference to the VMware Validated Design guides.
In the public cloud service providers are able to utilize tools like VMware vCloud Director to provide a VMware platform that allows multiple tenants to coexist in a security and resource isolated fashion. Service providers can also deploy VMware Cloud Foundation to provide a cloud with more compatibility with the on-premises SDDC.
VMware Cloud on AWS falls into this latter category, which enables application portability and visibility in which applications and their policy attributes, once deployed, can then be moved or scaled out from any data center to another – without modification. In contrast, cloud native applications built for a PaaS public cloud demand costly customizations, new development, and complete redeployment of the application in new and different locations. Hybridized apps deliver a transitional approach, leveraging the benefits of traditional applications on the hybrid cloud, with a path forward towards achieving efficiencies of scale, cost and operations enjoyed by cloud native apps. VMware Cloud on AWS for hybrid cloud is VMware SDDC (comprised of vSphere with vSAN and NSX with vRealize suite components for automation and operations) on-premises, with VMware Cloud on AWS, configured as a true hybrid cloud solution. VMware Cloud on AWS for hybrid cloud fully supports today’s applications, with enablement for managed transition of enterprise software for hybridized apps and containers.
VMware SDDC plus VMware Cloud on AWS for hybrid cloud, enable an enterprise to scale IT operations at a lower cost-curve than non-compatible multi-cloud environments with non-interoperable platform APIs. In addition, the enterprise that also deploys hybridized apps, rather than traditional applications on VMware Cloud on AWS, can achieve lower costs as they scale, as the result of lower incremental costs made possible by the public cloud, and agility, security and compliance provided by hybridized apps through increased automation that leverages investments in existing data center operations and tooling.
In a hybrid cloud, transparent security operations across hosting infrastructure and locations require that the on-premises solutions used by the enterprise today for their virtual data centers are available for hybridized apps. Uniformity in security controls, policy enforcement, and operations reduce the opportunity for misalignment of cloud-security, as they reduce the complexity of overall security posture. IT administrators and SecOps managers of hybridized apps maintain single pane-of-glass visibility of all workloads ensuring that data protection controls, policies, and attributes are consistently enforced, regardless of where the workload resides.
The applications that are used by IT to enforce security on the infrastructure can be hybridized, too. A hybridized data protection app could be deployed by automated policy into any one of the enterprise’s data centers – on-premises or public cloud. The IT administrator can then use the same central management console used to manage the hybrid cloud, for management of the now hybridized data protection application. This app can use native public cloud services, such as storage from AWS S3, and since it is hybridized, the data protection attributes follow the protected application VMs. These protection attributes are assigned and removed automatically as new application VMs are brought online, retired, or as the application VM moves across horizons within the hybrid cloud.
Packaging and Provisioning
Hybridization leverages the capabilities of the hybrid cloud to extend the best operations benefits of cloud-native applications to the virtual data center, with its established technologies and practices realizing new levels of IT scale, agility, security, and compliance with minimal impact to the enterprise organization and its users. Building cloud-native applications typically requires a complete re-architecture of traditional applications. Cloud-hosting of traditional applications as an alternative involves a separate, re-deployment of the application on a different location and hosting platform with alternative tools and technologies for secure and compliant operation. Hybridization offers an improved and enhanced approach for the cloud-enablement of established traditional application catalogs. Complex technology transitions for defining applications and services, with their respective VM and container formats are experienced as gradual transitions versus massive uplift projects. Virtual packaging from the traditional application remains unchanged, as OVF, Hyper V VM Template or Service Template, etc.
Hybridizing a Traditional App
Trend Micro Deep Security is both an application deployed in the virtual data center and set of infrastructure security services, with policy management for other applications in the VDC. Deep Security is a good example of a VMware partner ISV solution, on the journey to hybridizing their application. Trend Micro explored the topic of hybridizing an application as a means to modifying a traditional app to make use of capabilities found in the hybrid cloud. Hybridized apps are a way to transfer the “heavy lifting” of cloud-readiness onto infrastructure support by the hybrid cloud vendor rather than architecture adaptation from the ISV developer or enterprise IT.
Figure 1. Five steps to hybridization
In this case, the five steps to hybridization as shown in Figure 1 that an ISV can use to hybridize a traditional app, whether the app is offered as a software package or a as a service – PaaS or SaaS, are as follows:
- Simplify management
- Eliminate agents
- Implement seamless policy
- Make composite app
- Ease deployment
The first step to hybridize a traditional app is simplifying management. Instead of separate management consoles to manage each hosting platform for the application, there is one management console to manage all of the app instances across platform horizons. This management console can be accessed from the single pane-of-glass that the customer uses to manage the hybrid cloud such as VMware vCenter Server or VMware vRealize Operations in VMware Cloud on AWS. Trend Micro’s Deep Security has done this with their Deep Security Manager. It allows customers to have a single pane-of-glass to view workloads regardless of whether they are running on-premises or in a public cloud instance including native implementations for AWS and Microsoft Azure. A single Deep Security Manager provides visibility across the entire data center infrastructure, providing simplified visibility and management capability.
The second step is to eliminate agents. A traditional application may rely on its own agents hosted on each VM to gather information and implement policy. The result is complexity in application configuration and deployment, creating a management headache and security problem for IT administrators and security managers, dealing with different agents from applications deployed across thousands of VMs. A hybridized app does not rely on its own agent, but rather collects needed information from APIs provided by the hybrid cloud, such as EPSEC (the VMware NSX API for Endpoint Security) and NetX (the NSX API for Network Introspection) in VMware Cloud on AWS. This is more efficient in resource usage on the physical hosts, as well as being less to manage and more transparent to the operating system and other applications on the VMs. Today, Trend Micro’s Deep Security requires an agent to be installed on each VM being protected. However, on-premises Deep Security can protect VMs running in VMware vSphere with VMware NSX in an agentless way, the VMware partner roadmap includes the same APIs becoming available in VMware Cloud on AWS. Trend Micro is working in close partnership with VMware so that Deep Security is fully hybridized to protect workloads using native cloud APIs available through VMware Cloud on AWS, and removing the need for agents in favor of a service-based protection for other application VMs and containers across the hybrid cloud.
The third step is to implement hybridized app VMs with seamless policy attributes. With traditional apps, once an IT administrator moves a VM from on-premises to public cloud, it’s necessary to re-implement the policies for that application VM on every new platform instance of the traditional app. With hybridized apps, the policy attributes follow the application’s VM, so when an app moves from on-premises to cloud or vice versa, the IT administrator doesn’t need to budget for configuration and additional testing. Trend Micro Deep Security ensures that once you apply a security policy to an application workload, the same security policy enforcement follows that hybridized app VM regardless of where it is running and regardless of agentless or agented configuration. The same policies can be applied to on-premises and cloud workloads, providing a unified view and security profile across all of your hybridized apps.
The fourth step is to make our hybridized app a “composite app” while adhering to the enterprise’s compliance policies. Traditional apps have largely been developed and packaged as monolithic silos with the ISV developing all of the functionality for their application and presented in various stand-alone formats like OVF, AMI, PL/SQL, etc. Hybridized apps break this monolithic limitation and leverage services provided by cloud-native services via APIs present in the hosted infrastructure and by other hybridized apps, deployed as services by the enterprise. Trend Micro’s Deep Security is already available in many form factors that include software downloads, marketplace offerings, and hosted services. Looking to roadmaps of near-future capability, Trend Micro and VMware envision a Deep Security offering as several micro-services, with complete portability and full integration with other third-party services.
The last step is to make our application easy to deploy, with uniform operation procedures across all the data centers comprising the enterprise’s hybrid cloud. Again, with traditional apps, the customer has to get the software from the ISV, customize differing machine and container packages for their target platforms, then deploy to their data centers manually with environment specific tools. With hybridized apps similar to cloud-native applications – the enterprise user selects an app from the catalog from a central repository or marketplace, choses the target data center in their hybrid cloud, and the software is placed by platform automation. Suitable for this demand-based deployment and provisioning, Trend Micro’s Deep Security Manager is available as a software package, a Marketplace AMI in both AWS and Azure, and as a hosted service. Each of these options give deployment flexibility to an organization allowing them choice as to how to best deploy Deep Security for continuous compliance operation and security enforcement. All of these delivery options offer the same, unified visibility across on-premises and cloud-hosted instances – with uniform protection to all application VM workloads, regardless of where they are physically located.
Figure 2. Stages of hybridized applications
Trend Micro is one of the several VMware technology partner ISVs leading the industry in hybridizing apps for the new enterprise data center. Many traditional apps are at different stages of hybridization, with VMware data protection partners, security partners such as Trend Micro, and application delivery partners, all establishing new standards for continuous hybrid-cloud services with VMware.
VMware and our partner ISVs are committed to giving customers the freedom to choose what is best for their business, with the best technology available. This is the genesis for having envisioned hybridized applications. The hybrid cloud can enable enterprises to scale IT operations more cost effectively, with reduced operations complexity and consistent reporting standards, than can offerings across multiple cloud models. By deploying hybridized apps on top of hybrid clouds, the enterprise can benefit from economies gained from the automation provided in the entire operations lifecycle for management, security, compliance, and deployment with significant improvements in business and technical agility. Any application deployed as a virtual machine package can be hybridized, offering VMware partner ISVs rapid access to the benefits of hybridization. Trend Micro’s Deep Security is already leading on the road to achieving the hybridized app model and continues advancing with VMware towards a larger vision of the fully hybridized application.
~Simon Hamilton Wilkes, NSX Partner Solution Technical Architect