Thanks to certain business regulations, your customers might not have as much design flexibility as you (and they) originally thought when it comes to virtual machine failover.
Virtual machine failover -- the ability to fail over virtual workloads from one host to another -- is one of the greatest advantages of moving to virtualization. No matter which virtual platform you use, all of today's platforms include some mechanism for relocating a running, or recently failed, virtual machine (VM) to another host.
By relocating a VM, you can perform maintenance on the host without affecting VM operations. And a failed host doesn't disrupt operations for as long, because its VMs are quickly moved to surviving hosts.
Today, articles abound that tell you how to set up a cluster. With Microsoft Hyper-V, you'll be installing Windows failover clustering. With VMware vSphere, you'll configure High Availability (HA) and Distributed Resource Scheduler (DRS) settings.
For many of your customers, the technical requirements for enabling either Microsoft or VMware's technologies are relatively uncomplicated. A smart administrator with a few hours of time can set up a Windows cluster, HA or DRS on his own without too much trouble.
Therefore, being able to identify other areas where you can provide value to your customers is crucial.
First, it is important to recognize that some of today's business regulations haven't kept pace with changes in technology. For example, customers that take payment cards must follow business regulations in the Payment Card Industry Data Security Standard (PCI DSS). One commonly accepted version of this business regulation (v2.2.1) states that "a server should provide only one function." Taken at face value, customers might interpret this statement as meaning they must prevent virtual hosts from hosting more than one virtual workload. Helping your customers through their next virtual environment audit is a great way to demonstrate the value of your services.
One solution for getting around business regulations, especially those regarding sensitive data, is to use "islands of security." The islands approach suggests there should be a logical separation of sensitive data from the rest of the network. By segregating sensitive data into its own environment, solutions providers need only apply business regulations to that area, rather than to the customer's full environment.
Relating these business regulations to virtualization, there are a number of different approaches that use the island mindset. The first, and most obvious, is the creation of completely segregated virtual clusters for hosting sensitive data. These segregated clusters might only host a single VM per host. Yet, no matter what a cluster's technical configuration, segregation simplifies security assurance.
The problem with full segregation is its associated expense. While the largest of corporations might have plenty of resources, they aren't always your primary customer base. Other companies must make do with fewer resources.
Besides islands, another solution that partially solves the segregation problem is the consolidation of sensitive workloads with out-of-scope workloads into the same cluster. Today's virtual clustering technologies include built-in mechanisms for logically separating VMs onto specific hosts. With Hyper-V's Windows Failover Clustering, this separation is accomplished by setting preferred owners and possible owners for each VM in the Failover Cluster Management console. Using vSphere's HA or DRS, you'll want to create affinity rules that ensure VMs are never colocated.
Even though hybridizing security zones does add an element of risk, most auditing guidelines allow for documented processes to assure configurations remain correct. At the same time, hybridizing security zones enables you to move toward larger cluster sizes, which tend to better reassign resources in the event of a failure. Most business regulations have availability requirements as well. Larger-sized clusters are better capable of handling failures (even large-scale failures) than their smaller-sized brethren; therefore, it may be preferable to scale out rather than create too many segregated VM islands of security.
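The documented process mentioned above can be backed by a repeatable check. The following is an added example, not part of the original article: it audits an exported placement inventory from a hybrid cluster for in-scope VMs that could fail over outside their designated hosts, VMs running in the wrong zone, and VMs left with no valid failover target. The inventory layout, host names and VM names are assumptions constructed for illustration.

```python
# Constructed sample data: host and VM names are hypothetical.
# "possible" is the set of hosts a VM may run on or fail over to
# (Hyper-V possible owners, or the hosts vSphere rules leave open).
IN_SCOPE_HOSTS = {"hv01", "hv02"}  # hosts reserved for sensitive workloads

INVENTORY = [
    {"vm": "pay-db01", "in_scope": True, "host": "hv01",
     "possible": {"hv01", "hv02"}},
    {"vm": "pay-app01", "in_scope": True, "host": "hv02",
     "possible": {"hv01", "hv02", "hv03"}},
    {"vm": "pay-web01", "in_scope": True, "host": "hv01",
     "possible": {"hv01"}},
    {"vm": "intranet01", "in_scope": False, "host": "hv03",
     "possible": {"hv03", "hv04"}},
    {"vm": "print01", "in_scope": False, "host": "hv02",
     "possible": {"hv03", "hv04"}},
]


def audit_placement(inventory, in_scope_hosts):
    """Return (vm, finding, hosts) tuples for each separation or failover gap."""
    findings = []
    for rec in inventory:
        possible = set(rec["possible"])
        if rec["in_scope"]:
            # Sensitive VMs must stay on the designated hosts.
            stray = possible - in_scope_hosts
            misplaced = rec["host"] not in in_scope_hosts
        else:
            # Out-of-scope VMs must never land on the designated hosts.
            stray = possible & in_scope_hosts
            misplaced = rec["host"] in in_scope_hosts
        # Valid failover targets: allowed hosts other than the current one.
        targets = possible - stray - {rec["host"]}
        if stray:
            findings.append((rec["vm"], "failover-crosses-zone", sorted(stray)))
        if misplaced:
            findings.append((rec["vm"], "running-in-wrong-zone", [rec["host"]]))
        if not targets:
            findings.append((rec["vm"], "no-failover-target", []))
    return findings


if __name__ == "__main__":
    for vm, finding, hosts in audit_placement(INVENTORY, IN_SCOPE_HOSTS):
        print(f"{vm}: {finding} {', '.join(hosts)}")
```

Run against each inventory export, an empty result gives the auditor evidence that the separation still holds; any finding names the VM and hosts to correct.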
In the end, your customers' auditors and auditing requirements will vary. Finding the most cost-effective solution that meets their business needs is where you can provide the most value when assisting clients with business regulations and virtual machine failover.
About the author
Greg Shields, MVP, vExpert, is a partner with Concentrated Technology. Get more of Greg's tips and tricks at www.concentratedtech.com.