Part of a successfully
Cloud solution is it’s level of availability and reliability.
As you might
imagine, there are several layers on the solution where you need to put some
thought on about it, but, today I will cover only how to prevent from a Deny of
Service attack (DoS) on VMware vCloud Director from legitimate users, and with
legitimate I mean users with the privilege to log in and use your Cloud, not
about their intention.
What I will
discuss here might be more critical to Public Clouds but it will also apply to
Private Clouds.
Let’s start
with an example how someone could compromise your Cloud solution:
Imagine a
user that is going to deploy 50 VMs at once on their vApp.
It will
probably take some time, a lot of resources will be consumed and depending on your underlying
infrastructure it would fail.
Now,
imagine if you have others users at the same time trying to deploy new vApps as well, you figure
it out already, right ?!?!?
It could be
even worst, some intentionally bad user could create a script using the VMware vCloud APIs to create internal users (assuming it’s an Org Admin) and then each user
deploys dozens of VMs….. suddenly your
Cloud will be flood with requests and probably you will start facing DoS and
nobody else will be able to make use of your Cloud. Big problem….
Well,
VMware vCloud Director has a mechanism to prevent this kind of behavior. It’s
through limiting the amount of resource intensive operations a user and an
organization can perform simultaneously.
But what
are the resource intensive operations in VMware vCloud ?
- Add to My
Cloud
- Add to
Catalog
- Copy a VM
- Move a VM
Basically
everything related with provisioning and creation of new VMs.
You can set
up these limits during the creation of an Organization (by default it’s set as
unlimited), or you can set it later under the Org properties (Policies tab).
There are
just a few considerations you should take into account:
First, is to
understand the limits of your environment. How many intensive operations your
environment supports simultaneously ?
Amount of
organizations you will have, let’s say your environment can support 50
simultaneous operations and you have 5 Orgs, it wise to set them with a maximum
of 10 per Org.
Take into
account how many simultaneous users will be deploying VMs to determine the
maximum resource intensive operations per organization.
The maximum
resource intensive operations per user should not be smaller than the number of
VM’s you have on your biggest vApps, it’s because if your vApp contains 4 VMs
and your maximum operations is 3, you would not be able to deploy it
completely.
Lastly, if
someone tries to run an intensive operation when the maximum has been reached,
they will receive a message and will need to wait a little bit and try it again
later.
I hope this
helps to make your Cloud more available and reliable.