Just Another IT Blog

It's time to share some of my experiences, crazy ideas, tips and tricks !!!



Part of a successful Cloud solution is its level of availability and reliability.

As you might imagine, there are several layers of the solution that need some thought, but today I will cover only how to prevent a Denial of Service (DoS) attack on VMware vCloud Director from legitimate users. By legitimate I mean users with the privilege to log in and use your Cloud; it says nothing about their intentions.

What I will discuss here might be more critical to Public Clouds but it will also apply to Private Clouds.

Let’s start with an example of how someone could compromise your Cloud solution:

Imagine a user who is going to deploy 50 VMs at once in their vApp.
It will probably take some time, a lot of resources will be consumed, and depending on your underlying infrastructure it could fail.
Now imagine other users trying to deploy new vApps at the same time. You have figured it out already, right?

It could be even worse: an intentionally bad user could write a script using the VMware vCloud APIs to create internal users (assuming the user is an Org Admin), and then each user deploys dozens of VMs. Suddenly your Cloud will be flooded with requests, you will probably start facing a DoS, and nobody else will be able to use your Cloud. Big problem.

Well, VMware vCloud Director has a mechanism to prevent this kind of behavior: it limits the number of resource-intensive operations a user and an organization can perform simultaneously.

But what are the resource-intensive operations in VMware vCloud?
- Add to My Cloud
- Add to Catalog
- Copy a VM
- Move a VM

Basically everything related to provisioning and creating new VMs.

You can set up these limits during the creation of an Organization (by default it’s set as unlimited), or you can set it later under the Org properties (Policies tab).


There are just a few considerations you should take into account:

First, understand the limits of your environment. How many intensive operations does your environment support simultaneously?

Second, consider the number of organizations you will have. Let’s say your environment can support 50 simultaneous operations and you have 5 Orgs; it is wise to set each of them to a maximum of 10.

Take into account how many simultaneous users will be deploying VMs to determine the maximum resource-intensive operations per organization.

The maximum resource-intensive operations per user should not be smaller than the number of VMs in your biggest vApp. If your vApp contains 4 VMs and your maximum operations is 3, you would not be able to deploy it completely.

Lastly, if someone tries to run an intensive operation when the maximum has been reached, they will receive a message and will need to wait a little bit and try it again later.
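The considerations above can be turned into a small audit over an inventory of Org limits. This is an added example, not code from vCloud Director or its API: the field names, the sample Orgs, and the use of 0 to mean "unlimited" are all assumptions made for illustration.

```python
# Added example: audit per-Org limits on resource-intensive operations.
# The inventory is constructed; field names are hypothetical, not vCloud API names.
UNLIMITED = 0  # assumption: 0 stands for "unlimited" in this inventory


def even_split(capacity, n_orgs):
    """Starting point from the post: share capacity equally between Orgs."""
    return capacity // n_orgs


def audit_limits(capacity, orgs):
    """Return (org_name, finding) tuples for settings that allow a DoS or block deploys."""
    findings = []
    committed = 0  # sum of all finite per-Org limits
    for org in orgs:
        name, per_org, per_user = org["name"], org["per_org"], org["per_user"]
        if per_org == UNLIMITED:
            findings.append((name, "per-org limit is unlimited"))
        else:
            committed += per_org
        if per_user == UNLIMITED:
            findings.append((name, "per-user limit is unlimited"))
        elif per_user < org["largest_vapp_vms"]:
            # A vApp with more VMs than the per-user limit cannot deploy completely.
            findings.append((name, f"per-user limit {per_user} is below largest vApp "
                                   f"({org['largest_vapp_vms']} VMs)"))
    if committed > capacity:
        findings.append(("*", f"per-org limits total {committed}, capacity is {capacity}"))
    return findings


# Constructed sample: environment supports 50 simultaneous operations, 5 Orgs.
CAPACITY = 50
SAMPLE_ORGS = [
    {"name": "OrgA", "per_org": 10, "per_user": 4, "largest_vapp_vms": 4},
    {"name": "OrgB", "per_org": 0,  "per_user": 0, "largest_vapp_vms": 6},  # defaults
    {"name": "OrgC", "per_org": 10, "per_user": 3, "largest_vapp_vms": 4},
    {"name": "OrgD", "per_org": 25, "per_user": 5, "largest_vapp_vms": 5},
    {"name": "OrgE", "per_org": 10, "per_user": 5, "largest_vapp_vms": 2},
]

if __name__ == "__main__":
    print("suggested per-org limit:", even_split(CAPACITY, len(SAMPLE_ORGS)))
    for org_name, finding in audit_limits(CAPACITY, SAMPLE_ORGS):
        print(f"{org_name}: {finding}")
```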

I hope this helps to make your Cloud more available and reliable.
