A Technical Guide to running VMware based applications in Google Cloud
Contents

Introducing Google Cloud VMware Engine
Architecture overview
Networking
Leverage innovative tools by VMware, Google, and trusted third-parties
Continuous monitoring while you focus on what matters
Updates and upgrades
Secured by design
Protecting critical data
Take the next step


Executive summary

Moving your VMware based applications to the cloud is often a complex and costly process. IT has to grapple with re-architecting applications, changes to networking and tools, and in many cases, app modification for those that are not able to run in the cloud.

Google Cloud VMware Engine simplifies cloud migration and frees IT from the operational overhead of managing physical infrastructure, helping reduce the operational burden and costs of migrating and managing VMware applications. By migrating your VMware applications to Google Cloud, you can continue to leverage your existing investments in VMware, utilize the same tools, processes, and policies, while increasing business agility, security and availability.

This paper provides deeper insights into how VMware Engine facilitates
migrating your applications to Google Cloud and helps you understand
the impact on networking, security, monitoring, and maintenance.


Introducing Google Cloud VMware Engine

Google Cloud VMware Engine is a fully managed VMware-as-a-Service product that enables businesses running on-premises VMware workloads to seamlessly migrate to Google Cloud without needing to re-architect or refactor their applications. Your VMware environment – including its components vSphere, vCenter, vSAN, NSX-T, and corresponding tools – continues to run natively in a dedicated and private, software-defined data center stack on Google Cloud’s bare metal infrastructure located in Google Cloud data centers. Essentially, you get to leverage your existing VMware investments, tools, processes, and skills to maintain operational continuity, while avoiding data center management, hardware refreshes, and procurement cycles. VMware Engine is sold and supported by Google and is VMware ‘Cloud Verified’.

Because VMware Engine is 100% compatible with your VMware workloads, many of your typical applications can be migrated without change or having to use a new application in the cloud. Common workloads include Virtual Desktop Infrastructure (VDI) to enable employees to work from anywhere, and moving DR and Backup targets to the cloud to reduce TCO. In addition to the ease of migration, you can also benefit from bringing your existing data to Google Cloud and leveraging high speed access to native Google Cloud Services such as AI, ML, Anthos and BigQuery.

This paper provides a technical overview of VMware Engine, covering key features and capabilities, in addition to highlighting areas of consideration before you take positive steps towards modernizing your IT infrastructure.

Architecture overview

VMware Engine provides a dedicated private cloud, composed of a hyperconverged compute, storage, and networking stack deployed on Google Cloud infrastructure in various Google Cloud locations worldwide.

Each private cloud contains one instance of the vCenter Server, which manages multiple ESXi nodes contained in one or more vSphere Clusters, along with the corresponding Virtual SAN (vSAN) storage. VMware Engine is sold by the node, with the minimum configuration of three nodes up to a maximum of 64 nodes per private cloud and you can create any number of private clouds.

By running your workloads on a native VMware environment running in a dedicated VMware software stack on Google Cloud, you can migrate and run any of your on-premise virtualized workloads in Google Cloud with no changes. You use the same VMware tools you are already familiar with – including vSphere, vCenter, vROPS and vMotion, for example. All the VMware licenses needed to run the service are included: ESXi, vCenter, vSAN, NSX-T, and HCX.

Each node consists of all the compute, memory, and storage you need. The initial node configuration is:

• CPU: Intel Xeon Gold 6240 (Cascade Lake), 2.6 GHz (x2), 36 Cores, 72 Hyper-Threads
• Storage: 2 × 1.6 TB (3.2 TB) NVMe (Cache), 6 × 3.2 TB (19.2 TB) NVMe (Data)
• Hyperconverged design using vSAN

The all-flash NVMe-based storage can support the speed and performance required for demanding workloads, such as Oracle, SQL Server, SharePoint, Microsoft Exchange Server, and VDI running on VMware. VMware Engine also has the ability to reduce the core count in the nodes to align with licensing restrictions of third party software.


Customers have various service options for storage targets, including:

• Local storage on the hyper-converged platform (vSAN): It offers low-cost storage due to compression and dedupe abilities of vSAN (dependent on data redundancy) while providing single location high availability.
• Multiple storage options (e.g. Elastifile Cloud Files, NetApp Cloud Volumes): These are good for primary or secondary (backup) storage due to single location availability and lower costs.
• Google Cloud Storage: This is best for secondary storage, image files, ISOs, and so forth. It can offer the lowest cost and largest variety of storage options across multiple regions.


Networking

Networking is a key feature of the service, providing high speed, secure access to your applications as well as securing all traffic between your applications and Google Cloud Services. You can provision NSX-T network overlays (and their subnets), create firewall tables, and assign public IP addresses that map to a virtual machine running in your private cloud.

Google supports the following connectivity options to connect to your VMware Engine region
network, multiple of which can be used at the same time:

• Direct Interconnect connection from your on-premises data center to VMware Engine on Google Cloud region network: This is a high-speed, low-latency, secure private connection that bridges your on-premises circuit to your Google Direct Interconnect circuit.
• Direct Interconnect connection from your virtual private cloud to your VMware Engine region network: This is a high-speed, low-latency, secure private connection that uses virtual network gateways to bridge your virtual network on Google Cloud to your VMware Engine circuit.
• Cloud VPN securely connects your peer network to your virtual private cloud (VPC) network through an IPsec VPN connection: Traffic traveling between the two networks is encrypted by one VPN gateway, and then decrypted by the other VPN gateway. This protects your data as it travels over the internet. You can also connect two instances of Cloud VPN to each other.


Google Direct Interconnect or VPN are supported for communicating with and migrating workloads to your dedicated cloud. Point-to-Site VPN is supported for remote/quick access to VMware Engine and you can control which users can access the VMware environment.

The service provides fully redundant networking (via multiple TORs) and direct integration into your dedicated cloud, enabling the use of Cloud Interconnect and Cloud VPN. Further, it is integrated in Google Cloud billing, identity management, and access control to simplify management.

Each node includes four NICs operating at 25 Gbps throughput each for a total of 100 Gbps, providing high-speed, low-latency access to services via VPC peering. For example, you can deploy your customer database in a dedicated cloud and access the application servers in Google Cloud with millisecond response times.

Questions to consider

1. How do you intend to connect your applications to Google Cloud; via Direct Interconnect or VPN?
2. Do you want high-speed, low-latency access to these innovative products and services?


Leverage innovative tools by Google, VMware and trusted third-parties

Another powerful advantage of VMware Engine is that it enables access to the entire vSphere ecosystem of trusted third-party IT management tools, as well as the complete core vSphere platform and its default interface, vCenter.

You can leverage a wide array of capabilities – including provisioning, monitoring, support, inventory management, backup and disaster recovery, security, network and IP address management, identity management – all of which are managed through a single pane of glass. For backup and disaster recovery, we’re currently working with the following partners to integrate their offerings with the service: Cohesity, NetApp, Veeam, and Zerto.

VMware Engine offers privilege elevation, which allows you to install and
manage third party applications which require administrative access to
vCenter. At your request, your privileges can be upgraded for up to a
24-hour period to make limited configuration changes to the vCenter,
after which the environment is automatically locked for security.
Applications like Zerto for DR are fully supported with this feature.


On-boarding and migrating workloads via VMware HCX and vMotion

The service supports all standard VMware migration tools like vMotion and HCX. vMotion is best for migrating individual workloads without interrupting the service. In this deployment scenario, you connect your private cloud to your on-premises environment using a dedicated interconnect tunnel that allows on-premises management and vMotion subnets to communicate with the private cloud management and vMotion subnets. This allows for Cross vCenter vMotion (xVC-vMotion).

A full HCX license is also included, allowing you to migrate workloads en masse, while enabling L2 connectivity and vMotion or Storage vMotion workflows without changing the IP address. The time to execute migrations is based on the number and size of your workloads, as well as the speed and bandwidth of your connectivity.

Questions to consider

1. Do you want to take advantage of the most innovative products and services in the market that are fully compatible with your infrastructure?
2. Do you want high-speed, low-latency access to these innovative products and services?


Continuous monitoring while you focus on what matters

For IT teams, monitoring the performance and availability of operating systems, middleware, and applications running across physical, virtual, and cloud environments internally is complex and time-consuming, making it unfeasible to innovate.

With VMware Engine, the level of probes and error logs best-suited for your business is established automatically. The solution has a continuous performance monitoring subsystem so that issues can be detected and resolved quickly. For example, if a hardware failure is detected, a new node is added to your private cloud and the failed node is removed.

Questions to consider

1. Do you want the ability to increase or decrease capacity on demand?
2. Do you want to optimize capacity expenditure?

Maintenance, Patches, Upgrades, and Change Windows

As with any cloud service, taking time to patch and upgrade the underlying software is critical to ensuring security and access to the latest features. Google Cloud has a standard process we are committed to for patching the underlying VMware software. All of the patching for applications and software running on the VMware environment is the user’s responsibility.


Backend/internal maintenance

System maintenance typically involves reconfiguring physical assets or installing software patches. It doesn’t affect normal consumption of the assets being serviced. With redundant NICs going to each physical rack, normal network traffic and private cloud operations aren’t affected. You might notice a performance impact only if your organization expects to use the full redundant bandwidth during the maintenance interval.

Portal maintenance

Some limited service downtime is required when the control plane or infrastructure is updated. Currently, maintenance intervals can be as frequent as once per month. The frequency is expected to decline over time. Notification is provided for portal maintenance and efforts are made to keep the interval as short as possible. During a portal maintenance interval, the following services continue to function without any impact:

• VMware management plane and applications
• vCenter access
• All networking and storage

VMware infrastructure maintenance

Occasionally it’s necessary to make changes to the configuration of the VMware infrastructure. Currently, these intervals can occur every 1-2 months, but the frequency is expected to decline over time. This type of maintenance can usually be done without interrupting normal private cloud consumption. During a VMware maintenance interval, the following services continue to function without any impact:

• VMware management plane and applications
• vCenter access
• All networking and storage


Updates and upgrades

Google is responsible for lifecycle management of VMware software (ESXi, vCenter, vSAN, PSC, and NSX) in the private cloud.

Software updates include:

• Patches: Security patches or bug fixes released by VMware.
• Updates: Minor version change of a VMware stack component.
• Upgrades: Major version change of a VMware stack component.

Critical security patches are tested as soon as they become available from VMware. Per our SLA, the security patch is rolled out to private cloud environments within a week.

Quarterly maintenance updates apply VMware software components. When a new major version of VMware software is available, we work with customers to coordinate a suitable maintenance window for upgrade.

Questions to consider

1. Do you want to ensure your applications and hardware performance are continuously monitored while you focus on more important business initiatives?
2. Do you want to ensure issues are detected and resolved quickly and comprehensively?


Secure by design

Since all the edge-type networking services of VMware Engine – including VPN, public IP, and internet gateways – run on Google Cloud, they inherit the baseline network security and DDoS protection provided by Google Cloud. This applies to both Google Cloud and the dedicated private VMware environment.

In particular, VMware Engine has separate Layer-2 networks that restrict access to your own internal networks in your private cloud environment. You can easily define east-west and north-south network traffic control rules for all network traffic, including intra-private cloud traffic, inter-private cloud traffic, general traffic to the internet, and network traffic to on-premises.

Security is additionally delivered at the hardware level. As part of the service, all customers get dedicated bare metal hosts with local attached disks that are physically isolated from other hardware. An ESXi hypervisor with vSAN runs on every node and the nodes are managed through customer-dedicated VMware vCenter and NSX.

Questions to consider

1. Do you want a service that guarantees multiple layers of network security?
2. Do you want the ability to manage network security easily, efficiently, and reliably?


Protecting critical data

With VMware Engine, you can ensure data at rest and data in transit are protected.

Data at rest in the private cloud environment can be encrypted using vSAN software-based encryption. This type of encryption works with certified third-party key management servers located in your own network or on-premises, and you can easily control and manage the encryption keys yourself.

For data in transit, applications are expected to encrypt their network communication within the internal network segments. vSphere supports encryption of data over the wire for vMotion traffic.

To protect data that moves through public networks, you can create IPsec and SSL VPN tunnels for your private clouds. Common encryption methods are supported, including 128-byte and 256-byte AES. Data in transit – including authentication, administrative access, and customer data – is encrypted with standard mechanisms, such as SSH, TLS 1.2, and Secure RDP.

Questions to consider

1. Do you want to ensure data at rest and data in transit across your cloud environments can be reliably protected?
2. Do you want access to best-in-class security capabilities from VMware and Google Cloud?


Take the next step

Regardless of what your “why” is, it is important that any technology you adopt is aligned with the goals, needs, and objectives of the business. There is no one-size-fits-all model that can be implemented across the board. This is why you need a comprehensive solution that can adapt to and grow with your business.

So, tell us what you’re solving for and one of our experts will help you find the best solution.

For detailed specifications, visit the Google Cloud VMware Engine website or contact sales.

Google Cloud VMware Engine is verified by VMware.


VMware and Google are trademarks of VMware and Google respectively.

© 2020 Google LLC. 1600 Amphitheatre Parkway, Mountain View, CA 94043.
