Latest version: https://www.slideshare.net/MichaelElder/accelerate-digital-transformation-with-ibm-cloud-private-81258443
Accelerate the journey to cloud-native, refactor existing mission-critical workloads, and catalyze enterprise digital transformations.
How do you ensure the success of your enterprise in highly competitive market landscapes? How will you deliver new cloud-native workloads, modernize existing estates, and drive integration between them?
3. Enterprise grade. Open by design.
Introducing IBM Cloud private: matching the power of public cloud with the security and control of your own firewall.
The 4 key tenets of IBM Cloud private: Innovation, Integration, Investment Protection, Management and Compliance.
4. Enterprise transformation requires an integrated PaaS and IaaS
• Leverage existing investments
• Open by design, preventing vendor lock-in
• Consistency across your Hybrid IT environment
• Enterprise grade services for Middleware, Data and Analytics, DevOps
Layers of the platform:
• IBM Middleware, Data, Analytics and Developer Services: cloud enabled middleware, application runtimes, messaging, databases and analytics to optimize current investments and rapidly innovate
• Core Operational Services: to simplify Operations Management, Security, DevOps, and hybrid integration
• Kubernetes-based Container Platform: industry leading container orchestration platform across private, dedicated and public clouds
• Cloud Foundry: for prescribed application development and deployment
• Runs on existing IaaS: VMware, OpenStack, Power, LinuxONE, …
5. IBM Cloud private provides a foundation for delivering business value
Speed business innovation and protect existing investments:
• Rapidly provision capacity to meet demand
• Open container technology prevents vendor lock-in; consistency with public cloud
• Reduced cost of managing and upgrading your on-premises IBM middleware implementation
• Faster time-to-market with a more efficient microservices-based application architecture
• Security and control of an untethered environment
• Integrated set of management tools; flexibility to integrate with existing ones
• Connect applications with data and services across all clouds securely
• Enhance application intelligence with public cloud services, including Watson integration
6. And this business value is delivered through capabilities and services for rapidly developing modern, cloud-native applications
• Kubernetes-based container platform
• Cloud Foundry for prescribed application development and deployment
• Integrated DevOps toolchain
• Catalog of integration services
• API economy to integrate data and services across all clouds
• Prescriptive guidance on where to run your critical workloads
• Next generation versions of industry leading IBM Middleware and Analytics (WAS, MQ, DB2)
• Core operational services, including monitoring, log management and security
• Integration with existing systems and operations management solutions
7. IBM Cloud private transforms the way IT operations and developers work
Todd, Operations / Admin: responsible for infrastructure, security, and management of the environment.
Jane, Enterprise Developer: responsible for modernizing existing applications and creating new cloud-native workloads.
IBM Cloud private empowers both developers and administrators to meet business demands:
• IT Operations and Administrators can quickly set up a modern, flexible, and compliant private cloud on enterprise infrastructure that enables enterprise developers to innovate; they can also integrate with their existing management tools and processes
• Developers can create new cloud-native applications, optimize existing ones, and securely connect their applications with data and services across all clouds
8. Use Cases driving Private Cloud Adoption
1. Optimize legacy apps with cloud: cloud-enabled middleware; next generation Middleware, Data & Analytics; containers & common services; automation & orchestration; self-service experience
2. Open your datacenter to work with cloud services: integration services & cloud native programming models; integration & hybrid cloud; APIs to public cloud services (Machine Learning on p/z, Blockchain, Business Process, Data & Apps); containers & common services; automation & orchestration
3. Create new cloud native applications: cloud native services & runtimes; new applications alongside on-premises software & services; containers & common services; automation & orchestration
10. IBM Systems
IBM Cloud private – Your Workloads, Your Infrastructure
Mix and match worker nodes to run the Kubernetes cloud apps you need on the infrastructure you have. Manage from the same master node.
• Master/Proxy nodes and worker nodes host your app workloads and the IBM provided services
• Worker node types: x86 VMs (VMware, OpenStack), pLinux VMs (ppc64le), zLinux VMs (zVM, zKVM or LPAR)
11. Example – Use Microservices
Microservices scaling contrasted with monolithic scaling (diagram).
Developer benefits:
• No need to manage supporting components
• Repeatable
• Consistent
• Pre-integrated services
12. Example – Stock Trader – Client Goals
“I want to improve my Java app”: product leaders want to improve their Stock Trader application to increase client satisfaction.
“I want continuous delivery – built with microservices”: development leads demand greater flexibility with microservices and continuous delivery that only cloud can give them.
“I need sensitive data to stay local”: lead administrators need the data and workload to stay local, want to manage the cloud, yet do not want to be burdened with complicated operations.
13. Example – Stock Trader – App Architecture
Architecture diagram (components only). Private cloud: Browser, Web App, Portfolio, Stock Quote, Loyalty Level, Db2 (JDBC), MQ (JMS, notification on message), Redis (GET/SET), Microservice Builder, GitHub Enterprise (GHE). Public cloud: Quandl, Slack, API Connect, OpenWhisk. REST calls shown between the services: POST, GET, PUT, DELETE.
14. Example – Stock Trader – Cloud Architecture
IaaS: 4 VMs (1 master node, 1 proxy node, 2 worker nodes) running IBM Cloud private 1.2.
App workloads (Docker containers on the private cloud): Liberty, Microservice Builder, Db2, MQ, Redis, Cloudant.
Internal services: Kubernetes dashboard UI, ELK, DSM, Grafana, Prometheus, Jenkins with GHE access, service graph, private Docker registry.
20. Transformation Advisor
Discover the source environment and capture user preferences (examples):
• Wants to move to Private Cloud
• Prefers not to move data
• Can refactor applications if needed
• Optionally provides some configuration details of target environments
Use / add best practices and constraints (examples):
• Available private cloud options: Liberty
• Available public cloud options: tWAS9
• Move if refactoring cost is <100 PMs
• Keep applications on different source ND clusters on different target clusters
• Do not put a high usage DB >1 network hop away
Provide recommendations and downstream actions:
• Choice of target servers and platforms
• Cost for moving to each target option
End-to-end experience for the App owner, Developer, Project Manager:
1. Identify what can be migrated to IBM Cloud and at what cost
2. Help manage the migration process from fixing code issues to dev/staging/prod deployment, leveraging existing services / tools.
21. Transformation Advisor Rule examples
# | Category | Rule
1 | Dev (WAMT rules) | Functional code assessment of application binaries by WAMT to determine which source and target WAS editions/versions have what technical compatibility issues.
2 | Dev | Assign dev costs to each application issue / issue category detected by WAMT. Call out high cost thresholds at issue and total cost level.
3 | Dev | Which legacy WAS versions should not be considered for migration at all because they have prohibitive refactoring cost.
4 | Dev | Functional assessment to determine whether embedded messaging in ICp Liberty (or tWAS SIBus) can be used or a full messaging solution is needed.
5 | Performance | Determine the ideal location of a DB connected to the application - in Cloud or keep where it exists - depending on user preference, usage frequency, size and any other performance attributes.
6 | Performance | Max number of network hops between a DB and application depending on criticality of data access and usage frequency.
7 | Performance | Determine whether embedded messaging should be used in ICp Liberty based on usage and other performance requirements.
8 | Performance | Max number of network hops between application and messaging depending on usage frequency and latency requirements.
9 | Performance | Depending on application container dependencies and latency requirements, co-locate the containers in the same network.
10 | Performance | Determine sizing of containers depending on user inputs and, in future, usage data.
11 | Performance | Determine number of container replicas in ICp for load balancing.
12 | Availability | Determine number of container replicas in ICp for recovery.
13 | Security | Anti-colocation constraints between containers.
14 | Security | Which application containers need inbound / outbound access (external dependencies).
15 | Security | Determine location of the DB - in Cloud or where it exists - depending on data security.
* Each rule can have a cost implication, e.g. replicas and anti-colocation of containers can increase cost.
32. Container Security
Primary goal is to provide visibility, control, and analytics permitting customers to assess and enforce security and compliance of their applications and data running in the cloud.
• When workloads are deployed as containers, the container layer is a natural place where such visibility and control should be provided
• Focus on applications and data, not infrastructure – application-centric visibility and control. Applications and data are what users care about, regardless of the infrastructure
• Active area of innovation and start-up investment; a new approach is emerging: declarative, portable, DevOps-focused
• Several Research assets and activity in this area
By providing flexible, application-centric visibility and control security services in the container layer on a fully-managed container platform, we can leapfrog the security advantage of our competitors.
33. The Execution: Container Service
Deep Visibility → Operational Insights/Analytics → Solve Real Customer Problems
Data collection (Crawlers):
• From Container: OS info, processes, disk info, metrics, network info, packages, files, config info
• From Runtime: Docker metadata, Kubernetes data, Docker history, metrics
• From Platform: audit subsystem, syscall tracing, system integrity
Curation (Annotators): Config, Vulnerability, Compliance, Password, SW, License
Index (Data) and Analytics
* All services for security, compliance and beyond work from the same data & pipeline!
Services built on the pipeline (Vulnerability Advisor):
• Vulnerability & security scan for images
• Vulnerability & security scan for containers
• Risk analysis with X-Force
• Delivery pipeline service
• Remediation service
• Policy manager for orgs
• Secure config advisor
• Vulnerability Advisor for POWER
• Rootkit discovery
• Remote login config discovery (ssh, weak passwords)
• License discovery
• Container safety determination with signatures
• Custom rule definitions
• Config explorer & analytics
• Time machine forensics
35. Evolution of the Cloud Foundry Runtime
• A locally managed offering
• Deploy faster than ever before
• Full control of the Cloud Foundry configuration
• Extend the deployment using Community or 3rd Party add-ons
• Connect to multiple logging and monitoring solutions
• Middleware and Cloud service offerings
36. Deploying Cloud Foundry
• Passport Advantage and IBM Container Registry
• When combined with your Cloud Foundry token, all binaries will be downloaded from a secure IBM Cloud registry
• Can be launched from a Linux or Mac using Docker CE
launch.sh + IBM token = Cloud Foundry Runtime
37. Cloud Foundry Operations Monitoring
The Operations Console monitors the Cloud Foundry Runtime through the Bosh API and the Cloud Foundry API.
38. Managing Cloud Foundry
• A locally managed offering
• Administrative Access to the Bosh CLI
• IBM Operations Monitoring Tool
• Graphical view of Bosh health metrics for the
environment
• Console connectivity to all Bosh managed virtual
machines
• Bosh virtual machine and job management
operations start/stop/restart
• Cloud Foundry and Buildpack version information
• Application information
• API control for install and updates (manage at scale)
• Air-gap support
39. Maintenance cycle
• Integrates IBM’s Cloud Foundry release
• Public Bluemix
• Dedicated Bluemix
• Major updates every quarter – Cloud Foundry releases
• Minor updates weekly – Security patches & IBM Buildpacks
• Full control of when the updates are applied
• Standardized delivery framework, easily delivers changes at scale
40. Customize Cloud Foundry
• IBM’s Cloud Foundry Runtime provides new levels of control
• Stemcell substitution (modify the stemcell to meet your corporate operating system guidelines)
• 3rd Party release support: leverage releases from the community, 3rd parties or your own DevOps team; customize the Bosh Director and Cloud Foundry deployments to incorporate new capabilities
• Full Bosh administrative access with visibility: customize and execute on your schedule
• Integrate your corporate security and compliance tools (via releases, stemcell, agents, or scripting)
44. IBM Confidential
Storage
• Persistent Volume: networked storage in a cluster that is provisioned by an administrator
• Persistent Volume Claim: a request for storage that is made by a user
• Storage Classes: a label used to identify, and dynamically create, specific qualities of storage to use (“ibmc-file-silver” for higher-intensity workloads compared to “ibmc-file-bronze”)
• Storage Options: VMware datastore, GlusterFS, Spectrum Scale (including defaults for NFS, HostPath)
45. Storage Example
• Helm chart specs: the service declares what persistent volume it will “claim”. In this case, a ReadWriteMany volume with the size and storage class specified in the parameters set by the user.
• Clients can customize: a set of variables that will show up in the UI (or be customized at the helm command line). Notice here it will claim a persistent volume of any storage class of 2GB or more.
• UI showing variables: Db2 storage options where the admin can choose “Claim 10GB of storage for this instance of Db2”. The admin could create a custom “gold” storage class so it will use the best storage for this instance.
• Persistent Volume: the admin pre-creates a PV that matches, or sets up dynamic provisioning.
Deployment chart and values.yaml file (linked from the original slide).
46. Storage Classes – Example
• Dynamic Provisioning: storage classes can map to a “provisioner” to dynamically provision persistent volumes based on the volume claim requests coming in as users deploy workloads and services.
• Map to Storage: IBM Cloud private supports the following for dynamic provisioning, and abstracts the details so the user doesn’t need to take multiple steps to acquire, bind, and claim storage for their app:
  • GlusterFS
  • VMware vSphere volumes
• Change Default Storage Class: a default storage class can dynamically provision storage when a storage class is not specified.
Create ‘gold’ storage class, mapped to GlusterFS:
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: gold
provisioner: kubernetes.io/glusterfs
parameters:
  resturl: "http://glusterIP:8080"
Claiming ‘gold’ storage when deploying an app:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: mypvc
  namespace: testns
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 100Gi
  storageClassName: gold
Tips for claiming storage:
• Use a selected storage class: storageClassName: gold
• Disable dynamic provisioning (the claim then binds only to a pre-created PV that has no class): storageClassName: ""
• Use the default storage class: omit storageClassName from the claim entirely
Change default storage class to your GlusterFS class:
#get the names, see which is default
kubectl get storageclass
#set current default to "false"
kubectl patch storageclass default-class-name -p '{"metadata":{"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'
#set your desired default to "true"
kubectl patch storageclass gold -p '{"metadata":{"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
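The three ways of writing storageClassName behave differently, and the difference is easy to get wrong. The following is an added example, not code from the IBM Cloud private slides: an offline model of the Kubernetes DefaultStorageClass admission plugin and the binding rules a claim is subject to, so a claim can be checked before it reaches a cluster. The StorageClass and PVC objects are constructed inline as plain dicts; "gold", "default-class-name", "mypvc" and "testns" are the names used on the slide, the vSphere provisioner on the pre-existing default and the GlusterFS resturl are placeholders, and the behaviour with two default classes (reject the claim) is that of older releases, stated as an assumption in the code.

```python
"""Model how a PersistentVolumeClaim's storageClassName is resolved.

Added example, not from the IBM Cloud private slides. Mirrors the
DefaultStorageClass admission plugin: an omitted storageClassName gets the
cluster default, an explicit "" disables dynamic provisioning (static PVs
only), a named class is used as-is. All objects below are constructed.
"""
import copy

DEFAULT_ANNOTATION = "storageclass.kubernetes.io/is-default-class"

# Constructed sample: the pre-existing default class and the 'gold' class
# from the slide (the vsphere provisioner on the default is an assumption).
STORAGE_CLASSES = [
    {"apiVersion": "storage.k8s.io/v1", "kind": "StorageClass",
     "metadata": {"name": "default-class-name",
                  "annotations": {DEFAULT_ANNOTATION: "true"}},
     "provisioner": "kubernetes.io/vsphere-volume"},
    {"apiVersion": "storage.k8s.io/v1", "kind": "StorageClass",
     "metadata": {"name": "gold"},
     "provisioner": "kubernetes.io/glusterfs",
     "parameters": {"resturl": "http://glusterIP:8080"}},
]

_OMIT = object()  # sentinel: field absent, as opposed to storageClassName: ""


def make_pvc(name, namespace, size, storage_class=_OMIT, access="ReadWriteOnce"):
    """Build a PVC dict; the default storage_class leaves storageClassName out."""
    pvc = {"apiVersion": "v1", "kind": "PersistentVolumeClaim",
           "metadata": {"name": name, "namespace": namespace},
           "spec": {"accessModes": [access],
                    "resources": {"requests": {"storage": size}}}}
    if storage_class is not _OMIT:
        pvc["spec"]["storageClassName"] = storage_class
    return pvc


def default_storage_class(classes):
    """Return the class annotated as default, or None.

    Assumption: with more than one default the admission plugin rejects the
    claim (older behaviour; newer releases pick the most recently created)."""
    defaults = [c for c in classes
                if c["metadata"].get("annotations", {}).get(DEFAULT_ANNOTATION) == "true"]
    if len(defaults) > 1:
        raise ValueError("more than one default StorageClass: "
                         + ", ".join(c["metadata"]["name"] for c in defaults))
    return defaults[0] if defaults else None


def set_default(classes, name):
    """Equivalent of the two kubectl patch commands on the slide: flip the
    annotation so that only `name` is marked default. Returns the list."""
    for c in classes:
        ann = c["metadata"].setdefault("annotations", {})
        ann[DEFAULT_ANNOTATION] = "true" if c["metadata"]["name"] == name else "false"
    return classes


def resolve_pvc(pvc, classes):
    """Return (storageClassName after admission, provisioning outcome).

    Outcome is "dynamic" (a provisioner creates the PV), "static" (the claim
    only binds to a pre-created PV with an empty class) or "pending" (the
    named class does not exist, so the claim stays Pending)."""
    spec = copy.deepcopy(pvc)["spec"]
    if "storageClassName" not in spec:           # omitted -> admission fills in default
        default = default_storage_class(classes)
        if default is None:
            return None, "static"
        spec["storageClassName"] = default["metadata"]["name"]
    name = spec["storageClassName"]
    if name == "":                                # explicit "" disables provisioning
        return "", "static"
    matches = [c for c in classes if c["metadata"]["name"] == name]
    if not matches:
        return name, "pending"
    if matches[0]["provisioner"] == "kubernetes.io/no-provisioner":
        return name, "static"                     # e.g. local volumes
    return name, "dynamic"


if __name__ == "__main__":
    classes = copy.deepcopy(STORAGE_CLASSES)
    for label, claim in [("named", make_pvc("mypvc", "testns", "100Gi", "gold")),
                         ("omitted", make_pvc("db2", "testns", "10Gi")),
                         ("empty", make_pvc("legacy", "testns", "10Gi", ""))]:
        print(label, resolve_pvc(claim, classes))
    set_default(classes, "gold")
    print("after patch, omitted ->", resolve_pvc(make_pvc("db2", "testns", "10Gi"), classes))
```

The practical point: a chart that wants the cluster default must leave the field out; writing storageClassName: "" in a template silently turns off dynamic provisioning and the claim waits forever for an administrator-created PV.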
47. Private Image Repository
Built-in storage for your Docker images
• Bundled Images: import Docker images from the bundle into the private registry, or import any Docker image you want to deploy across your nodes.
• Secure Access: add only the images you approve of so your developers have trusted, validated images to build from.
Command so that all pods deployed with the default service account of the current namespace can pull from the private image repo:
kubectl get serviceaccounts default -o json | jq 'del(.metadata.resourceVersion)' | jq 'setpath(["imagePullSecrets"];[{"name":"admin.registrykey"}])' | kubectl replace -f -
Note that setpath overwrites any imagePullSecrets the service account already listed, and that the change applies only to the default service account of the namespace you are currently in.
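Because the jq pipeline above replaces the whole imagePullSecrets list, a service account that already referenced another registry credential loses it. The following is an added example, not code from the IBM Cloud private slides: it produces the same object the pipeline feeds to kubectl replace -f -, but merges the new secret into the existing list and is safe to run repeatedly. The ServiceAccount JSON is constructed for the example; "admin.registrykey" is the secret name from the slide and "other-registry" is a hypothetical pre-existing credential.

```python
"""Add a registry pull secret to a ServiceAccount without clobbering others.

Added example, not from the IBM Cloud private slides. Reads the JSON that
`kubectl get serviceaccounts default -o json` prints, appends the secret if
it is not already listed, drops resourceVersion so `kubectl replace` does
not reject a stale version, and returns JSON ready for `kubectl replace -f -`.
"""
import json

# Constructed sample of `kubectl get serviceaccounts default -o json` for a
# service account that already pulls from a hypothetical second registry.
SAMPLE_SA = json.dumps({
    "apiVersion": "v1", "kind": "ServiceAccount",
    "metadata": {"name": "default", "namespace": "testns",
                 "resourceVersion": "4711"},
    "secrets": [{"name": "default-token-abcde"}],
    "imagePullSecrets": [{"name": "other-registry"}],
})


def add_image_pull_secret(sa_json, secret_name):
    """Return ServiceAccount JSON with `secret_name` present in imagePullSecrets.

    Idempotent: running it twice, or on an account that already lists the
    secret, yields the same object. Other fields (secrets, labels, ...) are
    passed through untouched, unlike the jq setpath on the slide.
    """
    sa = json.loads(sa_json)
    if sa.get("kind") != "ServiceAccount":
        raise ValueError("expected a ServiceAccount, got %r" % sa.get("kind"))
    sa["metadata"].pop("resourceVersion", None)   # let the API server assign a new one
    pulls = sa.setdefault("imagePullSecrets", [])
    if not any(p.get("name") == secret_name for p in pulls):
        pulls.append({"name": secret_name})
    return json.dumps(sa, indent=2)


def pull_secret_names(sa_json):
    """Names listed under imagePullSecrets, in order (for checking results)."""
    return [p["name"] for p in json.loads(sa_json).get("imagePullSecrets", [])]


if __name__ == "__main__":
    # Pipe this output into: kubectl replace -f -
    print(add_image_pull_secret(SAMPLE_SA, "admin.registrykey"))
```

Run it per namespace (or per service account) that needs registry access; the default service account of one namespace is the only object the slide's command, and this script, touch.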
49. Network Concepts
• Proxy Node: transmits external requests to the services created inside your cluster.
• Calico Network: enables networking and network policy in Kubernetes clusters.
• Network Policy: label selectors specifying which groups of pods are allowed to communicate with each other and with other network endpoints. A pod selected by no policy accepts all traffic; once any policy selects it, only traffic matched by one of the policy rules is allowed.
• VMware NSX-T: labels used in NSX-T can be mapped to Network Policies in ICp for deeper VMware control.
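To see what those label selectors actually permit, here is an added example, not code from the IBM Cloud private slides: an offline model of the NetworkPolicy ingress semantics that Calico (or NSX-T) enforces, applied to a default-deny policy plus one allow rule. Namespaces, pods and policies are constructed for the example; "testns" is the namespace from the storage slides, while the pod names, labels and the Db2 port 50000 are illustrative. Only podSelector/namespaceSelector peers and TCP/UDP ports are modelled; ipBlock peers and egress rules are left out.

```python
"""Evaluate Kubernetes NetworkPolicy ingress rules against sample pods.

Added example, not from the IBM Cloud private slides. Implements the v1
NetworkPolicy selection rules: policies apply to pods in their own
namespace that match podSelector; a selected pod with no matching ingress
rule is isolated; a `from` entry with only a podSelector is scoped to the
policy's namespace; an empty `from` or `ports` list matches anything.
"""

# Constructed sample cluster state.
NAMESPACES = {"testns": {"team": "trading"}, "other": {"team": "qa"}}

PODS = {
    "web":     {"namespace": "testns", "labels": {"app": "web"}},
    "db":      {"namespace": "testns", "labels": {"app": "db", "role": "backend"}},
    "scanner": {"namespace": "other",  "labels": {"app": "web"}},   # same label, other namespace
    "ci":      {"namespace": "other",  "labels": {"app": "jenkins"}},
}

POLICIES = [
    # 1. Deny all ingress to every pod in testns (empty podSelector = all pods).
    {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
     "metadata": {"name": "default-deny-ingress", "namespace": "testns"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    # 2. Re-open the Db2 port, but only from pods labelled app=web in testns.
    {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
     "metadata": {"name": "allow-web-to-db", "namespace": "testns"},
     "spec": {"podSelector": {"matchLabels": {"app": "db"}},
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "web"}}}],
                           "ports": [{"protocol": "TCP", "port": 50000}]}]}},
]


def selects(selector, labels):
    """matchLabels subset test; an empty selector ({}) matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, src, namespaces, policy_ns):
    """Does one entry of a rule's `from` list match the source pod?"""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False                      # ipBlock-only peer: not modelled here
    if ns_sel is not None:
        if not selects(ns_sel, namespaces.get(src["namespace"], {})):
            return False
    elif src["namespace"] != policy_ns:
        return False                      # podSelector alone means "in this namespace"
    return pod_sel is None or selects(pod_sel, src["labels"])


def port_matches(ports, port, protocol):
    """Empty ports list = any port; protocol defaults to TCP as in the API."""
    return not ports or any(p.get("port") == port and p.get("protocol", "TCP") == protocol
                            for p in ports)


def ingress_allowed(src, dst, policies, namespaces, port, protocol="TCP"):
    """True if traffic src -> dst:port/protocol is allowed by the ingress policies."""
    applicable = [p for p in policies
                  if p["metadata"]["namespace"] == dst["namespace"]
                  and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                  and selects(p["spec"]["podSelector"], dst["labels"])]
    if not applicable:
        return True                       # nothing selects the pod: default allow
    for policy in applicable:             # policies are additive: any matching rule allows
        for rule in policy["spec"].get("ingress", []):
            peers = rule.get("from", [])
            peer_ok = not peers or any(peer_matches(x, src, namespaces, dst["namespace"])
                                       for x in peers)
            if peer_ok and port_matches(rule.get("ports", []), port, protocol):
                return True
    return False


if __name__ == "__main__":
    for s, d, port in [("web", "db", 50000), ("scanner", "db", 50000),
                       ("web", "db", 22), ("db", "web", 9080), ("scanner", "ci", 8080)]:
        verdict = ingress_allowed(PODS[s], PODS[d], POLICIES, NAMESPACES, port)
        print(f"{s} -> {d}:{port}: {'allow' if verdict else 'deny'}")
```

Two things the run makes visible: the pod in the other namespace with the same app=web label is still denied, because a bare podSelector never crosses namespaces, and pods in a namespace with no policy at all (here "other") accept everything, so a default-deny policy has to be created in every namespace you want isolated.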
50. VMware NSX-T Integration
IBM Cloud private will offer NSX-T as the networking mesh between pods on VMware ESXi 6.5. Calico will continue to be used in OpenStack and lower versions of VMware (down to ESXi 5.5).
52. One cloud, isolation across teams
Kubernetes cloud with per-namespace users and quotas: Namespace 1 (users, quotas), Namespace 2 (users, quotas) and kube-system (objects created by the Kubernetes system), each holding its own pods, services (cluster IPs such as 10.4.5.6 and 10.4.5.7) and volumes, all scheduled over shared master, proxy and worker nodes.
Quotas – categories you can set quotas for in a namespace:
• Compute
• Storage
• Object count (pods, services, pvc, …)
• Scope
54. IBM Cloud private highly available topology
Management services are running in all the master nodes.
• UI, kube-apiserver, docker registry (and so on) run in active/active mode
• Virtual IP manager assigns a virtual IP to one of the master nodes to serve the UI/API requests
• Other services rely on etcd to elect a leading instance (you could treat them as active/passive mode)
• The number of master nodes should be odd, because etcd needs a majority quorum to avoid split brain
• Proxy services are running in all the proxy nodes in active/active mode
• Virtual IP manager assigns a virtual IP to one of the proxy nodes to serve application requests. The number of proxy nodes can be any value.
55. Your Workload – Levels of Availability
• One pod: good for development. Single pod with a single log. Can fail over using the same persistent volume.
• Multiple pods: multiple pods in a replica set. If one pod fails, load balance to the 2nd pod with no downtime.
• Multiple services: multiple services (each a replica set of pods) behind a load balancer allow each replica set to run in a separate namespace, cluster, even data center.
57. Integrate with IBM Cloud Public
Goal: workload portability across IBM Cloud private/public
1. Dev/Test vs. Prod: “I want Dev/Test on public cloud and production on IBM Cloud private” (Dev and Test on IBM Cloud Public, Production on IBM Cloud private)
2. Bursting: “I want the dream of bursting from private to public when workload demand exceeds capacity” (Production on IBM Cloud private, bursting to IBM Cloud Public)
3. Move to Public: “When I’m ready to get out of my data center I want the easiest and fastest path to be to IBM Cloud, not another public cloud” (shrink IBM Cloud private, grow IBM Cloud Public)
61. What else do we need for Microservices?
● Visibility
● Resiliency & Efficiency
● Traffic Control
● Security
● Policy Enforcement
Enter Istio
62. Istio Features
• Intelligent routing and load balancing
• Resiliency across languages and platforms
• Fleet-wide policy enforcement
• In-depth telemetry and reporting
63. How to build a ‘Service Mesh’?
Service mesh data plane: each microservice (Microservice-1, Microservice-2, Microservice-3) gets a sidecar.
• Lightweight sidecars to manage traffic between services
• Sidecars can do much more than just load balancing!
Service mesh control plane: service discovery, service registry, routing rules, telemetry, access control, resiliency features.
65. Istio Architecture
Kubernetes cluster: Istio ingress controller → Service A (pod: appA + Proxy) → Service B (pod: appB + Proxy). The Istio control plane (Manager, Mixer) exposes a control plane REST API, reads from the Kube API server and receives metrics and reports from the proxies, which are stored in Prometheus.
1. All traffic entering and leaving a pod is transparently routed via the Proxy without requiring any application changes.
2. The Proxy implements intelligent L7 routing and circuit breakers, enforces policies and reports metrics to the control plane.
Traffic types:
• User/application traffic: HTTP/1.1, HTTP/2, gRPC, TCP with or without TLS
• Istio control plane traffic: request routing rules, resilience configuration (circuit breakers, timeouts, retries), policies (ACLs, rate limits, auth), and metrics/reports from proxies
Proxy: based on Envoy, a high performance L7 proxy from Lyft, currently being used at large scale in production. https://github.com/lyft/envoy
67. Download, Install, Configure – Your data center
Download binaries from Passport Advantage, prepare your infrastructure, install:
• Learn from Knowledge Center
• Download Community Edition (does not include master/proxy HA)
• Download Enterprise Edition from Passport Advantage (accept licenses)
• Prepare VMs and Storage
• Install (guided UI) – can be offline (no Internet connection)
• Import Helm Charts, Images into IBM Cloud private
Resulting topology: a boot node drives the install from Passport Advantage (or an offline install source) onto master VMs, proxy VMs and worker VMs with storage; IBM Cloud private then provides the private Docker registry, internal services, a network mesh with tenant isolation and persistent volumes.
69. Resources
• Videos
  • How we Build Stock Trader In IBM Cloud private (https://t.co/KC4H3pSuLL)
  • IBM Cloud private – Playlist (http://bit.ly/2jJcYW1)
• Blogs
  • IBM Announces Kubernetes-based IBM Cloud private platform (https://ibm.co/2sXO1XS)
  • Build and Continuously Deliver Java Microservices in IBM Cloud Private
  • Developing Microservices for IBM Cloud Private
• Recipes
  • Use Kubernetes Secrets to make your app portable
  • Running Istio on IBM Cloud private
  • Deploy MQ into IBM Cloud private
  • Deploy Db2 into IBM Cloud private
• Knowledge Center
  • IBM Cloud private
70. Resources for Microservices and Evolving
• Rapidly developing applications (part 1): an overview of microservices https://www.ibm.com/blogs/bluemix/2017/07/know-developing-applications-microservices/
• https://www.ibm.com/devops/method/tutorials/was_lift_shift
• https://github.com/ibm-cloud-architecture/refarch-jee
• https://github.com/ibm-cloud-architecture/refarch-jee-customerorder/blob/toLiberty/TUTORIAL.md
71. How can I get started … Paths for access, starting from quickest
1. Videos and Demos: fastest way to see the product. Just watch.
https://www.youtube.com/playlist?list=PLzpeuWUENMK37ZlLBc_pIlXlOWeGnYRA_
https://www.youtube.com/watch?v=ctuUTDIClms&feature=youtu.be
https://bluedemos.com/
2. PoC Cloud on Power for IBM Cloud private: fastest way to explore the product on Power. 15 minutes to your own cluster.
https://ibm.box.com/s/oqx4itns2s2dcuo6a28zqthukfgkiv6w
3. IBM Cloud private-ce (Community Edition): fastest way to explore the product. Only one feature disabled (master HA). Just start.
https://hub.docker.com/r/ibmcom/cfc-installer/
4. IBM Cloud private (Software Evaluation): focus on HA and prod configurations. Highly configured.
5. IBM Cloud private site
https://www.ibm.com/cloud-computing/products/ibm-cloud-private/
https://www.ibm.com/cloud-computing/learn-more/what-is-private-cloud/