(This is a guest entry posted on behalf of Georg Ember)
Almost any application running in the cloud is designed to share resources. Virtualization is the key enabler for cloud computing in integrated or converged systems. Applications run in the cloud as workloads that share system resources, such as CPU, memory and networking. However, legal or organizational requirements can demand that workloads be isolated from each other, and the key question is: what type of isolation is the right way to protect the application environments from each other?
Isolation (also known as multi-tenancy) is a key requirement for cloud computing. An application deployed into a cloud environment must be able to run independently and separately from other applications in the cloud. Each application also needs to move its own traffic across the network and protect its data.
Isolation of applications and data, by physical separation or by virtualization within an integrated system, may satisfy security requirements and ensure that a failure of one application will not cause the failure of other applications. Beyond keeping the data isolated, in many cases departments within a company are not allowed to see the deployed resources (virtual machines) of other environments.
An ideal way to implement this isolation of applications and virtual systems is to use the multi-tenancy features of the IBM PureApplication System.
A convenient and easy way to isolate LAN, SAN and server resources, on a physical as well as a logical level in PureApplication System, is to use the concept of Cloud Groups and environment profiles.
Using the isolation techniques that are built into the IBM PureApplication System can help minimize business risks and increase availability. By assigning to a Cloud Group compute nodes that are placed in separate chassis modules, the performance and availability of that Cloud Group can be greatly increased.
If you are required to isolate applications and data not only on a logical level, the concept of Cloud Groups in the PureApplication System is the right choice for you. You do not need to acquire multiple physical systems, except for high availability or disaster recovery reasons, when you need to separate multiple application environments in a multi-tenant infrastructure. PureApplication System offers the concept of dedicated Cloud Groups.
IBM PureApplication System Cloud Groups physically separate:
- Compute Nodes (server nodes), across IBM Flex Chassis,
- LANs by defining VLANs (on dedicated LAN ports) and IP groups (IP address ranges),
- Services running on the system (so-called shared services): each Cloud Group can have its own “private” services running, without affecting other Cloud Groups. Examples of shared services are monitoring, OS updates, load balancers and clustered file system services, just to name a few.
- Workload (deployment) users: each user belongs to one or more environment profiles and can deploy an application to the designated Cloud Group without seeing resources deployed by other users, or being seen by other users, on the Cloud Groups.
Companies normally separate environments according to the application development lifecycle. The typical divisions are:
- Development (DEV): An environment used for developing applications.
- Testing (TEST): Used for testing applications.
- Production (PROD): Used for running applications; this is the realm of business or end users.
Each of these environments typically runs on totally independent sets of hardware and networks to avoid cross-environment issues. With Cloud Groups in the PureApplication System, however, application environments are totally isolated from each other, if required, even by the users and shared services they use. Consequently, you do not need to acquire multiple physical systems: one PureApplication System does it all for isolation of application environments. There is full isolation and protection in any layer of the stack.
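As an added illustration (not IBM code and not part of the original entry), the following Python sketch audits a planned DEV/TEST/PROD Cloud Group layout for the separations listed above: no shared compute nodes, no shared VLANs, no overlapping IP groups, and nodes spread over more than one chassis. The inventory structure, node labels, VLAN IDs and address ranges are constructed sample values, not a PureApplication System export format.

```python
import ipaddress
from itertools import combinations

# Constructed inventory: group names follow the DEV/TEST/PROD split above;
# node labels, VLAN IDs and address ranges are made-up sample values.
CLOUD_GROUPS = {
    "DEV":  {"nodes": {"chassis1/node1", "chassis2/node1"},
             "vlans": {110}, "ip_groups": ["10.10.10.0/24"]},
    "TEST": {"nodes": {"chassis1/node2", "chassis1/node3"},
             "vlans": {120}, "ip_groups": ["10.10.20.0/24"]},
    "PROD": {"nodes": {"chassis2/node2", "chassis3/node1", "chassis1/node3"},
             "vlans": {130}, "ip_groups": ["10.10.20.128/25"]},
}

def isolation_findings(groups):
    """Return (group_a, group_b, kind, detail) for every resource two groups share."""
    findings = []
    for a, b in combinations(sorted(groups), 2):
        ga, gb = groups[a], groups[b]
        for node in sorted(ga["nodes"] & gb["nodes"]):
            findings.append((a, b, "shared-node", node))
        for vlan in sorted(ga["vlans"] & gb["vlans"]):
            findings.append((a, b, "shared-vlan", str(vlan)))
        for ra in ga["ip_groups"]:
            for rb in gb["ip_groups"]:
                # Overlapping address ranges would let two tenants claim the same IPs.
                if ipaddress.ip_network(ra).overlaps(ipaddress.ip_network(rb)):
                    findings.append((a, b, "ip-overlap", f"{ra} ~ {rb}"))
    return findings

def single_chassis_groups(groups):
    """Groups whose nodes all sit in one chassis (no spread for availability)."""
    return sorted(name for name, g in groups.items()
                  if len({n.split("/")[0] for n in g["nodes"]}) < 2)

if __name__ == "__main__":
    for finding in isolation_findings(CLOUD_GROUPS):
        print("ISOLATION:", *finding)
    for name in single_chassis_groups(CLOUD_GROUPS):
        print("AVAILABILITY:", name, "uses a single chassis")
```

The sample layout deliberately contains two isolation defects between TEST and PROD and one group confined to a single chassis, so the audit has something to report.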