We are considering our next hardware platform for our data center located in a co-location (Colo) facility as part of the CTO Advisor Hybrid Infrastructure sponsored by Intel. Currently, we are on VMware vSphere v6.7u3 with the latest security patches. The software stack runs on top of (3) Dell 730xd with 1st Generation Intel Xeon Scalable (Haswell) processors. However, we want to start experimenting with Intel’s Software Guard Extensions (SGX) technologies. Haswell doesn’t support SGX. At scale, we must use Intel’s 3rd Generation Xeon Scalable (Ice Lake). We believe we’ve found a convenient solution built into our existing architecture and relationships.
What is SGX
SGX provides the capability to exclude layers of abstraction between the processor and the application for security purposes. For example, in the use case of virtualization, SGX enables a developer to maintain secrets between the application and the CPU without exposing the unencrypted data to the hypervisor and guest OS.
For VMware environments, SGX is supported in vSphere 7.0 and later. VMware calls this support vSGX. vSGX doesn’t come without some considerations. Bob Plankers, a VMware security subject matter expert, wrote about the advantages and concerns of using vSGX.
The Power of Hybrid Infrastructure
Back in phase one of the CTO Advisor Hybrid Infrastructure journey, we shared the experience of extending the infrastructure to the public cloud. We leveraged a 10Gbps port from Megaport to connect to 3 hyperscale public cloud providers. We used this connectivity to seamlessly integrate each of the public clouds with our existing VMware vSphere environment.
The capability enabled us to add the seemingly infinite scale of the public cloud without changing our vSphere centered data center operating model. Additionally, we talked to several customers that used these cloud options to extend VDI into the public cloud as a reaction to increased work from home demand during COVID-19 lockdown.
Features of Hybrid Infrastructure
While capacity management is a use case for hybrid infrastructure, another is feature availability. As stated, we aren’t ready to hit “checkout” on our latest Intel Ice Lake-powered virtualization pod. More to come on that in the future. Adjacent to that, our decision to remain on vSphere 6.7 until we make that hardware decision. Both are requirements to leverage SGX in our virtualization stack. In the meantime, we wish to experiment with VMware’s vSGX technology.
Many organizations find themselves in similar lifecycle challenges. However, there’s an exception use case vs. the current capabilities of the private data center technology. The lifecycle problem is where we challenged Intel. We asked Rebecca Weekly, VP of Hyperscalers at Intel, how customers in our situation take advantage of Intel Ice Lake features. She highlighted the importance of Independent Software Vendors (ISV) such as VMware to help bridge this gap.
So, we closed the circle with Clive D’Souza, GM of Oracle Cloud VMware Solution. Oracle offers one of the many VMware-powered cloud offerings. Oracle’s solution provides near unrestricted access to the underlying vSphere and bare metal compute. According to D’Souza, Ice Lake is going through validation in the Oracle Cloud Infrastructure (OCI) lab. So, VMware operations staff can, in theory, enable vSGX on vSphere 7.0 running on bare-metal compute instances in (OCI).
Now combine the capability of our hybrid network infrastructure with the offerings of these VMware and Intel cloud partners. As a result, we can test vSGX in the CTO Advisor Hybrid Infrastructure without incurring the overhead associated with deploying vSphere 7.0 on new hardware in our private data center.
The reaction to the pandemic enabled much more than increased capacity and the ability to take advantage of cloud functionality within existing operational capabilities.
To learn more about Intel SGX click here
Disclaimer: Intel sponsors the CTO Advisor Hybrid Infrastructure. This blog post is sponsored content as part of the relationship.