UKCloud for VMware Service Scope
Toggle navigation
Improve this Doc
Show / Hide Table of Contents
UKCloud for VMware Service Scope
About this document
This document describes the boundaries of the UKCloud for VMware service, along with the division of responsibilities between UKCloud and the customer, to facilitate the provisioning and ongoing use of the service.
About UKCloud for VMware
The UKCloud for VMware service provides a secure, scalable and cost-effective platform for hosting virtual machines (VMs) of various sizes with different service levels.
You can use the platform to build new services quickly and securely; and migrate, augment or transform existing applications. The platform is immediately available so you can provision and scale VMs in minutes.
Service architecture
Your UKCloud service architecture is as follows:
Company. Your contract with UKCloud is associated with a company, which provides a single owner for the contract, regardless of how many accounts are created.
Account. We use accounts to separate financial ownership. An account could represent an organisation, a customer contract, or a specific project. An account can also have several UKCloud services associated with it, such as UKCloud for VMware, Cloud Storage and UKCloud for OpenStack. You can also use accounts to separate users based on access requirements or permissions.
Organisation (vOrg). This represents your UKCloud for VMware service inside VMware Cloud Director and on the UKCloud Portal. There is a 1:1 mapping of service to vOrg.
Virtual data centre (VDC). A VDC is where you define your workload type and build your virtual machines (VMs). You can create VDCs through the UKCloud Portal or the Portal API.
Service options
You can build a tailored solution to meet your requirements by mixing and matching service options. The choice does not lock you to one service or size, allowing you to scale resources up or down as your requirements change.
Workload type.
Workload type
Resource allocation
Automated Rebalancing
ESSENTIAL
Contended
Configured to meet requested performance
POWER
Uncontended (CPU/GiB)
Pre-emptively optimises performance and availability
PRIORITY
Uncontended (CPU/GiB)
Configured to reduce workload movement around the platform, reducing workload disruption
VM size. There are 11 T-shirt sizes available for VMs, with varying vCPU and RAM configurations, ranging from 1vCPU and 512MiB RAM to 12vCPUs and 128GiB RAM. You can change the size of your VMs after creation through VMware Cloud Director.
Full details of the available service options are outlined in the Service Definition.
Storage options
All workloads (except micro) include 60GiB of Tier 2 storage for free, all storage is persistent and resilient to local hardware failures. Micro sized VMs include 10GiB of Tier 2 storage.
Additional storage can be purchased to support your application. Multiple storage options can be used to support different aspects of the application.
Tier 1. Our most performant storage for workloads requiring consistently higher disk throughput.
Tier 2. Persistent block storage with typical performance characteristics for use by production applications or storage.
Storage policies
We provide you with access to two storage policies: tier 1 and tier 2.
Both policies have a 10TiB quota of storage to allow for rapid expansion of services as required.
We do not guarantee storage performance, as it can be affected by many factors
We do not provide IOPs figures for our storage offerings
Workloads can use multiple storage profiles
Protection
Customers have a range of automated, on-platform protection options to choose from for their environments:
Catalogue and template-based recovery. All customers have access to catalogue and template-based recovery as standard. This is a configuration management solution that can re-provision stateless servers to a new VM when required, using standard, and catalogue-based VM templates.
Snapshot Protection. 14-day or 28-day snapshot policies available. Data protected by the snapshot has an RPO of 24 hours, with RTO determined by the time taken to restore the VM after the Service Request is raised. See the Snapshot Protection Service Scope for full details.
Journaling Protection. A non-invasive, self-service disaster recovery solution with configurable recovery points, providing near real-time data protection. Journaling profiles provide a target RPO of 5 minutes and journal histories of 2, 7, 14 or 28 days. The Journaling Protection Service Scope covers the full details of this protection option.
Advanced management
This bundle includes Distributed Firewall (DFW), Distributed Logical Router (DLR), Layer 2 VPN and vROPs Tenant Monitoring and Metrics.
Note
These services may not be available in all regions and zones.
Service availability
UKCloud platform availability is based on the workload type you purchase.
The service level agreement (SLA) for POWER workloads guarantees 99.99% availability.
ESSENTIAL and PRIORITY workload SLAs guarantee 99.95% availability.
You are entitled to claim Service Credits for outages to services that take you out of SLA. For more about how we calculate SLAs, see the SLA Definition.
Service background
We maintain the standard VM template sizes that control allocation of CPU and resources.
VMs are fully provisioned.
The system is configured to automatically balance resources, so your VMs may vMotion between physical hosts. PRIORITY workloads are configured to reduce movement around the platform.
To maintain performance across the platform, UKCloud can perform movements/migrations of VMs, vApps or storage within the infrastructure assigned to a service.
We actively capacity-manage the cloud platform to ensure you have access to the resources you request.
The UKCloud platform is designed using sites, regions and zones. The relationship between them is shown below:
You can specify Farnborough or Corsham as the site where you would like to have your service provisioned. We will try to accommodate requests and will advise you if we are unable do so.
We control the deployed versions of technology on the platform. This covers internal platform-supporting technologies, and any technology versions available to you.
Internally this includes, but isn't limited to, the vSphere and ESX versions, and the hardware version of the platform.
Externally this includes the available versions of the edge gateway and VMware Cloud Director.
Promiscuous mode is disabled.
You can set affinity or anti-affinity rules through VMware Cloud Director so that VMs do, or do not, run on the same physical host.
You can make additional configurations inside a VM (such as acting as a secondary hypervisor or implementing third-party software technologies). We do not support customer implementations inside a VM.
Operating systems
Licensing. We can provide:
OS licensing through the SPLA and academic frameworks for Microsoft
Red Hat Enterprise Linux licensing
For the latest available licences, please check the UKCloud Pricing Guide.
You can bring your own licensing for Red Hat and certain Microsoft application licensing under Microsoft Mobility using software assurance. If you're providing your own licensing, you should inform UKCloud by raising a Service Request via the My Calls section of the UKCloud Portal for a retrospective discount.
For non-UKCloud issued software, you must obey the licensing requirements of the software provider. This includes being aware of any constraints around using the software in a virtualised environment.
VM server images. We provide base VM images for the operating systems (OS) for which we provide licensing. You can access these from VMware Cloud Director.
You can use your own images for non-Windows and RHEL services, where licensing stipulates that to use the VM on our platform it must be licensed (and reported back to the software vendor) by UKCloud.
Update services. We make update repositories available for all software for which we provide licensing. We don't provide software update facilities for non-UKCloud licensed software.
Anti-virus. We do not provide anti-virus software as part of the service.
Networks
A full overview of the connectivity options and network architecture is available in Understanding connectivity options in UKCloud for VMware.
We manage the physical firewalls that face public and secure networks.
Internet-facing solutions have 2 usable public IP addresses. You can ask for additional public IP addresses by raising a Service Request via the My Calls section of the UKCloud Portal. We reserve the right to decline the request if you have spare capacity in your existing deployment.
PSN-facing solutions. You should raise a Service Request via the My Calls section of the UKCloud Portal to be assigned your IP address. Contended bandwidth (uncapped).
Janet and HSCN solutions have one usable IP address. You can request additional IP addresses by raising a Service Request via the My Calls section of the UKCloud Portal.
From a customer management experience, you manage all your connectivity rules, such as firewall, IPsec VPN and NAT functionality, through your edge gateway, using either the UKCloud Portal GUI or API.
Edge gateway (previously vShield Edge)
By default, we assign one edge gateway per connectivity type.
For VDCs you create through the Portal API, you are responsible for creating your own edge gateway.
You can have up to nine Org VDC networks per edge gateway.
vApp edge. vApp networks allow you to create smaller networks within individual vApps which have a vApp Edge, similar to the edge gateway on your VDC. Although a vApp Edge isn't as feature rich as an edge gateway, it lets you create firewall and NAT rules to separate your VDC networks from your vApp virtual machines (VMs). See vApp networking for configuration details.
Site-to-site IPsec VPN. You can create IPsec VPN tunnels to connect the services located behind different NFTs. You can also externally configure IPsec VPNs. There is a limit of 64 tunnels per edge gateway.
SSL VPN. You can create SSL VPN tunnels that terminate on the edge gateway, providing up to 50 concurrent users with access to that VDC. We recommend you use this for occasional administrative purposes, rather
than as part of a regular end-user design.
Load balancing. The edge gateway acts as a basic layer 3 load balancer, including features such as session persistence and health checks. If you need more advanced load balancing, you should consider a third-party product.
Bring Your Own Firewall
Bring Your Own Firewall allows you to customise your networking infrastructure by installing your own virtual firewall appliance in place of the edge gateway included as standard.
We don't offer a rebate for unused edges. If you choose to bring your own firewall, you are completely responsible for the deployment, configuration and management of that firewall.
If you change from a UKCloud-provided firewall to your own firewall, we will redeploy your firewall on to a dedicated network and you will need to migrate your environment to that network.
Full customer and UKCloud responsibilities can be found in the Bring Your Own Firewall Service Scope.
Protective monitoring
We have implemented GPG 13-aligned Protective Monitoring across the Assured and Elevated platforms at the hypervisor level and below.
We don't provide Protective Monitoring services above the hypervisor (for example, for your VM) - it is your responsibility to act at this level.
In line with UKCloud's SISP, we provide notification of customer-impacting security incidents. It is your responsibility to report similar incidents to us.
Platform management
Users can access, manage and view the UKCloud for VMware service, accessing only those features allowed by their role, in any of the following ways:
vCloud API. Enables the programmatic creation and management of VMs inside the platform.
VMware Cloud Director tenant portal. Provides a graphical interface to access the VMware Cloud Director environment (depending on assigned permissions).
UKCloud Portal. Enables the creation of compute services and subsequently VDCs and edge gateways. The Portal also includes an overview of actual and estimated spend, along with service configuration information. Access to incident and request management is also possible through the Portal.
You cannot access the underlying infrastructure. This includes (but isn't limited to) the hardware and the vSphere environment.
Service migration