Swisscom Enterprise Service Cloud
We proudly present our newborn baby! Yesterday, after 150 busy days for 100 individuals, we handed over the first tenant of the brand-new Enterprise Service Cloud to our first customer. It was a bumpy yet successful journey to the cloud. We have finally made it happen!
This blog entry presents an architectural overview of our new Cloud.
The Swisscom Enterprise Service Cloud is based on Dell EMC Infrastructure (VxBlock), the hypervisors/SDN are controlled by vSphere/NSX and the cloud management layer is built on the vRealize Suite. The above figure illustrates the infrastructure components to execute customer workloads. The components of the cloud management platform are running on separate VxBlocks that are not depicted here.
A key feature of our workload environment is the geographically distributed stretched domains, which enable enterprise-grade ITBC. With placement in platinum-certified data centers, our offering provides the highest quality and security capabilities to address our enterprise customers' requirements.
The CMP layer is integrated into Swisscom backend systems (IAM, ITSM, Billing, Reporting) by
- our custom vRealize Orchestration workflows, leveraging vRA’s extensibility framework and event broker system
- microservices hosted on our Cloud Foundry based PaaS platform, e.g. for billing and ITSM
- custom and open source components to extend logging, metering and monitoring
Beyond integration, a fundamental property we are very proud of is the service-provider-grade multi-enterprise multi-tenancy capabilities:
The vRealize Suite is a powerful framework to provide an industry-standard foundation for a virtual private cloud offering. This includes logically isolated tenants (with private data) and sharing of resources to minimize operational costs. vRealize Automation enables us to manage dedicated catalogues per tenant in which the business group administrators (customer role) can entitle catalog items and actions to freely definable user groups.
The blue boxes depict areas that are accessible only by the cloud provider admins (i.e., Swisscom). These admins can create resource reservations specific to the customer's requirements, register event subscriptions or integrate identity providers within our IAM system.
In the course of the last months we heavily extended the standard multi-tenancy capabilities. Specifically, to expose NSX functionality such as security groups or firewall rules in our self-service portal we had to introduce new custom roles. The new roles enable fine-grained control that allows our customers to execute functions that typically require higher privileges.
The above figure highlights our ambition to facilitate our customers in moving to the cloud. Swisscom's goal is to provide a rock-solid IaaS offering at very competitive prices on top of which we can build managed services and offer professional services. Even in its first release, the Enterprise Service Cloud already provides the basic features to drive the IT transformation of our customers to the next level:
- Shared resources on a multi-tenant platform
- Cost-efficient operation
- Option for dedicated resources to address high-performance requirements
- Integration into company infrastructure:
  - Dedicated and protected connectivity (e.g., based on VPN interconnect)
  - IP address management including coordination of ranges
  - IAM building on existing customer IdPs
  - Hook mechanism to monitor all cloud-related events
- Customer-specific service catalogue:
  - Based on standard building blocks
We are closely collaborating with VMware and other vendors in design partnerships to extend our managed services portfolio, reach out for public cloud brokering, implement the best placement strategies and stay on the edge of technology with the latest developments in a containerized world.
Source: Christoph Schnyder, Squad Lead Systems
Since the beginning, we have implemented an agile project methodology with short release cycles. The Enterprise Service Cloud is operated in a Biz-Dev-Ops model right from the start. All the improvements (and fixes) that our squads are working on are continuously pushed via the version control system to different build and test stages with a high level of automation. Our customers are involved in customer advisory boards to provide feedback and discuss request priorities. In addition, each customer can get a tenant on our sandbox installation to test the latest release of our system. At the moment, we are releasing bi-weekly to production.
Together with VMware we are constantly working on improving the developer friendliness of the vRealize toolchain. Our design goal is infrastructure as code. We have evaluated Code Stream and the Management Pack for DevOps IT (a.k.a. Houdini), defined our requirements for configuration management and enjoyed the fruits of our collaboration with project CAVA.
On top of the vRealize Automation standard functionality, we have implemented our own self-service portal that is a substantial improvement in three ways:
- it hides complexity and features that are not relevant for self-service users
- it allows for extending the vRealize Suite with functionality that is not yet delivered out-of-the-box
- it builds the basis for a single pane of glass into all our cloud offerings
Every enterprise customer can optionally integrate its identities by federating its IdP with our OneIDB Identity and Access Management. This enables single sign-on to the Swisscom Portal as well as to the vRA portal (and many other services in Swisscom).
The previous figure presents our vision of cloud services and the near future of the Enterprise Service Cloud. We are closely cooperating with all major vendors and cloud providers to provide the best infrastructure and expertise to our customers.
Simon Loesing and I were part of the team responsible for the Enterprise Service Cloud vendor evaluation process and have since led the Architecture Chapter of a very dynamic agile release train. It has been an amazing time with an awesome team, a team that had to get familiar with a completely new tooling and organizational structure (SAFe, DevOps) and deliver value within not more than half a year. We think this success story has only been possible with the unconditional support and strong belief of our management team and the confidence, dedication and outstanding skills of every member of the project.
As you can see, our work gets appreciated (and raises a lot of expectations).
Our lead security architect is "proud of our cloud" as well; we take this as a very good sign!
Simon and I want to extend our gratitude to the members of VMware's Center of Excellence in Sofia as well as all the Dell/EMC/VMware colleagues working on-site in Switzerland – on my blog posts I had a lot of help from Marco Pillot and Johannes Hiemer. Of course, we will never forget our favorite product managers at VMware, Naomi Sullivan, Helen Michaud, Glenn Williams and Paul Kennedy, who – from time to time – let us catch a glimpse of what could be coming soon (sometimes I felt like a donkey straining to reach the "carrot" – maybe patience is not one of my strongest virtues).
Please visit us at the Swisscom booth at VMworld Barcelona; we are looking forward to providing you with additional details and showing you a live demo!
Thanks to Simon Loesing and Stephan Massalt for the outstanding slides that are the basis of this article and, of course, for an awesome collaboration.