Sep 19 2014

Join me for the MVP Days Community Road Show




For the first time I am attending a MVP Days Community Road Show, happening during the next couple weeks in different Canadian cities. The Microsoft Most Valuable Professional (MVP) Award is Microsoft’s way of saying thank you to exceptional, independent community leaders who share their passion, technical expertise, and real-world knowledge of Microsoft products with others. It is part of Microsoft’s commitment to supporting and enriching technical communities.

I am excited to learn more about what the Microsoft MVP community is doing and thinking about Cloud and Virtualization, and Mobility and Management.


There will be many sessions, including:

  • Migrating to Hyper-V using Microsoft Virtual Machine Converter Tool-SK
  • Windows 2003 End of Life – Moving to the Cloud – SK
  • Introduction to Windows PowerShell Desired State Configuration-SK
  • Accelerate Private Cloud Deployment with Software-defined Converged Infrastructure-SK
  • Business Mobility Solutions – Addressing BYOD By Securing Identity
  • Business Mobility Solutions – Managing Devices In A BYOD Deployment
  • Best Practices for Virtualizing and Managing Microsoft SharePoint 2013 with Microsoft System Center 2012 R2 and Windows Server 2012 R2-SK
  • Leveraging Powershell Environments with Windows PowerShell-SK
  • IT Professional Career Growth through Community Involvement & The Microsoft MVP Award-SK


I am also having the pleasure to speak to the MVP community about Nutanix Web-Scale technology and the extensible Hyper-V and Windows Azure support; as well the existing support for Windows Azure Pack, Exchange and MSSQL workloads.

Screen Shot 2014-09-19 at 8.06.16 AM


Click here for Agenda and Registration


This article was first published by Andre Leibovici (@andreleibovici) at

Permanent link to this article:

Sep 13 2014

Nutanix 4.1 Features Overview (Beyond Marketing) – Part 2

Couple weeks ago I wrote about the first part of a multi-month announcement for NOS 4.1; and this is the second part of this announcement. If you missed the first part you can read it at Nutanix 4.1 Features Overview (Beyond Marketing) – Part 1.

NOS 4.1 delivers important features and improvements for the areas of resiliency, security, disaster recovery, analytics, supportability and management. The first article discussed the new Cloud Connect feature for cloud backup, the NX-8150 platform for heavy OLTP and OLAP/DSS workloads such as Exchange and Oracle databases, Data At Rest Encryption for secure environments that require compliance, which I complemented with an article describing how it works New Nutanix Data-at-Rest Encryption (How it works), and finally the One-Click Hypervisor and Firmware Upgrade.

In this second part I am focusing on smaller improvements that permeate NOS releases between 4.0 and 4.1, 4.0.1 and 4.0.2. These improvements are smaller and don’t make all the way up to the news, marketing or PRs, but they are equally important in improving performance and more importantly system usability and user experience.


NOS 4.0.1

  • Configurable remote Syslog forwarding enables you to send logs to a remote server using the TCP/UDP protocols. Syslog is a standard for computer message logging. It permits separation of the software that generates messages from the system that stores them and the software that reports and analyzes them. In Nutanix each log in /home/nutanix/data/logs/ is prefixed with the name of the module (for example, cassandra) generating the information.
  • Multi-cluster management feature (also known as Prism Central), now allow convenient and automated cluster NOS upgrades through a web console upgrade dialog. Automatic software alerts notify you of available upgrades, which you can install manually or automatically. This is in addition to the One-Click Hypervisor and Firmware Upgrade already support by Prism, enabling even more powerful multi-datacenter management. You can see a full demo of Prism Central at Nutanix PRISM Central Demo Video (multi-datacenter management).
  • Volume Shadow Copy Service (VSS) support for Hyper-V hosts. If you are interested on Hyper-V support roadmap I recommend reading this article by Tim Isaacs, Nutanix and Microsoft Private Cloud: We continue our journey with Microsoft. There’s a lot happening in the Hyper-V, SCVMM and Azure arena.


NOS 4.0.2

  • Improvements on the handling of NOS Oplog for better performance and stability. The Oplog is similar to a filesystem journal and is built to handle bursty writes, coalesce them and then sequentially drain the data to the extent store. You will find more tech info about OpLog and Data Path at The Nutanix Bible. The performance improvements will come with the official release notes and PR for NOS 4.1.
  • Simplified drive replacement procedure, making all HDDs and SSDs on all Nutanix supported platforms be hot-swappable for both local and remote disks. The drive replacement can now be fully monitored via PRISM GUI and nCLI. Additionally, it is possible to clearly identify via Prism and drive carrier LED the location of the failed drive.
  • The chassis LED now can be turned on or off from the Prism UI Hardware page in either the Diagram or Table view to help identify the correct Nutanix block in large data centers. In large data centers this a must have feature.
  • Support for Dell XC720xd series hardware, in accordance to Nutanix Announces Global Agreement with Dell announcement.
  • Shadow clones are now enabled by Default. When a vDisk is read by multiple VMs (such as the base image for a VDI clone pool), NOS caches the vDisk on all the nodes in the cluster. Nutanix Shadow Clones allow for distributed caching of a particular disk or VM data, which are in a ‘multi-reader’ scenario. This will work in any scenario, which may be a multi-reader scenario (eg. deployment servers, repositories, etc.). Read more about Shadow Clones at Nutanix Shadow Clones Explained and Benchmarked.


There are other even smaller features and improvements that in my opinion did not have merit to feature in this list. In the next part of this series I will unveil what I personally consider perhaps one the biggest Nutanix features since its inception. Keep tuned!


Keep tuned, Nutanix 4.1 Features Overview (Beyond Marketing) – Part 3 coming soon!


This article was first published by Andre Leibovici (@andreleibovici) at

Permanent link to this article:

Sep 07 2014

New Nutanix Data-at-Rest Encryption (How it works)

By Andre Leibovici and Anshuman Ratnani


In a previous article I published the first part of a multi-month announcement for NOS 4.1 (Nutanix 4.1 Features Overview (Beyond Marketing) – Part 1). As part of the announcement I disclosed the new Data-at-rest encryption feature.

Nutanix clusters are deployed in a variety of customer environments requiring different levels of security, including sensitive/classified environments. These customers typically harden IT products deployed in their datacenters based on very specific guidelines, and are mandated to procure products that have obtained industry standard certifications.

Data-at-rest encryption is one such key criteria that customers use to evaluate a product when procuring IT solutions to meet their project requirements. Nutanix data-at-Rest encryption satisfies regulatory requirements for government agencies, banking, financial, healthcare and other G2000 enterprise customers who consider data security products and solutions.

The data-at-rest encryption feature is being released with NOS 4.1 and allow Nutanix customers to encrypt storage using strong encryption algorithm and only allow access to this data (decrypt) when presented with the correct credentials, and is compliant with regulatory requirements for data at rest encryption.

Nutanix data-at-rest encryption leverages FIPS 140-2 Level-2 validated self-encrypting drives, making it a future proof since it uses open standard protocols KMIP and TCG.


“The National Institute of Standards and Technology (NIST) issued the FIPS 140 Publication Series to coordinate the requirements and standards for cryptography modules that include both hardware and software components…. The standard provides four increasing, qualitative levels of security intended to cover a wide range of potential applications and environments. The security requirements cover areas related to the secure design and implementation of a cryptographic module.” – Wikipedia


FIPS 140-2 defines four levels of security, simply named “Level 1″ to “Level 4″. It does not specify in detail what level of security is required by any particular application.

Level 1
Security Level 1 provides the lowest level of security. Basic security requirements are specified for a cryptographic module (e.g., at least one Approved algorithm or Approved security function shall be used). No specific physical security mechanisms are required in a Security Level 1 cryptographic module beyond the basic requirement for production-grade components.

Level 2
Security Level 2 improves upon the physical security mechanisms of a Security Level 1 cryptographic module by requiring features that show evidence of tampering, including tamper-evident coatings or seals that must be broken to obtain physical access to the plaintext cryptographic keys and critical security parameters (CSPs) within the module, or pick-resistant locks on covers or doors to protect against unauthorized physical access.


As an example, FIPS 140-2 is a requirement to achieve compliance with the HIPAA standard to protect healthcare data. Already mandated by the U.S. Department of Defense (DoD) for encryption, FIPS 140-2 is a powerful security solution that reduces risk without increasing costs.


The first supported encryption features within Nutanix are:

  • Instantaneous enable/disable encryption
  • Encrypt data at rest at a cluster-wide level
  • Instantaneous Secure Erase disk(s)
  • Rotate passwords per security policy
  • Ability to enable/disable on-disk encryption with live data
  • Ability to transform the cluster from a secure configuration to non-secure configuration (and vice-versa)
  • Secure-Erase (using Crypto Erase) the specific partition and subsequently use it for storing data from other partitions that are being marked un-secure
  • Instantaneous Secure Erase disk(s) using Crypto Erase



How does Nutanix Data-at-rest encryption work?

To enable Nutanix Data-at-rest encryption a 3rd party Key Management server is required. At the time of the launch only ESXi is supported and only the SafeNet KeySecure Cryptographic Key Management System is certified, but other key management systems will be supported.

Nutanix supports any KMIP 1.0 compliant key management system, but others have not yet been certified. The key management system can even be a VM running on the Nutanix cluster, and since Nutanix leverage hardware encryption using the self-encrypting drives the performance impact on the cluster is minimal.



Nutanix clusters do not come with data-at-rest encryption turned on by default and it has to be turned on by the administrator using the PRISM UI or nCLI. The PRISM UI provides a simple and easy way to management Key Management Device details and Certificate Authorities.

Each Nutanix node automatically generates an authentication certificate and adds it to the Key Management Device. At this point the nodes also auto-generate and set PINs on their respective FIPS validated SED drives. The Nutanix controller in each node then adds the PINs to the Key Management Device.

Please note that once the PIN is set on an SED, you need the PIN to unlock the device (lose the PIN, lose data). The PIN can be reset using the SecureErase primitive to ‘unsecure’ the disk/partition, but all existing data is lost in this case. This is important to understand, in case you are moving the drives between clusters or nodes.

The ESXi and NTNX boot partition remain unencrypted – SEDs support encrypting individual disk partitions selectively using the ‘BAND’ feature (a range of blocks).


Important Deployment Considerations

In this first release it is not possible to mix a Nutanix data-at-rest encryption enabled cluster with a non-encryopted cluster because the platform requires special FIPS 140-2 Level 2 SED drives to meet the data at rest encryption requirements. By breaking the homogeneity of the cluster, one will violate the data at rest encryption requirement for copies of data stored on non-SED drives.  However, both encrypted and non-encrypted clusters can be managed via single-pane of management using PRISM Central.

Data in-flight is NOT encrypted, that means data being transmitted between virtual machines and the Nutanix CVM are not encrypted. Data is only encrypted once they touch the SED drives, either SSD or HDDs. In saying that, the Nutanix Controller VM has been exceptionally hardened and is being put trough a number of security checks, validations and certifications.

The Nutanix Cloud Connect, also introduced in my article Nutanix 4.1 Features Overview (Beyond Marketing) – Part 1 will also support at-rest encryption using Server Side Encryption.


This article was first published by Andre Leibovici (@andreleibovici) at

Permanent link to this article:

Older posts «