Resource and role model
In this article, we will compare the private cloud architecture models: VMware Cloud Director (vCloud Director or vCD) vs. Yandex Cloud.
VMware resource model
VMware Cloud Director is a solution that implements a multi-tenant approach where each customer gets their isolated container of resources within logical security boundaries.
vCloud Director is an abstraction layer that includes:
- The layer of VMware ESXi physical server clusters and the data centers they reside in.
- Management tools, such as vCenter Server, for managing ESXi clusters.
The chart below shows the VMware Cloud Director (vCD) resource model.
This chart allows us to outline the main layers in the vCD architecture:
- The lowest layer of architecture is made up of hardware.
- The VMware ESXi virtualization layer resides on physical servers. All VMware ESXi hypervisors are clustered and managed by VMware vCenter. This integration is called vSphere. vSphere enables creating resource pools and virtual switches (Distributed vSwitch), as well as connecting shared storage for virtual machines.
- Each vCenter is integrated with the VMware NSX-T overlay network manager on one side and managed by the Cloud Director web portal on the other.
- Cloud Director has users, organizations, and virtual machines logically divided among various tenants.
vCD communicates with vCenter Server via the vSphere API.
Because vCD provides multi-tenancy, it does not inherit the user and group model from vSphere.
vCD has its own identity provider with its own subjects and role model. You can integrate Cloud Director tenants with Active Directory through SAML federation using the service provider initiated Web SSO feature.
Yandex Cloud resource model
All Yandex Cloud resources, such as virtual machines, disks, networks, and others, reside in folders. When creating a resource, you specify the folder to place it in.
Each folder belongs to a single cloud. There are no folders outside a cloud. You cannot create a folder inside another folder.
A cloud belongs to an organization.
Organizations are isolated from one another. Resources belonging to one organization cannot communicate with those from another organization through Yandex Cloud tools. Organizations are managed with Yandex Cloud Organization.
Within your organization, you can configure access permissions for a resource at the following levels:
- Organization.
- Cloud.
- Folder.
- Individual resource, if the relevant service supports such granular access management.
By default, a new user within an organization does not have access to the organization's cloud resources. Access permissions must be granted explicitly by assigning a role specifically for a resource or its folder, cloud, or organization.
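As an added illustration (not code from the original page or from Yandex Cloud itself), the toy model below encodes the containment rules and the explicit, inherited role assignment described above; the IDs, subject names, and role names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the hierarchy described above: organization -> cloud ->
# folder -> resource. IDs and role names below are illustrative only.
ALLOWED_PARENT = {"organization": None, "cloud": "organization",
                  "folder": "cloud", "resource": "folder"}

@dataclass
class Node:
    kind: str
    id: str
    parent: Optional["Node"] = None
    bindings: set = field(default_factory=set)  # {(subject, role)}

    def __post_init__(self):
        # Containment rules from the text: a folder belongs to exactly one cloud,
        # folders never nest, and a cloud belongs to an organization.
        parent_kind = self.parent.kind if self.parent else None
        if ALLOWED_PARENT[self.kind] != parent_kind:
            raise ValueError(f"a {self.kind} cannot be created under {parent_kind}")

def grant(node: Node, subject: str, role: str) -> None:
    """Explicit role assignment on a container or resource; nothing is implicit."""
    node.bindings.add((subject, role))

def effective_roles(node: Node, subject: str) -> set:
    """Roles bound to the subject on the node itself or on any ancestor (inherited)."""
    roles = set()
    while node is not None:
        roles |= {r for s, r in node.bindings if s == subject}
        node = node.parent
    return roles

def has_role(node: Node, subject: str, role: str) -> bool:
    return role in effective_roles(node, subject)

def demo() -> dict:
    org = Node("organization", "org-1")
    cloud = Node("cloud", "cloud-1", org)
    folder_a = Node("folder", "folder-a", cloud)
    folder_b = Node("folder", "folder-b", cloud)
    vm = Node("resource", "vm-1", folder_a)
    grant(cloud, "alice", "viewer")          # cloud-level: inherited by all folders
    grant(folder_a, "bob", "compute.admin")  # folder-level: does not reach folder_b
    return {
        "alice_sees_vm": has_role(vm, "alice", "viewer"),
        "bob_admin_on_vm": has_role(vm, "bob", "compute.admin"),
        "bob_admin_in_folder_b": has_role(folder_b, "bob", "compute.admin"),
        "new_user_default": effective_roles(vm, "carol"),  # default deny: empty set
    }
```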
To learn more about the Yandex Cloud resource model, see the relevant documentation.
Below, we will compare the main concepts of Cloud Director and vSphere entities with those in Yandex Cloud.
Comparison of resource models
Virtual Datacenters

| VMware Cloud Director | Yandex Cloud |
| --- | --- |
| Virtual Datacenters (vDCs) are an isolated environment provided to cloud users for placing resources, storing data, and operating applications and systems. For vDCs, cloud administrators set quotas for the number of vCPUs, amount of RAM, and disk space for VM virtual disks. Structurally, a vDC is a child container within an organization. Architecturally, one vDC is equivalent to a specific vCenter Server instance. When creating a vDC, vSphere defines a resource pool with info on vCPU and RAM quotas and storage policies. | The closest equivalent to a vDC is a cloud, which is a child container within an organization. The difference is that a cloud is not linked to a specific availability zone and represents a geographically distributed logical organization unit. |
Organizations

| VMware Cloud Director | Yandex Cloud |
| --- | --- |
| Organizations are a root container for managing users, groups, identity federations, and computing resources. Cloud system administrators, or service provider administrators, can create and initialize organizations. Organization administrators, or tenant administrators, can create users, groups, and service folders. Cloud users cannot create organizations based on vCD. Tenant administrators have no access to the cloud infrastructure level. | In Yandex Cloud, organizations also serve as root containers for resources and are designed to manage subjects, subject groups, identity federations, and underlying folders and services. |
Users and service accounts

| VMware Cloud Director | Yandex Cloud |
| --- | --- |
| Organization administrators can create users, user groups, or service accounts manually or through scripts, or integrate with a directory service, such as LDAP, through a SAML federation. By default, users and user groups belong to the respective organization and are managed by Cloud Director. All operations with Tanzu virtual machines, networks, and containers are performed under a system account with administrative permissions in vSphere. | Every Yandex Cloud platform user has their own account used for identification when running resource operations. This can be either a Yandex ID account or a federated account of an identity federation. In addition, there are service accounts: a special type of account your software can use to perform operations with Yandex Cloud resources. For details, see the documentation on accounts. |
Organization Networks

| VMware Cloud Director | Yandex Cloud |
| --- | --- |
| VMware Cloud Director uses organization networks for network management. Each network is only available to a specific organization and all vApps within that organization. You can connect such networks to external networks, if required. | In Yandex Cloud, Virtual Private Cloud networks residing in folders offer similar features. The key difference between Yandex Cloud VPC and organization networks in VMware is that a VPC network supports a multi-folder scenario: it can be accessed from several folders within a single cloud. |
vApp

| VMware Cloud Director | Yandex Cloud |
| --- | --- |
| In VMware, a vApp is a child vDC container that holds one or more virtual machines. vApps can group multiple virtual machines running together as a single stack of interconnected systems, or applications within a single VM. A vApp allows you to manage the order for starting and stopping virtual machines. If at least one VM in a vApp is stopped, the vApp is considered partially started. You cannot place Cloud Director VMs outside a vApp. | In Yandex Cloud, a folder is the nearest equivalent to a vApp; however, a Yandex Cloud folder is a resource and service container used for storing and isolating services, since most cloud services reside in folders. A folder has no option to manage services as a single entity; other orchestration tools perform this function instead. Yandex Cloud also features Instance Groups to manage the order for starting a group of VMs. |
Role model comparison
In both vCloud Director and Yandex Cloud, roles define permissions that dictate what actions and resource operations the users can perform.
| vCloud Director | Yandex Cloud |
| --- | --- |
| A service provider is a company that delivers cloud services. | - |
| A tenant (customer) is a user of cloud resources. | - |
| By default, Cloud Director comes with the following predefined roles: | There are two types of roles: primitive and service roles. A service role can be assigned for the resource the role is intended for or for the one from which the permissions are inherited. For example, you can assign the For a detailed description of primitive and service roles and their hierarchy, see the IAM and Resource Manager documentation. |
| To create custom roles, one needs to contact VMware Cloud Director administrators. Permissions for such roles are defined by service providers or created for the tenant through support. | Currently, users are not allowed to create new roles with custom permissions. |