Modernizing VM Management for Veterans Affairs
Run and manage virtual machines at less cost
Operating under an austerity budget,[2] the Department of Veterans Affairs (VA) Office of Information and Technology (OIT) is evaluating which existing platforms to invest in and which to retire or replace. One focus is the virtualization platform hosting approximately 70,000 virtual machines (VMs) powering 1,800 applications, including Veterans Health Information Systems and Technology Architecture (VISTA) support systems, financial systems, and human resources platforms.
As directed by the Office of Management and Budget’s Cloud Smart policy, the department’s newer applications are being deployed as containers on the award-winning VA Platform One. In parallel, the VA will need to continue supporting existing VMs for the foreseeable future. The reason is that more than half of the VA’s applications are older, monolithic applications written in the early- to mid-2000s, and modernizing them to a cloud-native container format would require a complete rewrite.
Dependence on a proprietary platform for VM hosting exposes the VA to the risk of pricing or support changes that can interfere with mission excellence and stress the OIT budget. Criteria for a modern, cost-efficient VM management platform include:
- Cloud-native functionality to simplify the software development life cycle (SDLC). VA software teams can save time with automation (e.g., self-healing, software defined storage and networking), a single source of truth for configuration files, and other cloud-native capabilities.
- The flexibility to deploy VMs close to the data—hospital datacenter, edge, or cloud. Data from more than 9 million veterans resides in more than 1,300 hospitals, outpatient sites, and edge locations such as the remaining tele-critical care carts set up during the Covid-19 pandemic. Transferring large data sets to the cloud over these throughput-limited networks causes latency. Hosting VMs near the data avoids this latency, improving the experience for researchers, clinicians, and patients. To gain the flexibility to deploy VMs anywhere, in hospitals, clinics, and public clouds, the VA needs virtualization infrastructure that can run on any hardware.
- Data security. Many VMs contain or access personally identifiable information (PII) and protected health information (PHI). Government security requirements include a trusted software supply chain, role-based access controls (RBAC), and adherence to the department’s security baselines.
“We have to get back to basics and pursue excellence… bringing rigorous discipline to how we prioritize requirements and allocate funding.”
Unified platform for VMs and containers: Red Hat OpenShift Virtualization
An included feature of all Red Hat® OpenShift® subscriptions, OpenShift Virtualization is a modern application platform that the VA can use to run VM workloads side by side with containers, on the same OpenShift nodes. VMs behave as they do on the existing VM platform while also participating in modern DevSecOps and GitOps pipelines. OpenShift is available as a fully managed public cloud service edition or as a self-managed edition that can be deployed on premise in VA hospitals, clinics, and edge locations.
Modernize VM management with cloud-native capabilities
Red Hat OpenShift Virtualization is a Kubernetes operator built atop the open source KubeVirt project, adding push-button automation and access to the cloud-native capabilities built into OpenShift. These capabilities include monitoring and alerting, traffic management and telemetry, serverless environments, continuous integration/continuous delivery (CI/CD) pipelines, GitOps, and more. Using either the graphical user interface (GUI) or command-line interface (CLI), VA software teams can:
- Warm-migrate VMs onto the OpenShift platform at scale using Migration Toolkit for Virtualization, a free tool. The toolkit can import VMs from VMware vSphere, Nutanix, other OpenShift clusters, and image repositories. Source VMs continue running while the data is copied, minimizing downtime. When all data is copied, the administrator stops the running VM and the new instance begins running in the new location.
- Create and manage new Windows and Linux® VMs.
- Manage network interface controllers and storage disks attached to VMs.
- Live migrate VMs between nodes in hospitals, clinics, and the cloud, for continuity of operations (COOP).
Red Hat is the #1 overall contributor to Cloud Native Computing Foundation (CNCF) projects. We represent our customers in key communities, driving new capabilities and fixing issues. Using our software to build applications gives special operations early access to the latest innovations in security and performance. Our technology complies with standards that SOCOM demands, such as FIPS 140-2, Common Criteria, and others, including an early FIPS 140-3 validation submission that is pending review at the time of writing.
Mission value of OpenShift Virtualization for the VA
With Red Hat OpenShift Virtualization, the VA can preserve its existing investment in VMs while benefiting from the simplicity and speed of a modern hybrid cloud application platform.
Cost-efficient VM lifecycle management. With Red Hat OpenShift Virtualization, the VA can standardize on a single infrastructure deployment for VMs, containers, and serverless workloads. A unified platform also simplifies Day 2 operations because developers can use the same open source tools they use for containers, such as GitLab for DevSecOps and JFrog Artifactory for image storage. For more cost savings, the VA can use OpenShift Virtualization in conjunction with Red Hat Ansible® Automation Platform to automate Day 2 VM operations, such as configuration changes, patching, and rebooting. If Ansible Automation Platform detects that a VM has drifted from the desired state, it automatically executes self-healing actions.
Flexibility to host applications anywhere. Application performance improves when VMs are located near the data, which is often in hospitals and clinics. With Red Hat OpenShift, VA teams have the flexibility to host certain VMs on premise or at the edge instead of in the cloud, avoiding delays if large data sets must be transferred to the cloud.
Reduced operational risk. Based on open source, Red Hat OpenShift is not subject to the same unexpected pricing increases as proprietary application hosting platforms.
Healthcare continuity planning. The disaster resilience described in VHA Directive 0320.02 can require migrating VMs to a new hospital, clinic, or the cloud. When that happens, clinicians need access to patient data with minimal delay. To automate VM migration for faster recovery, pair Red Hat OpenShift Virtualization with Ansible Automation Platform. If Ansible Automation Platform detects that a VM hosted on OpenShift has drifted from the desired state, it automatically executes self-healing actions. If one node in a cluster stops responding, Ansible Automation Platform can automatically restart services on another node.
Consistent software quality. With tools such as Red Hat Trusted Software Supply Chain, Red Hat OpenShift Dev Spaces, and Red Hat Developer Hub, VA developers can adopt DevSecOps practices to deploy VMs in an automated, repeatable, consistent manner.
Security protections. Both Red Hat OpenShift and Red Hat Ansible Automation Platform have a Security Technical Implementation Guide (STIG) published through the Defense Information Systems Agency (DISA). VM workloads that access PHI or PII can be assigned to a security zone that is isolated from other workloads.
Learn more
Red Hat can help you with more information on Red Hat OpenShift Virtualization. Or, if you’d like to review more Veterans Affairs-related initiatives, visit red.ht/va today.
Cost-effective AI performance
With OpenShift, the VA can achieve cloud-like AI application performance in its hospitals and datacenters at less cost than hosting applications in the cloud. OpenShift provides access to on-premise NVIDIA graphics processing units (GPUs) that accelerate AI workloads running either as VMs or containers. Included with Red Hat OpenShift, the NVIDIA GPU Operator provides VA developers with tools to manage the full lifecycle of NVIDIA software components.
[1] “Our Vision for Digital Transformation.” DigitalVA. Accessed July 11, 2024.
[2] “Proposed deep cuts to VA’s tech budget rankle lawmakers.” NextGov/FCW. May 15, 2024.