It's time to reconsider going on-prem

I&#x27;m a huge believer in colocation&#x2F;on-prem in the post-Kubernetes era. I manage technical operations at a SaaS company and we migrated out of public cloud and into our own private, dedicated gear almost two years ago. Kubernetes and--especially--CoreOS has been a game changer for us. Our Kube environment achieves a density that simply isn&#x27;t possible in a public cloud environment with individual app server instances. We&#x27;re running 150+ service containers on each 12-core, 512 GB RAM server. Our Kubernetes farm--six servers configured like this--is barely at 10% capacity and I suspect that we will continue to grow on this gear for quite some time.<p>CoreOS, however, is the real game-changer for us. The automatic updates and ease of management is what took us from a mess of 400+ ill-maintained OpenStack instances to a beautiful environment where servers automatically update themselves and everything &quot;just works&quot;. We&#x27;ve built automation around our CoreOS baremetal deployment, our Docker container building (Jenkins + custom Groovy), our monitoring (Datadog-based), and soon, our F5-based hardware load balancing. I&#x27;m being completely serious when I say that this software has made it fun to be a sysadmin again. It&#x27;s disposed of the rote, shitty aspects of running infrastructure and replaced it with exciting engineering projects with high ROI, huge efficiency improvements and more satisfying work for the ops engineering team.

Recently just built and deployed an enterprise (on-prem) offering for my startup <a href="https:&#x2F;&#x2F;commando.io" rel="nofollow">https:&#x2F;&#x2F;commando.io</a>.<p>The single biggest problem by far was ripping&#x2F;replacing 3rd party SaaS services that we use&#x2F;pay for with native code. While building a SaaS it is wonderful to use 3rd parties to save time and complexity. Examples include Stripe (payments), Rollbar (error tracking), Intercom (support&#x2F;engagement), Iron.io (queue and async tasks), Gauthify (two factor auth)... Howerver, when you go to on-prem often times the servers don&#x27;t have a public interface, so your entire application has to work offline.<p>2nd tip. While it may seem like a good idea to create a separate branch in your repo for on-prem (i.e. enterprise branch), this is bad idea. It ends up being much better to just if&#x2F;else in the master branch all over the place:<p><pre><code> if(enterprise) { &#x2F;&#x2F; do something } </code></pre> If&#x2F;else in the master branch is what GitHub Enterprise does (at least was told so).

I agree that Kubernetes is a game changer which makes it much easier to run your own applications. If all you have is VMs then the services (RDS, EFS, etc.) offered by AWS are more effective. With a container scheduler there is less maintenance and the decision is harder.<p>BTW Shoutout to Ev from Gravitational, they are proper Kubernetes experts and we appreciate their help on GitLab, especially making <a href="https:&#x2F;&#x2F;github.com&#x2F;gravitational&#x2F;console-demo" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;gravitational&#x2F;console-demo</a> for our k8s integration efforts.

Inspired by a previous blog post popular on HN [1]. John E. Vincent&#x27;s &quot;So You Wanna Go On-prem Do Ya&quot; [2].<p>[1] <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=11757669" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=11757669</a> [2] <a href="http:&#x2F;&#x2F;blog.lusis.org&#x2F;blog&#x2F;2016&#x2F;05&#x2F;15&#x2F;so-you-wanna-go-onprem-do-ya&#x2F;" rel="nofollow">http:&#x2F;&#x2F;blog.lusis.org&#x2F;blog&#x2F;2016&#x2F;05&#x2F;15&#x2F;so-you-wanna-go-onprem...</a>

Quick note, they define Private Cloud as &quot;Customer’s private cloud environment on a cloud provider&quot; but that is not the definition I go by. Just a heads up while reading.<p>I would define Private Cloud as a non-bare metal solution on Prem in a traditional colo setting where hardware is owned by the company in question. Hybrid Cloud would be a Private Cloud and Public Cloud bridged in some way.

This is a great article, but it would be good to state up-front that the author works for a company that sells a service designed to help you go on-prem. It&#x27;s not totally clear until later in the article that this is the case. It would also help put the article in context better.

Note: This may not generalize to your use case. We mainly serve big data customers including banks, telco, and have also seen other environments similar to the &quot;air gapped environments&quot; listed below.<p>That being said: Would just like to add some coloring to this.<p>&gt;&gt; However, not every customer that wants on-premise is a government agency with air gapped servers.<p>This is the bulk of our customer base and also a very large portion of the market still. I deliver software via dvd (flash drives nor wifi not allowed)<p>A few notes from these kinds of customers: They won&#x27;t let you just install anything.<p>Docker is great but doesn&#x27;t have a lot of enterprise adoption (despite the self perpetuating hype cycle) outside the companies that already have mature software engineering teams as a core competency.<p>They are often running centos 6.5 or less yet.<p>A lot of these environments still require deb&#x2F;rpm based installation.<p>Admins at companies that run on prem installations tend to be very reserved about their tech stack. Docker looks like the wild west to folks like that.<p>Our core demographic: We do a lot of hadoop related work. We have a dockerized version of[1] that we deploy for customers.<p>We have also been forced to go the more traditional ssh based yum&#x2F;deb route. We have automation for both.<p>They are right that many &quot;on prem&quot; accounts are now &quot;someone else&#x27;s AWS account&quot;.<p>We also have to run stuff on windows server as well. Docker won&#x27;t fly in that kind of environment either. Microsoft still has large market share in enterprise yet and will for a long time.<p>K8s and co is great where I can use it, but it shouldn&#x27;t be assumed that it will work everywhere let alone in most places in the wild yet. Hopefully that changes in the coming years.<p>Again: This is one anecdote. There are different slices of the market.<p>[1]: <a href="http:&#x2F;&#x2F;www.forbes.com&#x2F;sites&#x2F;curtissilver&#x2F;2016&#x2F;10&#x2F;03&#x2F;skyminds-deep-learning-skil-seeks-to-clean-up-enterprise-data-junk-drawers&#x2F;" rel="nofollow">http:&#x2F;&#x2F;www.forbes.com&#x2F;sites&#x2F;curtissilver&#x2F;2016&#x2F;10&#x2F;03&#x2F;skyminds...</a>

I work for Pivotal, which has a slightly different horse in this race: Pivotal Cloud Foundry. It&#x27;s based on the OSS Cloud Foundry, to which Pivotal is the majority donor of engineering.<p>Lots of customers want multi-cloud capability: they want to be able, relatively easily, to push their apps to a Cloud Foundry instance that&#x27;s in a public IaaS or a private IaaS. They want to be able to choose which apps go where, or have the flexibility to keep baseload computing on-prem and spin up extra capacity in a public IaaS when necessary.<p>It also happens that lots of CIOs have painful lockins to commercial RDBMSes, and they don&#x27;t want to repeat the experience. They want to avoid being locked into AWS, or Azure, or GCP, or vSphere, or even OpenStack.<p>CF is designed to achieve all of these. The official GCP writeup for Cloud Foundry[1] literally says &quot;Developers will not be able to differentiate which infrastructure provider their applications are running in...&quot; (can&#x27;t say I <i>completely</i> agree, GCP&#x27;s networking is pretty fast, which is I guess what happens when you have your own transoceanic fibre).<p>If I push an app to PCFDev -- a Cloud Foundry on my laptop -- it will run the same way on a Cloud Foundry running on AWS, GCP, Azure, vSphere, OpenStack and RackHD.<p>[1] <a href="https:&#x2F;&#x2F;cloud.google.com&#x2F;solutions&#x2F;cloud-foundry-on-gcp" rel="nofollow">https:&#x2F;&#x2F;cloud.google.com&#x2F;solutions&#x2F;cloud-foundry-on-gcp</a>

Can&#x27;t you just, like, go dedicated first ? Or better, start dedicated and turn up cloud every day at 6pm when your traffic is 10x (really, none explained how they can scale their db that fast(because you can&#x27;t), only the app-tier, which is probably badly-designed to be that slow).

We&#x27;ve done our own hosting for twelve years now; hundreds of physical servers in a co-lo. We do continuous deployment (have for basically ever) and multiple identical shards with horizontal balancing, so there&#x27;s almost no &quot;special&quot; server that we can&#x27;t afford to lose or upgrade.<p>While our hardware and ops team and premise costs are a little lower than high volume EC2 to the same scale, the real win comes at the network. High quality transit through multiple redundant links, high capacity routers, our own BGP, is all much lower cost and more flexible than we can get from EC2. It&#x27;s not even in the same ballpark! (Also, we out put SSDs into databases years before they were usable in EC2, so there was a win there, too!)<p>Finally, we&#x27;re hiring into our on prem team :-) <a href="https:&#x2F;&#x2F;IMVU.com&#x2F;jobs" rel="nofollow">https:&#x2F;&#x2F;IMVU.com&#x2F;jobs</a>

This is an interesting post, as Gravitational is doing something very similar to us - <a href="https:&#x2F;&#x2F;jidoteki.com" rel="nofollow">https:&#x2F;&#x2F;jidoteki.com</a> - in fact that blog post reflects much of what I wrote a year ago on our company blog - <a href="http:&#x2F;&#x2F;blog.unscramble.co.jp&#x2F;post&#x2F;134388066008&#x2F;why-we-care-about-on-premises" rel="nofollow">http:&#x2F;&#x2F;blog.unscramble.co.jp&#x2F;post&#x2F;134388066008&#x2F;why-we-care-a...</a>. We focus on the more commonly known concept of on-prem (not AWS&#x2F;Kubernetes), in other words on dedicated hardware in a private datacenter or hosting facility, by creating fully offline, updateable, and secure virtual appliances designed specifically for self-hosting.

Small team here... 20 customer on-prem. It takes more than a year to update all of them. In some cases &quot;policy&quot; want us to connect staging over TeamViewer sharing mouse with the the DBA.<p>CI is basically impossible to accomplish.<p>It is hilarious discovering a bug after both (us and customer) approval to go live with the last version.<p>The most exotic technology we have implemented is a CDN to speed up some component&#x27;s delivery. And... In some cases we did not yet have authorization for that.<p>Honestly... on-prem is perfect to preserve your job... but man...

The whole point of cloud and one of the main drivers for rapid adoption has been that it removes the need to invest and manage your own hardware, staff and capex.<p>Amazon, Google or others takes care of that unless regulations require you to be on-prem.<p>It never really had anything to do with the lack of software or management tools. Not to take away from Kubernertes but Vmware, Cisco, Microsoft and other enterprise vendors have always had this market sealed up with relatively sophisticated capabilities.<p>Things like Vcenter seem far ahead in terms of management, capabilities, feature set, policy and fine tuned for enteprise use. Just taking distributed storage as an example where options like VSan, Nutanix or ScaleIO do not really have any open source counterparts. But this is not surprising given the billions of dollars spent in enterprise.

The biggest obstacle is going to be keeping yourself lean in the face of employees that want to build their own empires internally.<p>Since I worked at Amazon for 5 years I saw how to cut costs on networking and hardware and to build only as much as you actually need. My experience after working at Amazon is that most Enterprise IT is full of people who hide behind Best Practices in order to expand their budget.<p>You can very easily wind up with massive amounts of spending to VMWare, EMC and Cisco. Unless you have an executive with a vision on how to contain costs with networking, storage and servers, I wouldn&#x27;t recommend on prem, you can easily wind up spending an order of magnitude more than you should be.

We&#x27;ve been running a hybrid on-prem solution for nearly 3 years now. It&#x27;s been challenging, but Kubernetes has drastically simplified it for us. It now means we can spin up a client site in 1-2 business days, provided we have a server on-site ready to go.

I think unless there is a big turn of the tide, supporting on-prem is just trouble these days. Most large enterprise customers are willing to use SaaS already.<p>Forget about the huge issues in the support organization for a second: the impact on-prem has on your release cycle has consequences that are hard to fully grasp. So much for &quot;continuous development and release&quot; if you have to keep supporting old versions of software for a year.<p>Build your stack so that you can easily migrate clouds (i.e. don&#x27;t use all the super high-level AWS APIs). It&#x27;s a good idea in general, and it should make going on-prem doable enough if you are worried about having that option at all.

The managed services are the killer feature in the Cloud, RDS Aurora or DynamoDB especially for AWS, and once your DB is in AWS you pretty much have to put everything else in there.

The product I work on started life as an on-prem-only software. We&#x27;re mostly hosting customers in AWS these days.<p>The smallest on-prem customers run on a single server. We have multiple separate web applications, and a couple separate backend services. In AWS, we have each separate web app&#x2F;backend service on its own set of auto-scaling EC2 instances, and have ELB+haproxy and some scripts to manage everything. Each customer (100s) get their own DB, but the DBs are all hosted across a few actual DB servers.<p>We use the same codebase for on-prem and AWS, and there&#x27;s really not much difference in operation: as far as the applications are concerned, on-prem is just the same multi-tenant environment that happens to have a single tenant.<p>However, I would absolutely go all-cloud if I could. Two major reasons: AWS&#x2F;cloud services, and database.<p>The first point is easy: we just can&#x27;t really use any AWS or other 3rd party SaaS stuff ourselves, other than for our own support infrastructure. The app has to deploy to a self-contained on-prem environment. This is really both a blessing and a curse. On one hand, we have to re-invent some things that could otherwise be off-the-shelf from AWS or other offerings. On the other hand, while switching to another cloud would not be trivial, there&#x27;s nothing in our core application code that relies on AWS at all.<p>This also makes our technology stack a bit constrained: we could benefit immensely from a time-series database, but instead we use a RDBMS (MS SQL Server) because, well, we have enough trouble with on-prem administering the database as it is.<p>The second point -- database -- is the cause of so, so much frustration. Very few people can run databases well. It&#x27;s the same old story: when you&#x27;re small, it&#x27;s no problem, but as you grow the DB performance becomes critical (for reference, while our smaller customers have DBs that are 1-2GB, dozens of our customers have DBs in the 100s of GB, and a couple are over 1TB, and typically there&#x27;s about 15% inbound data per day, though after processing not that much gets stored). I&#x2F;O speed is always an issue.. we&#x27;ve had customers trying to run with their I&#x2F;O on a NAS that&#x27;s also shared with a dozen other applications (&quot;We spent 100k on our NAS and the sales guy said it&#x27;ll do everything, so it must be your application that&#x27;s slow&quot;). I have heard our customers say things like &quot;But I can&#x27;t make a full database backup, I don&#x27;t have enough disk space&quot;.<p>There&#x27;s also the inevitable &quot;what hardware do I need to buy?&quot; question, that even our own sales team is frustrated by. Overspec, and they are upset at cost, or -- probably worse -- are frustrated you made them spend all that money when their machine sits mostly idle. Underspec, and it&#x27;s now your problem that it doesn&#x27;t work, because they bought what you told them. It took me months before I convinced even our own team the best we can do is provide a couple examples of hardware setups, and caveat the heck out of it (&quot;with this many devices monitored, with an average of this many parameters, at this frequency, with this many alerts configured, this many concurrent users,&quot; etc).<p>It can be hard enough to isolate the performance problems under load when you operate the whole stack -- it&#x27;s incredibly difficult when you can only approximate a customer&#x27;s setup, and even then, you have to somehow convince them their DB config or I&#x2F;O is inadequate and then need to spend money to fix it.

Are your premises in a flood plain? What about those of your power supplier and network supplier? These are important questions for many of us.

Reading through the bullet points near the top, I was mostly on board until this one:<p>&gt; Economies of scale: some customers have the capacity and ability to acquire and operate compute resources at much cheaper rates than cloud providers offer.<p>AWS is probably spending a billion dollars per year or more on hardware... they get special things that are not available to the public like chips and hard drives. You really can&#x27;t compete with that.

I work in on-prem infrastructure software. The reasoning that our customers have given us is that they care about security. We have to deploy to customers who don&#x27;t air gap their systems, but have fun access control policies. For example, we regularly support customers who have issues using a web session. We can&#x27;t control their computers, but we can ask them to type (or copy and paste) anything in we&#x27;d like. Often times, the commands we ask them to run are like: [K || K = {kv, [navstar, _]} &lt;- ets:lookup(kv)]. Do you know what that does? I can almost assure you that our customers do not. We ship compiled binaries to the customer, and although we would never ever send them code that could hurt them, we link against a dozen libraries (that we ship), and who knows who could have poisoned those?<p>We also have a requirement for our software that time has to be synced. We also recently started to actually check if people&#x27;s time was synced (using the requisite syscalls), and it quickly became our #1 support issue for a little bit. Customer environments are far too uncontrolled to simply be tamed by such a system as Kubernetes.<p>I think that if you can avoid on-prem software and use XaaS, you should. You probably don&#x27;t need to run your own datacenters, databases, etc.. because it&#x27;s unlikely that you&#x27;re better than GOOG, AMZN, Rackspace, DigitalOcean, and others. It&#x27;s very unlikely that your application will be running at sufficient economies of scale to benefit from the kind of work Amazon, and others have done to run datacenters efficiently at scale. Not only this, but Google has figured out how to run millions of servers.<p>Although GOOG &#x2F; EC2 tend to makes hardware available (NVMe, SSDs, etc..) far after the market releases it, if you compare it to enterprise hardware cycles, it&#x27;s lightning fast. We still have customers who run our system on SAS 15K disks, and prefer that over SSDs, even though we recommend it. On the other hand, if you control the environment, rather than spending days, if not months on how to make your application more I&#x2F;O efficient, you can simply spend a few more cents an hour, and get 1000 more IOPs.<p>I have a technique (Checmate) to make containers 20-30% faster and expose other significant features. Unfortunately, we have customers which run Docker 1.12, the latest version of our software, want to use containers, and yet they want to use a kernel no newer than a third of a decade old. I literally have spent months making code work on old kernels, at significant performance, and morale cost. If we controlled the kernel, this wouldn&#x27;t be a problem, and it&#x27;s yet another problem that K8s cannot solve.<p>Lastly, networking on-prem tends to be an afterthought. IPv6 would make many container networking woes go away nearly immediately. Full bisection bandwidth could allow for location oblivious scheduling, making the likes of K8s, and Mesos significantly simpler. BGP-enabled ToRs give you unparalled control. Unfortunately, I have yet to see a customer environment with any of these features.<p>I really hope the world doesn&#x27;t become more &quot;on-prem&quot;.

This can help get your SaaS to be on-premises: <a href="https:&#x2F;&#x2F;jidoteki.com" rel="nofollow">https:&#x2F;&#x2F;jidoteki.com</a>

He runs an on-prem services company. So, of course, it&#x27;s time to reconsider going on-prem.

Nope it is not.<p>Going on premise might have some advantages but it comes with completely different problems that you didn&#x27;t even thought about. Some of them:<p>* You thought of all the power redundancy, ideal cooling, humidity, etc... but then your office gets robbed and all your computers stolen.<p>* Network wiring... some people are lousy, create an entire spaghetti mess with them, used a crappier type of cable, cable crosstalk from other equipment, someone stepped over a cable and damaged it. Which one is it? good luck finding it out.<p>* Hardware fails, power supplies fail, disks fail, everything can fail.<p>You can pick these battles, or you can focus on your software based service. I suggest the latter.