VMware NSX: Game Changer for Data Center Networks

Posted by Greg Ferro
August 26, 2013

The value of VMware NSX is that it has the technology to create a virtual data center. In the following diagram I show how overlay networking builds segregated networks: two overlay networks are fully isolated from each other by the VXLAN header tag (which is similar to MPLS from a security perspective) and there are virtual machines connected to each virtual network.

The overall purpose of segregation within a data center is to provide defense in depth, but today's network tools that provide isolation are poor. Virtual contexts are limited in number and hard to maintain, MPLS is expensive and complex--the list of problems goes on.

The notion of the software-defined data center (SDDC) is about defining services. The following diagram shows a new network segment with a typical Web application with a single firewall.

The external firewall is based in a virtual machine and has specific properties, but the firewall between the WEB/APP layer and APP/DB layer is provided by NSX.

VMware says it has taken a significant part of the existing vCNS Edge software code and ported it to the NSX platform. As a result, the NSX agent has a full stateful firewall capability that offers a completely different approach to data center security. Instead of deploying a physical firewall in the core of the network, NSX can deploy a firewall to each and every VM that has a configuration that is derived from the NSX Controller, which is related to the vCloud inventory.

VMware NSX is a solution for programmable and dynamic networking service that interoperates with VMware vCloud director, OpenStack or Hyper-V--this is where the real value is derived. In the near future, servers will no longer be "operating systems" but "application containers." Instead of installing an application onto a operating system, the application will part of a service template that will do most or all of these:

--allocate resources such as CPU, memory, networking and storage

--deploy VMs

--configure networking

--deploy networking services such as firewalls and load balancing

--configure storage services such backup and recovery

--update security register and schedule compliance checking

--update asset register and chargeback

The demonstration and presentation on VMware NSX exceeded my expectations for the first generation of a product. I am somewhat concerned that the NSX technology is trying to tackle too much for the first release. That said, the NSX team points out that the Nicira product, on which NSX is built, has been in deployment for a couple of years, and this experience has been built into the code.

Combined with other features in VMware vCloud 5.5 in storage, scaling and features, it's clear that VMware continues to innovate, but IT professionals should still be concerned about reliability and functionality. At the same time, a change of this magnitude will require a massive sales effort to help customers to understand the transition to the private cloud in a market where customers are hunkering down to "do more with less."

Greg Ferro is a freelance Network Architect and Engineer. You can email him, follow him on Twitter as @etherealmind. He also has a technical blog at EtherealMind.com and is the co-host of the popular and well known Packet Pushers podcast on data networking. He is nearly as grumpy as Mike Fratto.

Related Reading

More Insights