Now that VMware has conquered data center computing via server virtualization, the company is opening a beachhead on the network via its NSX product, which is being officially launched today at VMworld in San Francisco.
VMware NSX is a software-defined network (SDN) that uses controllers and overlay networking. I'll examine just a few of the key aspects of the announcement and how they apply to your data center strategy.
Overlay networking refers to the use of protocols such as VXLAN and STT to create a virtual network between hypervisors. As data flows from the guest VMs and into the network, the Ethernet frames are encapsulated.
I've written previously about the value of overlay networking, but the following are the key points to note about VMware's approach:
First, you only have to configure the physical hypervisor network port once with a single IP address, because the overlay tunnels are sourced from an IP address. Second, it dramatically reduces VLAN consumption. Third, it works on existing data center networks, though it will work better on an Ethernet fabric.
Network Agents as Software
The foundation of VMware NSX is the software network agent, called a virtual switch, which is based on the Open vSwitch project. NSX replaces VMware's vSwitch and the vSphere Distributed Switch (VDS) to provide true networking. The existing vSwitch/VDS product performs very little real networking--it's more of an automated virtual patch panel. Forget what you know about vSwitch or VDS: NSX replaces and upgrades its capability to become a true networking device.
The NSX network agents support switching and routing in the network by selecting the correct tunnels as the forwarding path. This is illustrated in the following diagram showing a full mesh of tunnels between three physical servers.
The upshot is that the network agent can now function as a switch or router, as illustrated below.
VMware NSX will ship with network agents for VMware ESX, Linux KVM hypervisors for CloudStack and OpenStack, and Microsoft Hyper-V. For VMware and Linux, the NSX switch is part of the kernel. Hyper-V uses a guest VM today, but the existence of Microsoft's Hyper-V extensible switch architecture suggests that NSX could soon integrate more tightly with Hyper-V.
The notion of controller-based networking grew out of research from Stanford University starting in 2005. For the last 30 years, network devices have operated independently and autonomously. Network configuration is regarded as a high-risk activity because of the potential impact of individual changes. This means provisioning new network services or making adjustments to existing configurations is time-consuming and fraught with potential for mishaps.
A controller provides a central point for configuration of the network. In addition to understanding network state, the controller can be used to expose interfaces, usually in the form of APIs, to applications that require network services. This is a better match for the speed and scalability available with server virtualization. It also makes possible an environment where software applications can drive the network for real services and business value.
Another key aspect of controller-based networking is the ability to integrate network automation with server automation. VMware vCenter is a "hypervisor controller" and acts as a central point of administration for the ESX infrastructure. When a site deploys vCloud Director, then integration with the network controller becomes possible.
Consider what this means: For the first time, the network engineer can be fully informed about the servers and applications that are connected to any part of the network. VMware NSX provides visibility into the network adapter in the hypervisor, and knows the server name and the OS. When using VMware vCloud it's also possible to identify which segment of the network the server or servers belong to. Of course, centralized logging and encrypted management protocols provide greater security assurance.
The value of VMware NSX is that it has the technology to create a virtual data center. In the following diagram I show how overlay networking builds segregated networks: two overlay networks are fully isolated from each other by the VXLAN header tag (which is similar to MPLS from a security perspective) and there are virtual machines connected to each virtual network.
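As an added illustration (not the article's own code, nor VMware's or Open vSwitch's), the following Python builds and parses the VXLAN header that carries the segment tag described above, and shows that a decapsulated frame is only offered to VM ports bound to the same VNI, even when two tenants reuse the same MAC address. The outer IP/UDP tunnel headers, the `VirtualSwitch` class and the tenant/VNI values are simplifying assumptions.

```python
import struct

VXLAN_FLAG_I = 0x08          # "I" flag: the 24-bit VNI field is valid (RFC 7348)

def vxlan_encap(vni: int, inner_frame: bytes) -> bytes:
    """Prepend the 8-byte VXLAN header: flags, 3 reserved, 24-bit VNI, 1 reserved.
    The outer Ethernet/IP/UDP headers, sourced from the hypervisor's single
    tunnel IP, are left to the host stack and omitted here (assumption)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8) + inner_frame

def vxlan_decap(packet: bytes):
    """Return (vni, inner_frame); reject a header whose VNI is not marked valid."""
    if len(packet) < 8:
        raise ValueError("truncated VXLAN header")
    flags, vni_field = struct.unpack("!B3xI", packet[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag clear: VNI is not valid")
    return vni_field >> 8, packet[8:]

def ethernet_frame(dst_mac, src_mac, payload, ethertype=0x0800) -> bytes:
    """Minimal inner Ethernet II frame (no FCS)."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload

class VirtualSwitch:
    """Toy tunnel endpoint (hypothetical): every VM port is bound to one VNI,
    and a decapsulated frame is only offered to ports on that VNI."""
    def __init__(self):
        self.ports = {}   # vm name -> (vni, mac)

    def attach(self, vm: str, vni: int, mac: bytes) -> None:
        self.ports[vm] = (vni, mac)

    def deliver(self, packet: bytes) -> list:
        vni, frame = vxlan_decap(packet)
        dst_mac = frame[:6]
        return [vm for vm, (v, mac) in self.ports.items()
                if v == vni and mac == dst_mac]

def demo() -> list:
    """Constructed sample: two tenants reuse the same MAC on different VNIs;
    a frame tagged with tenant 1's VNI never reaches tenant 2's VM."""
    vswitch = VirtualSwitch()
    mac_web = bytes.fromhex("0200000000aa")
    vswitch.attach("web-tenant1", 5001, mac_web)
    vswitch.attach("web-tenant2", 5002, mac_web)
    frame = ethernet_frame(mac_web, bytes.fromhex("0200000000bb"), b"GET / HTTP/1.0")
    return vswitch.deliver(vxlan_encap(5001, frame))   # returns ['web-tenant1']
```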
The overall purpose of segregation within a data center is to provide defense in depth, but today's network tools that provide isolation are poor. Virtual contexts are limited in number and hard to maintain, MPLS is expensive and complex--the list of problems goes on.
The notion of the software-defined data center (SDDC) is about defining services. The following diagram shows a new network segment with a typical Web application with a single firewall.
The external firewall runs in a virtual machine and has specific properties, but the firewalls between the Web and App tiers and between the App and DB tiers are provided by NSX.
VMware says it has taken a significant part of the existing vCNS Edge software code and ported it to the NSX platform. As a result, the NSX agent has a full stateful firewall capability that offers a completely different approach to data center security. Instead of deploying a physical firewall in the core of the network, NSX can deploy a firewall to each and every VM, with a configuration derived from the NSX Controller and tied to the vCloud inventory.
VMware NSX is a solution for programmable and dynamic networking services that interoperates with VMware vCloud Director, OpenStack or Hyper-V--this is where the real value is derived. In the near future, servers will no longer be "operating systems" but "application containers." Instead of installing an application onto an operating system, the application will be part of a service template that will do most or all of these:
--allocate resources such as CPU, memory, networking and storage
--deploy networking services such as firewalls and load balancing
--configure storage services such as backup and recovery
--update security register and schedule compliance checking
--update asset register and chargeback
The demonstration and presentation on VMware NSX exceeded my expectations for the first generation of a product. I am somewhat concerned that the NSX technology is trying to tackle too much for the first release. That said, the NSX team points out that the Nicira product, on which NSX is built, has been in deployment for a couple of years, and this experience has been built into the code.
Combined with the other storage and scaling features in VMware vCloud 5.5, it's clear that VMware continues to innovate, but IT professionals should still be concerned about reliability and functionality. At the same time, a change of this magnitude will require a massive sales effort to help customers understand the transition to the private cloud in a market where customers are hunkering down to "do more with less."