
Network Virtualization in the Software-Defined Data Center

January 4, 2013

This post co-authored by Bruce Davie, Martin Casado, and Brad Hedlund

VMware has long been known as the company that changed computing by virtualizing servers. At Nicira, we set out to disrupt networking just as VMware disrupted computing, by virtualizing networks. The analogy between network virtualization and server virtualization can be a helpful one, but it is still only an analogy, and analogies can only take you so far. The point of this post is to dig a bit deeper into network virtualization – what it is, what it means for the industry, and how VMware, in the aftermath of the Nicira acquisition, plans to change networking.

Just as server virtualization introduces the abstraction of the virtual machine, network virtualization introduces the virtual network abstraction. A virtual network provides all the properties of a physical network, but does so in a way that is decoupled from the underlying physical hardware. Consequently, the operational model for virtual networks closely resembles the model for VMs: a virtual network can be deployed on any vendor’s hardware; services are decoupled from the physical location of devices; and new virtual network services can be deployed non-disruptively over existing data center networks.

A direct consequence of this change is that all of the state associated with a virtual network can be managed programmatically, which leads to the same operational benefits provided by virtual machines. For example, the complete configuration of a virtual network can be snapshotted at any point in time, stored in a single file, archived, rolled back, cloned, recreated, audited for compliance, etc. All of this can be done by making a simple API request to a logically centralized controller that has a complete view of the virtual network. The legacy approach of capturing and auditing a large set of individual hardware device configurations is no longer necessary.
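The snapshot, audit and rollback workflow described above, as an added illustration that is not VMware or Nicira code: a hypothetical in-memory controller stands in for the logically centralized controller, and the logical-network document format and ACL contents are constructed for the example.

```python
import copy
import json

# Constructed logical topology as one document (format hypothetical):
# two logical switches, each with an ordered ACL ending in deny-all.
PRODUCTION_NETWORK = {"switches": {
    "web-tier": {"acl": [{"allow": "tcp/443", "from": "any"},
                         {"deny": "any", "from": "any"}]},
    "db-tier": {"acl": [{"allow": "tcp/5432", "from": "web-tier"},
                        {"deny": "any", "from": "any"}]}}}

class HypotheticalController:
    """Stand-in for the logically centralized controller API (constructed)."""
    def __init__(self, network):
        self._state = copy.deepcopy(network)
    def snapshot(self):  # whole virtual network as a single JSON document
        return json.dumps(self._state, sort_keys=True)
    def apply(self, change):  # models an API request mutating network state
        change(self._state)
    def restore(self, snapshot):  # roll back to an archived snapshot
        self._state = json.loads(snapshot)

def diff_snapshots(before, after):
    """Return (switch, field) pairs whose value differs between snapshots."""
    b, a = json.loads(before)["switches"], json.loads(after)["switches"]
    changed = []
    for name in sorted(set(b) | set(a)):
        fields = set(b.get(name, {})) | set(a.get(name, {}))
        changed += [(name, f) for f in sorted(fields)
                    if b.get(name, {}).get(f) != a.get(name, {}).get(f)]
    return changed

def audit(snapshot):
    """Compliance check: every switch ACL must end with an explicit deny-all."""
    findings = []
    for name, sw in json.loads(snapshot)["switches"].items():
        acl = sw.get("acl", [])
        if not acl or acl[-1] != {"deny": "any", "from": "any"}:
            findings.append(f"{name}: ACL lacks trailing deny-all")
    return findings

def demo():
    """Snapshot, detect drift, audit, and roll back; returns the evidence."""
    ctl = HypotheticalController(PRODUCTION_NETWORK)
    golden = ctl.snapshot()                       # archived known-good state
    ctl.apply(lambda s: s["switches"]["db-tier"]["acl"].pop())  # drift
    drifted = ctl.snapshot()
    findings, changes = audit(drifted), diff_snapshots(golden, drifted)
    ctl.restore(golden)                           # roll back from the archive
    return findings, changes, audit(ctl.snapshot())
```

Because the whole virtual network is one document, the same diff and audit run unchanged whether the change came through the API or from an operator editing a single device.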

Networking and the Software Defined Data Center

It should not be surprising that network virtualization has become a core part of VMware’s strategy. In 2012, VMware launched the Software-Defined Data Center initiative. Steve Herrod has defined the SDDC as “where all infrastructure is virtualized and delivered as a service, and the control of this data center is entirely automated by software.” The key word is “all” – we need to be able to virtualize other aspects of the data center, notably networking and storage, to fully deliver the promise of virtualization. This enables data center operators to quickly and efficiently provision not just VMs but complete data center workloads – a collection of computational, storage and networking resources that are provisioned and managed in software.

Indeed, many of the most pressing issues in modern data centers are solved by network virtualization. The time required to provision new services is top among these. Traditional networking hardware hinders the deployment of new data center workloads, requiring careful configuration of features on the routers and switches depending on the location of the physical servers on which the workloads are to be run. By contrast, a virtual network can be provisioned and configured purely in software – by calling a set of REST APIs supported by the network virtualization controller. The advantage of this approach is captured in this quote from one of Nicira’s early customers, J.C. Martin, Cloud Architect of eBay:

“Working with Nicira we have removed the last big barrier, the network, from creating computing resources on demand. We can now provide these resources in a minute versus hours or days.”

[Figure: Network is a barrier to SDDC]

Resource usage efficiency is another data center issue that network virtualization helps to tackle. Traditional mechanisms to provide isolation of network traffic among tenants in a data center (e.g., VLANs) typically restrict workload placement, with the result that some available capacity goes unused, lowering resource usage efficiency. Since network virtualization removes these restrictions, the computational and networking resources of the data center can be treated as resource pools, and workloads draw from those pools without restriction on where they are placed. The net result is improved efficiency in the usage of both servers and networking equipment, and the savings can be substantial.

As noted above, virtual networks are decoupled from the underlying networking hardware. This means that the hardware can be upgraded, capacity can be added, a new vendor’s equipment can be deployed, all without changing the virtual networking abstractions that are delivered by the network virtualization platform. This leads to data centers that are more efficient and able to evolve to meet the needs of the applications they support.

VMware’s Network Virtualization Platform

In acquiring Nicira, VMware acquired the leading network virtualization company and Nicira’s platform, NVP. VMware also has its own network virtualization capabilities that pre-date the acquisition: the vCloud Networking and Security (vCNS) product. As these two products are merged together, the result will be a single network virtualization platform that can work with any hypervisor, and will support all open cloud management systems (CMS), including OpenStack.

In addition to supporting a full range of CMS and hypervisor types, NVP will also extend its ability to bridge the physical and virtual worlds. Today, physical workloads can be bridged into virtual networks using a “gateway” device that maps virtual networks to VLANs or to VRFs (virtual routing and forwarding tables). In the near future, physical switches and routers will also be able to participate in virtual networks, providing high-performance and high port density connectivity to physical workloads.

The virtual network abstractions offered by the platform will support a growing set of L2-L7 network services in an effort to provide everything existing workloads require from the network today. This includes (but is not limited to) layer 2 segments, security and QoS policies, routing, NAT, load balancing, traffic monitoring, statistics, etc. From these base abstractions virtual topologies of arbitrary complexity can be created, and managed programmatically with all of the operational benefits mentioned above. The diagram below shows a simplified example of a virtual topology from a production deployment.

[Figure: Logical Topology]

The Road Ahead

Moving forward, VMware is going to redefine both the economic and operational paradigms in networking. We are not just fixing the problems that traditional networking has caused in the data center, but we are changing the way networks can evolve. The following are a few thoughts on that evolution.

Networking will now evolve at software speeds. Software can be upgraded without disruption to existing logical networks – as we have already done with our customers – and new networking features can be deployed non-disruptively at software release timescales.

While networking hardware continues to be important, its evolution is decoupled from the virtual networks that it supports. This has the potential to allow a greater range of hardware players and different business models. This applies to all levels of the protocol stack from switching to higher layer services.

Network virtualization will introduce new operational and security paradigms that simply aren’t conceivable today. We will move away from a model of networking that requires configuration of each individual device to be handled separately to a model where the fundamental abstraction is the virtual network, not the device, and the management of virtual networks is handled in a logically centralized way. With the edge of the virtual network being the vswitch in the hypervisor – giving access to packets as they leave or enter the guest OS – and with a global view of virtual network state, entirely new security policies become possible. For example, packets can be annotated with rich semantics extracted by the hypervisor from the VMs, allowing for in-network services to operate over semantically meaningful identifiers, such as users or applications, with a fidelity not possible from a network-only position.

So these are exciting times for networking. There have been quite a few misperceptions about network virtualization, most of which stem from viewing it as fixing one point problem in networking (e.g. VLAN limitations, hardware cost, etc.). In fact, we see it as much bigger than that – it is a shift in how networks are built, deployed, managed, operated and monitored, arising from the introduction of a powerful new abstraction, the virtual network. As with server virtualization, it’s likely to take a while before this shift is fully accepted, but the early adopters are already reaping the rewards, and we expect adoption to pick up steam in 2013.


Bruce Davie

Principal Engineer, Networking & Security

Bruce Davie is a Principal Engineer in the Networking and Security BU. He joined VMware as part of the Nicira acquisition, and focuses on network virtualization. He has over 25 years of networking industry experience, and was a Cisco Fellow prior to joining Nicira ...
