Network virtualization isn’t just about managing the network in a virtual environment; it’s about actually abstracting the physical network and its components, such as switches, ports and routers.
With network virtualization, you can group multiple physical networks into one virtual network, or separate a single physical network into multiple logical networks. Of course, network virtualization brings some challenges, including virtual switch management, security issues and virtual network traffic monitoring.
Expert Stephen Bigelow answers a few questions about network virtualization, the difference between internal and external virtual networks, and the pros and cons of virtual networking when it comes to resource usage, security and management.
What is network virtualization?
S.B.: For example, storage virtualization allows an organization to gather up all of the storage resources in the organization into a common pool, and then allocate storage volumes from that pool – regardless of the type of storage or its physical location within the enterprise.
For network virtualization, abstraction isolates network traffic from the switches and network ports and routers and other physical elements within the network. Each physical element is then replaced with virtual representations of network elements. Administrators can configure the virtualized network elements to suit their unique needs. The main benefit here is that multiple physical networks can be combined into larger logical networks. Conversely, a single physical network can be broken up into multiple logical networks.
Since the abstraction of network virtualization effectively eliminates any correlation between traffic and physical network components, it’s important to include comprehensive management tools that can track and monitor the virtual networks that are ultimately created.
What’s the difference between internal and external network virtualization?
S.B.: External network virtualization is used with the network proper and affects the physical network elements like cabling, network adapters, switches, routers and so on. It’s how you combine multiple physical networks into larger logical networks, or break down a single physical network into multiple logical networks.
Internal network virtualization is used to create one or more logical networks by defining logical switches and network adapters within a virtualized server itself. The internal virtual network can interconnect two or more virtual machines (VMs) operating on the server and allow those workloads to exchange data within the server without ever passing that data onto the physical network infrastructure. This is a much faster and more efficient means of letting related workloads communicate within the server – while minimizing traffic on the physical network.
However, internal network virtualization makes workload balancing and migration a bit more problematic. Normally workloads can be migrated to any virtualized server with the computing resources available to support it. When workloads are connected with an internal virtual network, they may need to be migrated together to the same server. Otherwise they will need to pass their data onto the external network, and this might cause an unacceptable (and unexpected) spike in traffic which might disrupt other network traffic.
What is the technical process that virtual network software uses to virtualize a network?
S.B.: I can give you a brief overview: The idea of virtual network software is to introduce a layer of abstraction (using software) which will decouple traffic from physical network elements. At the same time, network virtualization will also create virtual components such as virtual network adapters and virtual network switches. An administrator can combine those virtual network elements in almost any manner to shape a network of any size and scope for the organization, or create multiple networks that will share the same physical network infrastructure.
Network virtualization requires network virtualization (VLAN) software on each virtualized server as well as within switches (such as “intelligent” switches) and other network devices that support network virtualization. When you consider the mix of devices that might need to be virtualized on the network, it’s important to integrate hardware and software elements that will all work together to support network virtualization. As an example, Citrix and Vyatta provide virtual network software offerings that can create a complete virtualized network stack for an organization.
How does network virtualization improve network resource usage?
S.B.: It’s all about making the most of what you have. We’ll start with internal virtual networking because that’s easier to understand.
For an internal virtual network, various workloads can network with each other within the server across a software-based virtual switch and virtual network ports. When two VMs on the same server exchange data, no traffic goes out onto the external network. The workloads simply exchange data between locations in the server’s memory. This offers extremely fast performance for data transferred between the workloads. In addition, that data does not need to go out onto the external network, so bandwidth is freed for other servers and tasks out on the network.
It’s a little different for external networks where network virtualization is used to segregate and isolate networks to improve traffic flow and increase security. Rather than creating multiple networks for storage and company departments, network virtualization can shape network sizes to accommodate each group or use case without the expense or overhead of building multiple physical networks. As a simple example, network virtualization can isolate a company’s HR data from its production data and from its accounts payable data, but all of those departments still use the same physical network.
There is also just one physical network to maintain and manage, so there is some management efficiency because management doesn’t require multiple toolsets for each network.
How can network virtualization improve security?
S.B.: The basic idea here is to use network virtualization to restrict where certain types of network traffic go within the physical network. Since only network nodes that are configured as part of a given virtual network will send or receive data on that virtual network, the traffic tends to be more secure. Note that network virtualization by itself is absolutely no guarantee of security, but its ability to organize and restrict traffic can help prevent unauthorized nodes from accessing sensitive data. For example, you might create a virtual network to handle VoIP data, and only users that are authorized to use VoIP would have access to that virtual network.
What are some of the challenges of managing virtual switches?
S.B.: There are several notable challenges with network virtualization and virtual switch management. A major issue is political conflict between network administrators and server administrators when virtual network components are created within servers. The task of creating and managing virtual network elements often falls to server administrators – leaving network administrators unable to manage (or even see) some parts of the network.
Also, since the network traffic between internal VMs never leaves the physical server out onto the physical network, there is no practical way to monitor or manage that internal virtual network traffic. This creates a lack of oversight. That data cannot be seen by the physical network and, consequently, by network firewalls, Quality of Service tools, Access Control Lists and IDS/IPS systems that are designed to protect servers at the network layer. Administrators are often left without important network performance or security information.
There may also be a lack of functionality or granularity of control. Virtual switches often include few (if any) powerful features, so there isn’t nearly as much control as an administrator might expect from a current physical switch. The loss of control and visibility can potentially weaken network security.
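To make two of the points above concrete (the per-VLAN isolation from the security answer, and the blind spot that in-host VM traffic creates for network-layer firewalls and IDS/IPS in the answer just given), here is an added Python model of a host-internal virtual switch; it is illustrative code written for this page, not part of the article or of any vendor product, and the port names, MAC addresses and the `mirror_port` option are constructed assumptions.

```python
from collections import defaultdict

UPLINK = "uplink"   # trunk port towards the physical network (constructed name)

class VirtualSwitch:
    """Host-internal virtual switch with VLAN-isolated access ports.

    Each VM port belongs to one VLAN. The uplink is a trunk: frames that leave
    the host are recorded with their VLAN tag, which is all a network-layer
    IDS/firewall on the physical side would ever see.
    """

    def __init__(self, port_vlans, mirror_port=None):
        self.port_vlans = dict(port_vlans)   # VM port -> VLAN id
        self.mac_table = {}                  # (vlan, mac) -> port it was learned on
        self.uplink_log = []                 # (vlan, src, dst, payload) sent off-host
        self.delivered = defaultdict(list)   # VM port -> frames it received
        self.mirror_port = mirror_port       # optional SPAN-style copy of every frame

    def forward(self, in_port, src, dst, payload):
        vlan = self.port_vlans[in_port]
        self.mac_table[(vlan, src)] = in_port          # learn sender per VLAN
        known = self.mac_table.get((vlan, dst))
        if known is None:
            # Unknown unicast: flood, but only within the sender's VLAN (plus trunk).
            targets = [p for p, v in self.port_vlans.items()
                       if v == vlan and p != in_port] + [UPLINK]
        else:
            targets = [known]                          # known in-host: never leaves
        for port in targets:
            if port == UPLINK:
                self.uplink_log.append((vlan, src, dst, payload))
            else:
                self.delivered[port].append((vlan, src, dst, payload))
        if self.mirror_port:
            self.delivered[self.mirror_port].append((vlan, src, dst, payload))
        return targets

def demo(mirror_port=None):
    """Constructed scenario: two HR VMs on VLAN 10, one accounts-payable VM on VLAN 20."""
    sw = VirtualSwitch({"hr1": 10, "hr2": 10, "ap1": 20}, mirror_port)
    sw.forward("hr1", "aa:01", "aa:02", "payroll?")    # unknown dst: flood in VLAN 10
    sw.forward("hr2", "aa:02", "aa:01", "payroll!")    # hr1 learned: stays in-host
    sw.forward("hr1", "aa:01", "aa:02", "thanks")      # hr2 learned: stays in-host
    sw.forward("ap1", "bb:01", "aa:01", "invoice")     # VLAN 20 cannot reach hr1
    return sw

if __name__ == "__main__":
    sw = demo()
    print("frames seen on physical uplink:", len(sw.uplink_log))   # 2 of 4
    print("frames reaching ap1:", len(sw.delivered["ap1"]))        # 0
```

The uplink log is everything a network-side IDS would see (2 of the 4 frames, and never the HR reply traffic); a mirror port on the virtual switch, or a host-based agent, is what closes that visibility gap.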
This was first published in September 2011