Advantages of network virtualization impress, but hurdles remain

With the advent of NFV, IT managers are finding new ways to improve data center networking.

Server virtualization transformed IT operations, and now data centers are facing another transformative technology as more of the network is virtualized. Network functions virtualization (NFV) allows a network device or function to run as a virtual workload, and with it a single physical host can house a multi-tier application without traffic ever traversing a physical network. In turn, the user profits from the many advantages of network virtualization.

The foundation of NFV is the virtual switch, which is as old as server virtualization, and, in its most basic form, provides Layer 2 connectivity between VMs on a single host. Over the years, virtualization vendors have added capabilities to virtual switches.

From a logical perspective, virtual switches provide much the same functionality as traditional top-of-rack switches. Today, for example, it's not uncommon to see a virtual switch with several virtual LANs (VLANs). A handful of VMs communicating with each other via a virtual switch is the most basic example of network virtualization.

Inter-VLAN traffic, meanwhile, is carried over a trunk between the virtual switch and the physical network. The traffic traverses the physical port of the host server; essentially, the physical server port serves as the uplink port of the virtual switch. If two VMs residing on the same physical host -- but on separate VLANs -- need to communicate, the traffic is routed out to the physical network. At that point, a physical firewall could be used to filter traffic between the two VMs.

The introduction of NFV takes network virtualization to another level. A simple example is a virtualized firewall. Layer 2 firewalls have long run on standard x86 physical hardware. Just as with any other x86 workload, a firewall can be delivered as a virtual appliance. Now consider our example of two VMs needing to communicate across separate VLANs. Adding a virtual firewall and connecting a virtual port to each VLAN enables traffic filtering across VLANs without ever leaving the physical host.

With traffic remaining within the physical host, the effect is that the physical network is unaware of any VM-to-VM communication. Within a single host, we've established a virtual network -- one that, as the next sections show, also extends across physical hosts.

Most server virtualization platforms incorporate the concept of the distributed switch, which is a virtual switch that stretches across multiple hosts. A centralized controller acts as the control and data plane of the distributed switch.

In VMware, the controller is vCenter. In KVM and XenServer environments, it's the Open vSwitch database (OVSDB). In the physical world, a distributed switch is comparable to the stackable switch architecture: the switching modules on each physical host are components of the centrally managed distributed virtual switch.

The physical network participates only in delivering packets from hypervisor to hypervisor; there's no requirement for it to participate in VM-to-VM communication. The distributed switch forms a logical network overlay on the underlying physical network, and independent NFV devices run on that overlay.

Refer to our simple example of a two-tier application. The virtualized firewall can exist on one host and the VMs can reside on two other hosts. VM-to-VM routing and traffic filtering take place with the physical underlay's only participation being host-to-host packet delivery.
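The article doesn't name the encapsulation that carries VM frames between hypervisors, so the following added example (not from the article or from any vendor's code) assumes VXLAN, the common choice for this kind of overlay. It builds an inner Ethernet frame from two constructed VM MAC addresses, wraps it in a VXLAN header with a tenant VNI, and then shows the two views that matter for visibility: what the physical underlay can see (outer hypervisor addresses and UDP port 4789 only) versus what a decapsulating monitor sees (VNI and the VM-to-VM frame). The `UnderlayDatagram` class stands in for the outer IP/UDP headers rather than building them byte for byte.

```python
import struct
from dataclasses import dataclass

VXLAN_UDP_PORT = 4789          # IANA-assigned VXLAN destination port
VXLAN_FLAG_VNI_VALID = 0x08    # "I" flag: the VNI field is valid (RFC 7348)


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ethernet_frame(dst_mac: str, src_mac: str, ethertype: int, payload: bytes) -> bytes:
    """Inner (VM-to-VM) frame exactly as the virtual switch would forward it."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags, 3 reserved bytes, 24-bit VNI, 1 reserved byte."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8)


def parse_vxlan(data: bytes):
    """Return (vni, inner_frame) or raise if the header is not a valid VXLAN header."""
    if len(data) < 8:
        raise ValueError("truncated VXLAN header")
    flags, vni_field = struct.unpack("!B3xI", data[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag not set")
    return vni_field >> 8, data[8:]


@dataclass(frozen=True)
class UnderlayDatagram:
    """Stand-in for the outer IP/UDP headers seen by the physical network."""
    outer_src: str      # sending hypervisor (VTEP) address
    outer_dst: str      # receiving hypervisor (VTEP) address
    udp_dport: int
    payload: bytes      # VXLAN header + inner Ethernet frame


def encapsulate(vtep_src: str, vtep_dst: str, vni: int, inner_frame: bytes) -> UnderlayDatagram:
    return UnderlayDatagram(vtep_src, vtep_dst, VXLAN_UDP_PORT, vxlan_header(vni) + inner_frame)


def underlay_view(dg: UnderlayDatagram) -> dict:
    """What a physical switch, tap or NetFlow record sees: host-to-host only."""
    return {"src": dg.outer_src, "dst": dg.outer_dst,
            "udp_dport": dg.udp_dport, "bytes": len(dg.payload)}


def overlay_view(dg: UnderlayDatagram) -> dict:
    """What a monitor that decapsulates VXLAN sees: tenant VNI and VM endpoints."""
    if dg.udp_dport != VXLAN_UDP_PORT:
        raise ValueError("not a VXLAN datagram")
    vni, frame = parse_vxlan(dg.payload)
    if len(frame) < 14:
        raise ValueError("truncated inner Ethernet frame")
    return {"vni": vni,
            "inner_dst_mac": mac_str(frame[:6]),
            "inner_src_mac": mac_str(frame[6:12]),
            "ethertype": struct.unpack("!H", frame[12:14])[0],
            "payload": frame[14:]}


# Constructed sample: VM 01 on hypervisor 192.0.2.10 talks to VM 02 on 192.0.2.20, tenant VNI 5001
SAMPLE = encapsulate(
    "192.0.2.10", "192.0.2.20", 5001,
    ethernet_frame("02:00:00:00:00:02", "02:00:00:00:00:01", 0x0800, b"constructed-ip-packet"),
)

if __name__ == "__main__":
    print("underlay sees:", underlay_view(SAMPLE))
    print("overlay sees: ", overlay_view(SAMPLE))
```

The underlay view carries no VM identity at all, which is the visibility gap the article's later section on complexity describes: any physical-network monitoring has to decapsulate, or be fed by the controller, to attribute a flow to a VM or tenant.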

With network virtualization, we recreate the physical network as an abstraction within the hypervisor. The obvious question is: To what end?

The technical advantages of network virtualization are numerous. This approach allows for application and workload mobility. Layer 2 domains easily extend not only between data centers but also between platforms such as public cloud and on-premises infrastructure. Most of these features, however, can be achieved using traditional network technologies. The one exception is network segmentation for virtualized workloads.

One of the most compelling technical use cases for network virtualization has been the ability to offer network segmentation at scale. Network segmentation, sometimes referred to as micro-segmentation, enables organizations to create granular rules between workloads. Unlike traditional Layer 3 firewalls that base rules on IP segments, network segmentation allows filter rules as granular as the VM-to-VM level -- regardless of the IP segment. VM-to-VM level segmentation allows for the implementation of a zero-trust policy.

Zero-trust security use case

A zero-trust policy doesn't grant a node implicit trust simply because it shares a network segment with its peer. Controlling security at this level requires a security device capable of inspecting all Layer 2 traffic, and it would be impractical to perform that filtering with physical devices. However, since the virtual switch resides within the kernel of the hypervisor, the CPU cost of filtering at the hypervisor level is nominal compared to the cost of performing the same inspection with physical devices. It becomes practical to scale zero-trust security in a virtual network.

The technology roadmap becomes much more interesting when you combine the concept of the network controller with network virtualization. With the control plane and the data plane abstracted from the physical network, an organization can support a truly agile environment. Given that the network is an overlay, it can run on any type of network, including public cloud providers.

One of the challenges in implementing hybrid cloud is the separation of Layer 2 network domains and security. For example, Amazon Web Services (AWS) uses iptables to enforce zero-trust filtering between instances. An administrator must therefore manage two separate firewall policies to allow traffic between on-premises compute and compute hosted in AWS. With network virtualization, the policy can be managed via a single network controller, which receives its policy from a cloud management platform (CMP) or network management system.

VMware's NSX is an example of a product that offers compelling integration between the network and the x86 virtualization stack. The NSX firewall can manage zero-trust policies based on virtual machines. Since both the firewall rules and VMs exist as objects within vCenter, the policies can live or die with the VMs. The converged management is a powerful abstraction.

Those who have had to endure a firewall rule audit will appreciate the ephemeral nature of NSX firewall rules. Take, for example, a firewall rule that allows HTTP traffic between two VMs. If one of the VMs is deleted in vCenter, the firewall rule is deleted. The abstraction of firewall rules allows for simplified security audits.
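To make the last three paragraphs concrete (one policy keyed by VM identity rather than IP segment, rendered to whatever enforcement point is in use, and rules that die with the VM), here is an added example in Python. It is not NSX code or any vendor's API; the inventory, the three VMs and their addresses are constructed, and the `SegmentFirewall` class is a deliberately simplified model of a traditional segment-based firewall used for contrast. The `render_iptables` method regenerates iptables-style rules from the object model, as one way a single controller could feed an iptables-based enforcement point like the AWS case above.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class VM:
    vm_id: str    # inventory object id, stable even if the VM's IP changes
    name: str
    ip: str
    segment: str  # IP segment / VLAN the VM is attached to


@dataclass(frozen=True)
class Rule:
    src_vm: str   # VM ids, not addresses
    dst_vm: str
    proto: str
    dport: int


class SegmentFirewall:
    """Traditional Layer 3 firewall: intra-segment traffic never reaches it,
    so only flows between segments can be filtered."""

    def __init__(self, allowed: Set[Tuple[str, str, str, int]]) -> None:
        self.allowed = allowed  # (src_segment, dst_segment, proto, dport)

    def permits(self, src: VM, dst: VM, proto: str, dport: int) -> bool:
        if src.segment == dst.segment:
            return True  # implicit trust inside the segment
        return (src.segment, dst.segment, proto, dport) in self.allowed


class MicroSegmentation:
    """VM-to-VM policy: default deny, rules keyed by VM identity,
    and rules removed when the VM object is deleted from inventory."""

    def __init__(self) -> None:
        self.inventory: Dict[str, VM] = {}
        self.rules: List[Rule] = []

    def register(self, vm: VM) -> None:
        self.inventory[vm.vm_id] = vm

    def add_rule(self, rule: Rule) -> None:
        for vm_id in (rule.src_vm, rule.dst_vm):
            if vm_id not in self.inventory:
                raise KeyError(f"rule references unknown VM {vm_id}")
        self.rules.append(rule)

    def delete_vm(self, vm_id: str) -> int:
        """Delete a VM from inventory; every rule naming it is dropped. Returns the count."""
        self.inventory.pop(vm_id)
        before = len(self.rules)
        self.rules = [r for r in self.rules if vm_id not in (r.src_vm, r.dst_vm)]
        return before - len(self.rules)

    def permits(self, src_vm: str, dst_vm: str, proto: str, dport: int) -> bool:
        # Default deny: only an explicit VM-to-VM rule allows a flow
        return Rule(src_vm, dst_vm, proto, dport) in self.rules

    def render_iptables(self) -> List[str]:
        """Regenerate iptables-style rules from the object model (hypothetical backend)."""
        lines = [
            f"iptables -A FORWARD -s {self.inventory[r.src_vm].ip} "
            f"-d {self.inventory[r.dst_vm].ip} -p {r.proto} --dport {r.dport} -j ACCEPT"
            for r in self.rules
        ]
        lines.append("iptables -P FORWARD DROP")
        return lines


# Constructed inventory: a three-tier app with all VMs on the same /24
WEB = VM("vm-101", "web", "10.0.1.10", "10.0.1.0/24")
APP = VM("vm-102", "app", "10.0.1.20", "10.0.1.0/24")
DB = VM("vm-103", "db", "10.0.1.30", "10.0.1.0/24")


def segment_model_allows_lateral() -> bool:
    """With a segment firewall and no rules at all, web can still reach the database port."""
    return SegmentFirewall(allowed=set()).permits(WEB, DB, "tcp", 3306)


def build_policy() -> MicroSegmentation:
    """Only web->app on 8080 and app->db on 3306 are allowed; everything else is denied."""
    policy = MicroSegmentation()
    for vm in (WEB, APP, DB):
        policy.register(vm)
    policy.add_rule(Rule("vm-101", "vm-102", "tcp", 8080))
    policy.add_rule(Rule("vm-102", "vm-103", "tcp", 3306))
    return policy


if __name__ == "__main__":
    policy = build_policy()
    print("\n".join(policy.render_iptables()))
    print("rules dropped when app VM is deleted:", policy.delete_vm("vm-102"))
```

The contrast is the point: the segment model returns `True` for web-to-database on port 3306 with no rule at all, while the VM-keyed model denies it; and deleting the app VM removes both rules that named it, so an audit never finds a rule pointing at a workload that no longer exists.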

Most organizations aren't ready to turn over their entire infrastructures to a combined model of application development and infrastructure management. One of the advantages of network virtualization is that it allows for a gradual deployment, instead of simply handing over the keys immediately.

A typical use would be an isolated portion of the infrastructure run by a cloud management technology such as OpenStack. The underlying infrastructure could be all hypervisors interconnected by white-box switches running OpenDaylight. As requirements for additional applications arrive, the infrastructure can be expanded with additional hypervisors or extended via a public cloud provider. Since it's all virtual infrastructure to the developer, it doesn't matter which.

The complexity of network virtualization

Network virtualization is not without its challenges. While network controller technology has improved, managing virtualized networks is still a frustrating proposition. Some of the aggravations arise from immaturity of the network controllers themselves; some come from a lack of visibility between the physical and virtual networks.

There are no standards for joint management of virtual and physical networks. If you want robust management data across the two environments, it's best to go with an integrated tool from a provider such as Cisco, Juniper or Brocade. This, however, runs counter to the desire for a network overlay that's independent of the physical underlay.

A second challenge is extending the flexibility of the virtual network to the physical network. Features such as network segmentation are useful only if the traffic flow traverses the hypervisor. If communication occurs between two physical hosts, the zero-trust policies must be enforced via a physical component that is separate from your virtual network. This becomes difficult to maintain, and is similar to the challenge of maintaining security domains across on-premises and public cloud resources.

Network virtualization has the potential to significantly change data center networking, not unlike the effect of server virtualization. But adopting SDN requires new thinking, and it can be seen as a disruption to traditional IT practices. To an organization that is primarily virtualized and looking to deploy a cloud or Platform 3.0 application, network virtualization would be of great value. For traditional enterprise applications, the advantages of network virtualization are negligible beyond network segmentation for the VM footprint.
