SAN FRANCISCO -- VMware shops looking to craft software defined data centers have gotten some much needed help.
VMware has rolled out a handful of products to implement hybrid clouds on VMware and non-VMware platforms and to cut costs with less expensive white box servers.
A prime example of the company’s software defined data center (SDDC) push is version 6.1 of its NSX network virtualization platform. The new version aims to place more software-based network and security functions under the purview of the data center virtualization team, functions now performed by physical switches and firewalls.
NSX 6.1, which was released at VMworld here this week, includes micro-segmentation: networking and security services are built into the platform, so wherever a virtual machine (VM) moves in the network, its security rules follow it. IT managers no longer have to change rules in an individual physical firewall, and when the enterprise decommissions the VM, its security rules disappear with it.
The NSX security improvements will be a boon to data center managers who want to guard against internal breaches with intra-data center firewalls but find physical firewalls too costly to deploy inside the data center. NSX now permits intra-data center firewalling in a distributed manner, enforced at the virtual switch on each host. Traffic does not have to be hairpinned across the data center to reach a firewall.
“This buys reduced capacity requirements on the firewall because you are doing it closer to the source,” said Andrew Lerner, an analyst at Gartner Inc. in Stamford, Conn.
These features could mean big savings in the data center, but the software is very new with limited adoption at this point, he said.
Micro-segmentation and security will continue to be of growing interest to enterprises long after VMworld is over, added Andre Kindness, an analyst at Forrester Research in Cambridge, Mass.
“You’re basically breaking firewalls into little bites,” he said. “If I can do 100 bits everywhere and sum it up it will be less expensive than if I have a 10 Gbps box.”
VMware’s micro-segmentation defense
VMware describes its version of micro-segmentation as an implementation of Forrester’s Zero Trust model: its aim is to stop an attacker who has already breached the data center from moving laterally across it, hopping from one resource to another until they find what they are after, according to the company. IT shops often build most of their security around the perimeter of the data center and have very little firewalling inside it.
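The two properties described above, that rules are tied to a VM’s identity rather than its address or host, and that the check happens on every host rather than at a central chokepoint, are easier to see in a small model. The following is a constructed illustration added here; it is not NSX code and does not reflect VMware’s data model. The security-group names, IP addresses and host names are made up, and the “perimeter only” class stands in for the traditional design with no firewalling between internal VMs.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Rule:
    """One rule expressed on security groups, never on addresses or hosts."""
    src_group: str
    dst_group: str
    dst_port: int
    action: str  # "allow" or "deny"


@dataclass
class VM:
    name: str
    ip: str
    group: str  # security-group tag that the policy refers to
    host: str   # hypervisor currently running the VM (irrelevant to the policy)


class DistributedFirewall:
    """Identity-based policy, enforced on each host for the VMs it runs.

    Constructed model, not NSX's implementation. The decision is made at the
    destination VM's virtual port, so traffic never detours to a central box.
    """

    def __init__(self, rules: Iterable[Rule], default: str = "deny") -> None:
        self.rules: List[Rule] = list(rules)
        self.default = default
        self._vms: Dict[str, VM] = {}

    def register(self, vm: VM) -> None:
        self._vms[vm.name] = vm

    def migrate(self, name: str, new_host: str) -> None:
        # A vMotion changes the host only; the group, and so the policy, is unchanged.
        self._vms[name].host = new_host

    def decommission(self, name: str) -> None:
        # Removing the VM removes its identity, so no stale rule applies to
        # whatever later reuses its address.
        del self._vms[name]

    def _lookup(self, ip: str) -> Optional[VM]:
        return next((vm for vm in self._vms.values() if vm.ip == ip), None)

    def decide(self, src_ip: str, dst_ip: str, dst_port: int) -> str:
        src, dst = self._lookup(src_ip), self._lookup(dst_ip)
        if src is None or dst is None:
            return "deny"  # unknown endpoint: no identity, no trust
        for rule in self.rules:  # first match wins
            if (rule.src_group == src.group and rule.dst_group == dst.group
                    and rule.dst_port == dst_port):
                return rule.action
        return self.default


class PerimeterOnlyFirewall:
    """The common status quo: filtering at the edge, nothing between internal VMs."""

    def __init__(self, internal_prefix: str) -> None:
        self.prefix = internal_prefix

    def decide(self, src_ip: str, dst_ip: str, dst_port: int) -> str:
        inside = src_ip.startswith(self.prefix) and dst_ip.startswith(self.prefix)
        return "allow" if inside else "deny"


def demo() -> Dict[str, str]:
    """Three-tier app with constructed addresses; returns the decisions taken."""
    policy = [Rule("web", "app", 8080, "allow"), Rule("app", "db", 5432, "allow")]
    dfw = DistributedFirewall(policy)
    for vm in (VM("web01", "10.0.1.10", "web", "esx-a"),
               VM("app01", "10.0.2.10", "app", "esx-b"),
               VM("db01", "10.0.3.10", "db", "esx-c")):
        dfw.register(vm)
    flat = PerimeterOnlyFirewall("10.0.")

    results = {
        "web->app:8080": dfw.decide("10.0.1.10", "10.0.2.10", 8080),
        "web->db:5432 lateral": dfw.decide("10.0.1.10", "10.0.3.10", 5432),
        "web->db:5432 perimeter-only": flat.decide("10.0.1.10", "10.0.3.10", 5432),
    }
    dfw.migrate("app01", "esx-c")  # rules follow the VM to its new host
    results["web->app:8080 after migrate"] = dfw.decide("10.0.1.10", "10.0.2.10", 8080)
    dfw.decommission("app01")  # the VM's rules disappear with it
    results["web->old app IP after decommission"] = dfw.decide("10.0.1.10", "10.0.2.10", 8080)
    return results


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:40s} {verdict}")
```

The contrast worth noticing is the web-to-database flow: the perimeter-only model allows it because both addresses are internal, while the group-based policy denies it, which is exactly the lateral hop the article says micro-segmentation is meant to block. The model also shows the caveat a practitioner should carry over to any real deployment: the whole scheme rests on VMs being placed in the right groups, and an unknown or mis-tagged workload falls back to the default verdict.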
VMware also added hybrid cloud connectivity in the form of a Layer 2 VPN service, which lets a data center administrator spin up a development network in software with the same IP addressing as the production network. All of this is done in a logical network container, and administrators can keep separate containers apart.
The company also added Equal Cost Multi-Path (ECMP) edge clusters, a high-bandwidth uplink from the virtual to the physical network, and made improvements to vCloud Suite 5.8 to boost interoperability. VMware said it will improve integration with vCloud Automation Center 6.1 by connecting dynamically created apps to a pre-created NSX logical distributed router. IT pros can isolate their apps by default and apply pre-approved security policies.
“With 5.8 we focused on improving integration of the components within the vCloud suite instead of adding a lot of new features,” said Ed Hsu, director of product marketing at VMware for software defined data center suites. He added, however, that the company did add new capabilities for disaster recovery and business continuity so IT pros can do self-service, policy-based provisioning.
“We are supporting disaster recovery targets that may use hyper-converged storage,” Hsu said. “So if you are using Virtual SAN, as opposed to a shared storage hardware array in your DR target site, that is now supported.”
What else is new?
VMware also debuted:
- VMware Integrated OpenStack to allow IT shops to more efficiently deliver OpenStack APIs and tools that work with their existing VMware infrastructure.
- VMware vRealize Suite that gathers together the company’s current cloud automation, cloud operations and cloud business management products in a single stack to manage software-defined data centers and public cloud infrastructure services.
- VMware vCloud Suite 5.8 designed to serve as an integrated platform for building and managing vSphere private clouds. It features enhanced policy-based provisioning that lets customers add compute, network, security, storage and new disaster recovery services to their applications and infrastructure.
With regard to better provisioning, troubleshooting and monitoring promised by new micro-segmentation features, the question isn’t whether IT shops can get the data. Rather, it’s more about making the data easy to interpret.
“That’s hard to do in most cases,” said Jon Langemak, a network engineer at a Midwestern healthcare company. “It will be interesting to see if this can tie into physical devices or just virtualized service appliances.”
The ECMP improvements directly address one of the product’s initial shortcomings, Langemak said.
“Good network design is predicated on Layer 3 ECMP,” he said. “Having multiple edges connected to different sets of physical gear makes a lot of sense. I’m hoping this enables your overlay gateways to be in different locations with dynamic routing handling ingress and egress into the overlay cloud.”
Whether IT shops will now extend VMware installations to include network virtualization depends on many factors, many of which are not technical but political. The latest advances to NSX will certainly be scrutinized by networking and data center administrators, who may be weighing the features against what is offered in the market by competitors, notably Cisco’s ACI product.
Enterprises must decide if they want all applications and services to run under the domain of a VMware administrator, said Brian Kirsch, a Milwaukee-based virtualization architect and VMware user group executive.
With this level of micro-segmentation, IT shops can isolate different classes of servers, together with the security controls around them, at a much finer grain and without the overhead of additional hardware.
“But software is software and software can fail,” Kirsch said. “Physical devices can also fail, but if anyone gets under the hypervisor, you can compromise a lot of stuff. It hasn’t happened yet but that doesn’t mean it couldn’t.”
“VMware is a virtualization company and NSX is maturing,” he added. “It’s more mature than what Cisco has, but Cisco has a lot of networking experience.”
EVO:Rail makes its debut
VMware also debuted its much rumored hyper-converged infrastructure appliance, EVO:Rail, formerly known as Project Marvin or Project Mystic. The offering is the first in a new family of hyper-converged infrastructure products to be delivered over the next few years, according to Mornay Van Der Walt, vice president of VMware’s Emerging Solutions group.
To make procurement easier for users, VMware will provide the offering through partners with a single SKU covering hardware, software, support and services, Van Der Walt said. Partners will serve as the single point of contact.
Users can buy EVO:Rail only through authorized partners, not directly from VMware. This distribution strategy lets the hardware partners handle what they do best, namely the supply chain, manufacturing, fulfillment and support, freeing VMware to concentrate on the software.
“Going to market through VARs and distributors, the customer is the one who ultimately wins through the simplicity of a single integrated SKU, lower costs and having to make only one support call,” Van Der Walt said.
While he declined to identify the new hardware partners, Van Der Walt did lay out the hardware requirements for EVO:Rail. Users can start with a single 2U, four-node appliance and scale out to four appliances, 16 nodes altogether. Appliances added to an existing EVO:Rail cluster are discovered automatically, he said.
“When you look at the specs we are prescribing for version 1: it is an Intel, Ivy Bridge E5 2620 – a 6-core CPU with 192 gigs per node. But these platforms are capable of going to 8 and 10 plus cores. That packs a big punch,” Van Der Walt said.