As VMworld 2012 kicks off in San Francisco I couldn’t be more excited. The sheer breadth and depth of VMware and partner solutions being showcased and launched as part of the software-defined datacenter (SDDC) is staggering, with a ton of activity happening around two key pillars of the SDDC – software-defined networking (SDN) and security.
In previous posts, I wrote about the need for a new networking and security architecture, and its role in the SDDC. As we spent time working through the product release, and integrating with several partners, we began to see certain patterns emerge in realizing the software-defined networking and security architecture. The following picture is a fairly succinct view of the stack – it should come as no surprise that some of these patterns are similar to the corresponding compute and storage stacks.
The Software-Defined Networking & Security Stack
The SDN and SDSec stack is built around policy-based automation, leveraging centralized management and control with distributed network and security functions, while abstracting and untethering the stack from the underlying physical hardware. Key attributes of software-defined networking and security include:
- ABSTRACTION. The network is abstracted as a set of network ports (and virtual NICs on the VM side). Security is abstracted as a set of port firewalls and endpoint introspection. These abstractions are instantiated via virtual switches (vSwitch) and virtual firewalls (vShield) respectively, and are deployed in a scale-out fashion on each host hypervisor. The network and security virtualization layer effectively untethers the virtual data center (VDC) from the underlying physical network and firewall architecture, and provides a logical foundation on which to build the rest of the stack.
- POOLING. vSwitches are pooled into virtual distributed switches (VDS). Ports are pooled into port groups. Logical networks leverage these port groups and can be instantiated across the data center (VXLAN). Port firewalls are realized in vShield App or vShield Edge. VM-based security is available via vShield Endpoint and endpoint security partner offerings. Because of the scale-out nature of the deployment, these pools are elastic and data-center wide, and available on demand to be allocated to tenants or app owners.
- SERVICE INSERTION. The platform must be extensible to enable instant insertion of additional abstractions into the virtual plane, e.g., encryption, intrusion detection and prevention, anti-virus, application delivery controllers, data leakage prevention, WAN optimization control, monitoring tools, and other L4-7 services. The network and security virtualization layer provides the logical context into which such services are inserted.
- AUTOMATION. Just as the VM was the container for server virtualization, the Virtual Data Center (VDC) is the container for the SDDC. VDC deployments are completely automated via vCloud Director, which handles policy-based deployment of compute and storage and delegates networking and security deployments to the vCloud Networking & Security sub-system. A centralized command and control mechanism (vShield Manager) takes inventory of all the abstractions and pools, and is responsible for managing these pools, mapping them onto the needs of higher-level entities like tenants or apps, and aligning them with higher-level virtual containers. Multi-tenancy, isolation, elasticity, and programmability via RESTful interfaces are also handled here.
Software-Defined Networking & Security Lineup at VMworld
There are several noteworthy things happening at VMworld this week coming from VMware on the networking and security front:
- Today we launched the VMware vCloud Networking and Security Suite 5.1, which brings together new and updated versions of all the key components into a unified SDN & SDSec suite. It is being bundled into the vCloud Suite, making it easier for customers to seamlessly automate their networking & security needs as they build, operate and manage cloud infrastructure.
- VMware also made several key advances in various areas of the networking & security stack – including the VDS, VXLAN, vShield App, Edge and Endpoint, and vCloud Networking. All of these technologies are featured in sessions this week and demoed at the VMware booth.
- During today’s VMworld keynote, Steve Herrod demoed how the vCloud Suite paves the way for new datacenter SDN and SDSec architecture. Pre-eminent “Virtual Network Engineer” Serge Maskalik helped out on stage – effectively compressing weeks of intricate network and firewall engineering into a matter of minutes leveraging the power of the new architecture. This is the wave of the future!
- The VMware Ready™ for Networking and Security Program also launched today. More than forty of our networking and security ecosystem partners will now be able to integrate their offerings into the new architecture. This program and the vCloud Ecosystem Framework allow our partners to further extend the SDDC – a big win for our partners and customers.
- If you’re in San Francisco this week, there are several deep dive sessions in the networking & security tracks you can attend to learn more about this topic. I plan to provide even more color in my SDN breakout session on Wednesday (INF-NET2313).
- Finally, it’s great to have Nicira join the VMware team at VMworld 2012! Nicira’s leadership in software-defined networking, adding network virtualization to other hypervisors and cloud management systems like OpenStack, and early wins in cloud scale datacenters makes for an exciting coming together of two awesome teams.
Network and Security Ecosystem
I spoke about abstraction, pooling, service insertion, and automation as the key building blocks of the SDN and SDSec stack. These will continue to be especially important as VMware integrates additional partner offerings. Ideally, these specialized functions are virtualized, distributed, scale-out, multi-tenant, and manageable by their respective element manager, for the most seamless integration into the stack.
SDN (and the SDDC) open a new opportunity for the networking ecosystem: there is a need for a whole new class of networking hardware to realize fast, fat and flat, programmable, converged fabrics, where massive scale requirements will call for new hardware and ASICs, especially at the spine/core. The programmability of such fabrics will also unleash a new wave of network-aware applications and innovative deployments, increasing the opportunity rather than curtailing it, much as we have seen with compute and storage.
VMware definitely couldn’t do all this alone! We value our partners and the joint work we are doing to address customer pain points. Many of our security and networking partners are at VMworld this week, showcasing their solutions for the SDDC in breakout sessions, demos and more. On Tuesday I am hosting an SDN & SDSec partner breakout (INF-SEC3460). I encourage you to attend to learn more about the tremendous work happening in the ecosystem.
As you can see, there is a lot going on in this space! VMware is serious about software-defined networking and security, and about helping our customers automate the data center, including interconnecting heterogeneous pools of compute and storage. I’d like to thank the VMware networking and security teams who have worked hard to showcase all of this at VMworld in the keynotes, the breakout sessions and deep dives in the network and security track, and the hands-on labs.
I look forward to meeting some of you at VMworld, and hearing your thoughts and ideas about networking and security!