Network Virtual Appliances Are Silly

-->

Network Virtual Appliances Are Silly

In recent years the possibility of supporting complex network functionality in the form of a “virtual appliance” has become reality. The idea is to create software versions of traditionally “hardware-based” platforms, such as firewalls and load balancers (and their offspring Application Delivery Controllers), running as a VM atop whatever hypervisor. I can see the appeal. However, I’m convinced that the virtual appliance approach doesn’t work in the long-run.

For many of these appliances the conversion from hardware to virtual appliance isn’t hard; it’s not uncommon for network appliances to be based on off-the-shelf hardware with customized faceplates, so converting the software to a VM is straight-forward enough. But therein is exposed a fundamental problem: in large part these off-the-shelf platforms don’t scale well. Vendors have been able to take advantage of the latest off-the-shelf hardware for their appliances, which can perform at multi-gigabit speeds, because many enterprise applications don’t require anything near that capacity. But any application that requires scale beyond the IO capacity a single server will be disappointed by a virtual appliance.

To illustrate the point, imagine a virtual appliance running as a VM capable of forwarding 1G of traffic but attempting to support a dozen VM servers each capable of generating the same 1G of traffic. A dedicated, and possibly hardware-based, approach is obviously a better performing alternative. Now imagine a Cloud service provider’s environment, where the datacenter traffic is the sum of all these applications densely packed into compute clusters. Clearly a multi-tenant network appliance must be hardware-based to meet the aggregated demand.

Even if that demand is to be divided amongst many virtual appliances (i.e. a multi-instance approach rather than multi-tenant) we have a problem: topology. Most often the network service needs to be in-line with traffic flows to work effectively. For instance a firewall needs to see and control traffic flows, which is traditionally accomplished by being embedded within a network gateway. For the most part, network topology is defined by the Cloud service provider and the customer has no control of it. And even if the customer could control or manipulate topology, it is horribly inefficient to bounce traffic around inside the cloud on its way in or out, hurting performance. This “amplification” of traffic is often inevitable inside a datacenter, but can be optimized by placing network services closer to the core switches and/or backbone routers.

In other words, network services are best provided by the provider of the underlying infrastructure. Networks built to support these features will work better than trying to hack-together a service layer on top of an unintelligent Cloud network.

At least, this is true for now. Look for my next post, which will discuss the future of network services around hypervisor- and network-embedded capabilities.

This entry was posted on Wednesday, June 9th, 2010 at 17:19 and is filed under Cloud, Datacenters, Network Architecture, Virtualization. You can follow any responses to this entry through the RSS 2.0 feed.

http://topsy.com/www.queuefull.net/~bensons/2010/06/09/network-virtual-appliances-are-silly/?utm_source=pingback&utm_campaign=L2 Tweets that mention Network Virtual Appliances Are Silly « Benson Schliesser — Topsy.com

[...] This post was mentioned on Twitter by Benson Schliesser, Rob Powell. Rob Powell said: Network Virtual Appliances Are Silly « Benson Schliesser http://icio.us/k3glmp [...]
http://twitter.com/spifbv spif Ω≈

I think these software appliances have their uses, but certainly the use case you discuss is not appropriate. At least that's true with the current generation of hypervisors and underlying hardware. I think both are maturing in ways that will eventually give us far more scalable and flexible virtualization.

Essentially the typical multi-tenant network appliance that is “hardware-based” is just running a specialized form of virtualization on specialized hardware. It may be that the specialized model will continue to be at the leading edge in terms of scalability, but I think we will start to see the gap close. Eventually the advantages of a general-purpose (or at least multi-function) platform may begin to outweigh the disadvantage posed by the remaining gap.
http://twitter.com/spifbv spif Ω≈

BTW, I guess this means Nexus 1000V is #fail?
http://etherealmind.com Etherealmind

The Nexus 1000V isn't an appliance so isn't a valid comparison.. It's more like an attempt to upgrade the networking capabilities of the vSwitch and give networking some operational capability.