“When Nutanix has gone down stack to try to build their own hypervisor, across stack to build their own networking, and now going upstack to compete against Horizon—we view it as sort of a copycat, wannabe VMware move”
– Sanjay Poonen, VMware COO, in CRN
My last post responded to the VMware COO’s taunt that Nutanix is a VMware virtualization copycat. In this one, I address his similar claim about networking. While there is nothing wrong with enhancing customer delight by incorporating aspects of other compelling technologies, I do strongly object to the implication Nutanix would copy VMware’s long-in-the-tooth architecture. If Nutanix takes cues from anyone, it is the leading cloud providers.
THE EVOLUTION OF NETWORK VIRTUALIZATION
Several years ago, before the advent of API-programmable network switches, physical networks did not adapt to application needs. A request for application deployment could require days, or sometimes weeks, to provision the necessary network switches and routers. Physical networking, as with physical servers and physical storage, was an IT bottleneck, and virtual alternatives emerged to resolve it.
When VMware virtualized the data center, it dramatically consolidated the number of servers and the associated cabling. Nutanix’s HCI revolution then slashed the need for SANs, NAS, HBAs, storage network switches, and associated cabling. Virtual networks typically reduce the need for some hardware, but regardless of how you implement them, they still require the underlying top-of-rack switches, core switches and physical cabling.
Network virtualization has gone through three primary stages: virtual switches, network overlays, and microsegmentation.
1) Virtual Switches
VMware introduced the first virtual switch which connects the VMs to each other and to the physical network fabric. Cisco 1000v/AVS, VMware VDS (Virtual Distributed Switch) and Open vSwitch (OVS) are the three most commonly used virtual switches today. OVS is an open source virtual switch that does not require a native SDN (software-defined networking) controller as in the case of the 1000v, or vCenter manager in the case of VMware VDS. It also enjoys widespread community support.
2) Network Overlay
A network overlay is an abstract representation of the entire physical network into a virtual layer. Overlays at the hypervisor layer, such as NSX, are often called a Virtual Network Overlay or just Virtual Network. The virtual overlay network partitions the physical infrastructure using encapsulation such as VXLAN or Geneve. It incorporates network functions such as L2, L3, and firewalls, enabling individual application topologies to run on top of it.
Overlays are also built at the physical layer, as with Cisco ACI, using physical hardware switches and an external controller (Cisco APIC). Whether at the hypervisor or physical layer, network overlays provide both programmability and agility. But even after years of innovation, they remain complex to install, manage and operate.
3) Microsegmentation
Microsegmentation is, from a very simplified perspective, analogous to a gated community. Once you drive through the main gate, traditional security lets you break into every house. Microsegmentation installs the equivalent of a lock on every door of every house.
Rather than apply security rules on a physical device used as a gateway elsewhere in the network, microsegmentation applies them at the vNIC level. Bringing security as close as possible to the VM provides the best detection and prevention of attacks while reducing the attack surface down to a flow. It also eliminates performance hits from sending traffic across the network to a physical firewall.
VMWARE NSX – BORN IN THE DUMB TRANSPORT ERA
In 2006, Nicira addressed the lack of programmability and agility in physical networks by building the foundation for software-defined networking. Nicira enabled programmable networks on top of hypervisors by replicating the physical network into software. In 2012, VMware acquired Nicira for $1.26B as the underpinning for its NSX network virtualization platform.
NSX solved the problem of dumb transport while adding security, automation and blueprints. NSX is one of VMware’s most successful products of all time, with an annual run rate of $1.4B. Last August, VMware said that “82 companies of the Fortune 100 have adopted NSX,” and that sales are up 40% year over year. Channel partners tell me that NSX is easy to sell.
VMware pitches NSX to the virtualization teams – telling them that it provides an opportunity to take over traditional networking tasks such as provisioning VLANs, routing, firewalls, load-balancing, and so on. Of course, this requires that the virtualization administrators learn networking. It can also lead to conflict with the networking administrators who tend to not like the virtualization folks impinging on their domain.
Also concerning is the complexity that NSX injects into the environment. NSX was built to replicate the network in software as an overlay, but the underlying physical network still needs managing as well. The NSX Installation Guide is 124 pages – and that doesn’t include the myriad supplemental third-party installation blog posts. And the VMware NSX troubleshooting guide is 247 pages.
Many organizations face additional hurdles just getting their environments ready to install NSX. To start, VMware requires upgrading VMware vSphere to the latest version. Then the right hardware must be installed, and maximum transmission unit (MTU) increased throughout the network to support encapsulation such as VXLAN or Geneve. This can require weeks of time along with tens of thousands of dollars in professional services. Larger organizations often need separate firewalls and network switches for DMZs, PCI, etc. – adding to the deployment complexity.
To be fair, microsegmentation is the top NSX use case, and organizations could install just this NSX component. It would be much less complex and not require overlay technology, though it still would require purchasing all the NSX overhead. It would also likely prompt pushback from the VMware sales teams to enable the full NSX product as this creates more VMware stickiness. Once an organization sets up an overlay network with controllers, edge, and encapsulation, it is less likely to consider a much simpler approach to meeting its actual security and automation requirements such as Nutanix Flow.
NUTANIX FLOW – BORN IN THE CLOUD ERA
Most enterprises do not care what network hardware is used or what firewall is deployed. As Nutanix built out its HCI solution into a comprehensive enterprise cloud platform, it focused on delivering the networking attributes that matter: Application uptime, security, visibility and automation. A network overlay is not an efficient means of providing these capabilities.
Fortunately, the emergence of easily programmable switches, for the most part, abolished the need for full-blown network virtualization. Programmable switches make the physical network more responsive to changing application needs. Today, most networking vendor products provide “smart underlays” that have programmable controls via an API. Four of them already integrate with Nutanix APIs and two more are targeted.
Nutanix Flow uses its VM awareness from AHV and event-driven APIs to provide the physical network with the details required for VM networking orchestration. It also uses hypervisor-level microsegmentation via a distributed firewall built into the AHV Open vSwitch. Flow applies VM-level security based upon application policies, service insertion, and network automation. For example, when a new virtual network is added in Nutanix Prism, it is detected by the physical network and made instantly available across the switch fabric. When a VM migrates, both the physical and virtual networks are provisioned and the security rules follow the VM.
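As an added example (not Nutanix Flow or NSX code), the following constructed Python model shows the policy evaluation that the microsegmentation section above and this paragraph describe: rules bound to VM categories are evaluated at each destination vNIC, east-west traffic inside one subnet that a perimeter gateway never sees is still subject to them, and the rules follow a VM when its host and IP change. The VM names, categories, IP addresses and ports are constructed sample values.

```python
# Constructed model of category-based microsegmentation (added example, not
# Nutanix Flow or NSX code). Rules bind to VM categories and are evaluated at
# the destination vNIC, independent of the VM's IP, host or any gateway.
from dataclasses import dataclass

@dataclass(frozen=True)
class VM:
    name: str
    categories: frozenset
    host: str
    ip: str

@dataclass(frozen=True)
class Rule:
    src_cat: str  # category the source VM must carry
    dst_cat: str  # category the destination VM must carry
    port: int     # destination TCP port
    action: str   # "allow" or "deny"

def evaluate(rules, src: VM, dst: VM, port: int) -> str:
    """Decide one flow at dst's vNIC: first match wins, default deny."""
    for r in rules:
        if r.src_cat in src.categories and r.dst_cat in dst.categories and r.port == port:
            return r.action
    return "deny"  # the lock on every door: nothing is implicitly open

def perimeter_only(src: VM, dst: VM) -> str:
    """Gateway model: only flows that leave the /24 reach the firewall."""
    same_subnet = src.ip.rsplit(".", 1)[0] == dst.ip.rsplit(".", 1)[0]
    return "uninspected" if same_subnet else "inspected"

def migrate(vm: VM, host: str, ip: str) -> VM:
    """Live-migration style move: host and IP change, categories stay."""
    return VM(vm.name, vm.categories, host, ip)

# Constructed three-tier sample: only web->app and app->db are permitted.
RULES = (Rule("web", "app", 8080, "allow"), Rule("app", "db", 5432, "allow"))
WEB = VM("web-1", frozenset({"web"}), "host-a", "10.0.1.10")
APP = VM("app-1", frozenset({"app"}), "host-a", "10.0.1.20")
DB = VM("db-1", frozenset({"db"}), "host-b", "10.0.1.30")

def demo() -> dict:
    """Return the verdict for each sample flow, keyed by description."""
    app_moved = migrate(APP, "host-c", "10.0.2.20")
    return {
        "web->app:8080": evaluate(RULES, WEB, APP, 8080),
        "web->db:5432": evaluate(RULES, WEB, DB, 5432),
        "web->db via perimeter": perimeter_only(WEB, DB),
        "web->app:8080 after move": evaluate(RULES, WEB, app_moved, 8080),
    }
```

The perimeter check shows why a gateway firewall alone cannot give the "lock on every door": web-1 and db-1 sit in the same /24, so that flow never reaches the gateway, while the vNIC-level evaluation denies it.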
As with all Nutanix offerings, simplicity is a guiding principle. Flow is native to the networking layer in AHV and managed through the same Nutanix Prism used for HCI and virtualization administration. There is no “installation”, just license the feature and enable. There is no upgrading of the environment to make it “Flow-ready.” On day zero, administrators can begin configuring policies.
Rather than managing a separate virtualized network with its own control and data plane, administrators simply focus on the applications that run the business. The networking teams are free to do what they do best – deliver connectivity. Best of breed networking works in conjunction with virtual environments without conflict or friction between networking and virtualization teams.
WHICH PLATFORM SHOULD A CUSTOMER PURCHASE?
As when evaluating most disruptive technologies, answering this question needs context. An analysis should start with business objectives and outcomes. The next step is to identify requirements in terms of security, virtual networking, visualization, automation, uptime, performance, simplicity, disaster recovery, and so on. Only at this point does it make sense to evaluate which software-defined approach is more appropriate.
Why Should an Organization Purchase NSX?
- It doesn’t run Nutanix
- It runs Nutanix but not AHV
- It runs Horizon View as a large use case (VMware, unsurprisingly, doesn’t support Horizon on AHV)
- It does not want to work with programmable switches
- It is an all-in “VMware shop” with no desire to change
Why Should an Organization Purchase Flow?
- One-click operation
- Lifecycle management: Upgrade environment with a click vs. a paid engagement
- Lower licensing cost
- Lower operations cost
- Provides frictionless VM to VM security without building an overlay network
- Works with any existing network vendor and architecture – nothing extra to install
- It’s built into AHV and Prism Central
- No changes needed to the existing physical network
- Integrates with smart switches for stretched L2 networks
- Provides security for applications running in AHV
- Provides desktop isolation for XenDesktop on AHV
- Extends networking functions to third parties (firewalls, APM, packet analysis, etc.)
NSX COPYCAT? MORE LIKE ANTITHESIS
NSX continues the paradigm of replicating the entire physical network – dating back to the days when switches were dumb. While successful, NSX benefits from its pitch to VMware’s existing installed base of over 600,000 customers. NSX is an easy add-on to an ELA.
In my opinion, no one would design a solution such as NSX today. It is built to solve technology problems from years ago by layering extensive network complexity on top of an already anachronistically complex virtualization environment.
In contrast, Nutanix built Flow to a cloud-like specification. As with public clouds, Flow hides the networking yet enhances security and connectivity by focusing on policies, categories, and automated interaction. Nutanix Flow is much simpler than overlay networks by design.
In the early days before the widespread adoption of SaaS, IT often needed up to three years to fully implement CRM applications. Salesforce changed the industry by making its CRM so simple that no one any longer cared about the speeds-and-feeds of features. Salesforce democratized CRM for everyone. Nutanix brings this same democratization to virtual networking with one-click simplicity.
Huge thanks to Jason Burns, Dan Angst, Shridhar Devarapalli, Rahul Tripathi, Jon Jones, Mike Wronski, Wayne Conrad and Paul Updike for concepts, content and editing.
Disclaimer: The views expressed in this blog are those of the author and not necessarily those of Nutanix, Inc. or any of its other employees or affiliates.
SOURCES
Flow Screenshots (actual screenshots showing Nutanix Flow simplicity in action, courtesy of @bbbburns). Google Docs.
VMware CEO Lists Top 3 Priorities for 2019: NSX, Cloud, and Containers. 12/05/2018. Jessica Lyons Hardcastle. SDxCentral.
Enable Nutanix Flow. 08/10/2018. Artur Krzywdzinski. vmwaremine.
Tech TopX: Datacenter Security with Flow. 05/31/2018. Jason Burns. YouTube.
What’s New in AHV Network Visualization – Part 2 (series). 2017. Jason Burns. Nutanix.Next.
What Cisco’s New Programmable Switches Mean for You. 06/27/2017. Brandon Butler. Network World.
In the Second Inning of a Nine-Inning Game: NSX Use Cases and the Networking Revolution. 08/16/2016. Radius Staff. vmware.com/radius.
The Road to SDN: An Intellectual History of Programmable Networks. 04/08/2014. Nick Feamster, Jennifer Rexford, Ellen Zegura. Princeton.eu.
Programmable Network (PN). May 2013. TechTarget.
vSphere Best Practices: Know What Powers Your Virtualized Network. October 2008. Rachel Shuster. ComputerWeekly.
Cisco’s First Software Switch – the Nexus 1000V. 09/21/2008. Michael Morris. Network World.
VI3 Networking Scenarios and Troubleshooting. Krishna Raja. VMworld 2006.