Within both public and private cloud data centers, the number of Virtual Machines per server blade is increasing rapidly, leveraging ongoing improvements in the performance of the x86 processors used on those blades. Today, a typical server blade in a service provider data center hosts at least 50 VMs, with that number expected to grow to hundreds within a few years.
Because of this growth in the number of VMs running on each server blade, the data center network needs to expand beyond its current limit at the Top-of-Rack, to a model where a virtual switch on each server blade is used to distribute the increasing volume of network traffic to virtualized applications. This function is typically implemented using the open-source Open vSwitch (OVS) or an equivalent proprietary virtual switch.
For multi-tenant data centers, high-bandwidth VM-to-VM communication (VM2VM) is mandatory. Isolating and securing VM2VM traffic, however, requires extensive routing, firewalling and load balancing services that extend beyond the basic Layer 2 features provided by a typical virtual switch. Multi-tenant architectures also require traffic engineering (ACLs, tunneling, QoS, etc.) to be performed at the server edge in order to provide users with individual, differentiated services.
Advanced security policies are necessary to secure both physical and virtual traffic. Within a cloud, these ensure that only certain VMs can access the applications and data owned by other VMs. Between clouds, policies are enforced to ensure that data and traffic for one cloud is not visible to another.
Adding to the overall security- and networking-related workload that must now be supported on server blades is the increasing trend towards overlay network technologies, which avoid the 4,094-ID limit of traditional VLANs. Data centers are now adopting the VXLAN and NVGRE protocols, with 16-bit IDs that allow for 16 million tunnels.
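To make the server-edge policy model in the preceding paragraphs concrete, here is an added example (not 6WINDGate, OVS or any product code) of a minimal virtual-switch policy table: each VM is attached to one overlay segment, a frame is only accepted if its overlay ID matches the segment of both the source and destination VM (so traffic from one tenant's segment is never visible to another's), and within a segment an explicit ACL decides which VM pairs may talk, with a default deny. All VM names, segment IDs and rules are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed model of a frame as seen by the virtual switch after overlay decapsulation.
@dataclass(frozen=True)
class Packet:
    vni: int        # overlay segment ID the frame arrived on (VXLAN VNI / NVGRE VSID)
    src_vm: str
    dst_vm: str
    proto: str      # "tcp" or "udp"
    dst_port: int

# Constructed ACL entry; "*" as proto and 0 as dst_port act as wildcards.
@dataclass(frozen=True)
class Rule:
    src_vm: str
    dst_vm: str
    proto: str
    dst_port: int
    action: str     # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (self.src_vm == pkt.src_vm and self.dst_vm == pkt.dst_vm
                and self.proto in ("*", pkt.proto)
                and self.dst_port in (0, pkt.dst_port))


class TenantSwitchPolicy:
    """Hypothetical server-edge policy table: segment isolation first, then an ACL, then default deny."""

    def __init__(self) -> None:
        self.vm_segment: Dict[str, int] = {}   # which overlay segment each VM belongs to
        self.rules: List[Rule] = []            # ordered ACL; first match wins

    def attach_vm(self, vm: str, vni: int) -> None:
        self.vm_segment[vm] = vni

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        """Return (verdict, reason) for one frame."""
        src_seg = self.vm_segment.get(pkt.src_vm)
        dst_seg = self.vm_segment.get(pkt.dst_vm)
        # Unknown endpoints are never forwarded.
        if src_seg is None or dst_seg is None:
            return ("deny", "unknown-vm")
        # A frame carrying a segment ID its source VM is not attached to is rejected:
        # a VM must not be able to inject traffic into another tenant's segment.
        if src_seg != pkt.vni:
            return ("deny", "segment-mismatch")
        # Destination must live in the same segment; overlays never leak across tenants.
        if dst_seg != pkt.vni:
            return ("deny", "cross-tenant")
        # Within the segment, the ACL decides which VM pairs may communicate.
        for rule in self.rules:
            if rule.matches(pkt):
                return (rule.action, f"rule:{rule.src_vm}->{rule.dst_vm}:{rule.proto}/{rule.dst_port}")
        return ("deny", "default-deny")


def build_policy() -> TenantSwitchPolicy:
    """Constructed two-tenant layout: tenant A on segment 5001, tenant B on segment 5002."""
    policy = TenantSwitchPolicy()
    policy.attach_vm("web-a", 5001)
    policy.attach_vm("db-a", 5001)
    policy.attach_vm("app-b", 5002)
    # Only the web tier of tenant A may reach its database, and only on the database port.
    policy.add_rule(Rule("web-a", "db-a", "tcp", 5432, "allow"))
    return policy


def demo_verdicts() -> Dict[str, Tuple[str, str]]:
    """Run a handful of constructed frames through the policy and return the verdicts."""
    policy = build_policy()
    frames = {
        "web_to_db_pg":       Packet(5001, "web-a", "db-a", "tcp", 5432),
        "web_to_db_ssh":      Packet(5001, "web-a", "db-a", "tcp", 22),
        "tenant_b_to_db_a":   Packet(5002, "app-b", "db-a", "tcp", 5432),
        "spoofed_segment":    Packet(5001, "app-b", "db-a", "tcp", 5432),
        "unknown_source":     Packet(5001, "ghost", "db-a", "tcp", 5432),
    }
    return {name: policy.evaluate(pkt) for name, pkt in frames.items()}


if __name__ == "__main__":
    for name, verdict in demo_verdicts().items():
        print(f"{name:18} -> {verdict[0]:5} ({verdict[1]})")
```

The ordering matters: segment checks run before the ACL so that no ACL entry, however permissive, can ever admit a frame from another tenant's segment, and a frame whose overlay ID does not match its source VM's attachment is dropped rather than being evaluated under the wrong tenant's rules.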
From the point of view of the data center operator, it is critical that the solutions they select to achieve the virtual switch enhancements described above are fully compatible with emerging options for data center orchestration such as OpenStack and for Layer 2/3 management such as OpenFlow. In addition, Carrier Grade reliability is mandatory for enterprise-class data centers.
At 6WIND, we recognized these security-driven virtual switch challenges and enhanced the 6WINDGate™ software, already widely deployed in network appliances, to deliver performance improvements and advanced networking features for virtual switches (details here). We'll be discussing our solutions at our booth, number 854, at RSA Conference; we hope to see you there!