Can network appliances be virtualized and still provide high performance at high speeds? That was one of the key questions left open at the end of the previous installment in my series of blogs, when we took a closer look at network appliances and how they can be used to provide real-time insight for management and security of SDN/NFV networks. (See Managing SDN & NFV With Real-Time Insight.)
In many ways, network appliances lend themselves very well to virtualization. They are already based on standard server hardware with applications that are designed to run on x86 CPU architectures. The issue is performance.
Even for physical network appliances, performance at high speed is an issue. That is why most high-performance appliances use analysis acceleration hardware. While analysis acceleration hardware does free up CPU cycles for more analysis processing, most network appliances still use all the CPU processing power available to perform their tasks.
From a virtualization point of view, this means that appliances can be virtualized only up to a point. If the data rate and the volume of data to be processed are low, a virtual appliance can be used, even on the same server as the clients being monitored.
However, once the data rate and volume increase, the CPU requirements of the virtual appliance increase with them. At first, this means the virtual appliance needs exclusive access to all the CPU resources available. But even then it runs into the same performance issues as physical network appliances that rely on standard NIC interfaces: packet loss, imprecise time-stamping and inefficient load balancing across the CPU cores available.
The fact of the matter is that virtualization of appliances cannot escape the constraints that network appliances face in the physical world. These same constraints will be an issue in the virtualized world and must be dealt with accordingly.
One way of addressing this issue is to use physical appliances to monitor and secure virtual networks. Virtualization-aware network appliances can be "service-chained" with virtual clients as part of the service definition. This requires that the network appliance can identify the virtual network each packet belongs to, which today is typically done using VLAN encapsulation (802.1Q tagging, including stacked tags), a method already broadly supported by high-performance appliances and analysis acceleration hardware. The appliance can then apply its analysis per VLAN, and hence per virtual network.
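To make the two mechanisms above concrete (identifying the virtual network from the VLAN tags, and the per-core load balancing that a standard NIC does poorly), here is an added example written for this page; it is not Napatech code and not taken from any appliance. It assumes Ethernet II frames with optional stacked 802.1Q (0x8100) / 802.1ad (0x88A8) tags carrying IPv4 over TCP or UDP, and it uses CRC32 as a stand-in for the flow hash a NIC or acceleration card would compute. All function names and the sample frames are constructed for illustration.

```python
"""Identify the virtual network of each frame from its 802.1Q / QinQ tags and
pin every flow (both directions) to one worker core.

Added illustration, not Napatech code. Assumes Ethernet II, optional stacked
802.1Q / 802.1ad tags, IPv4 payload, TCP or UDP transport.
"""
import struct
import zlib
from ipaddress import IPv4Address

ETH_P_8021Q = 0x8100   # customer VLAN tag
ETH_P_8021AD = 0x88A8  # service-provider (outer) tag used for QinQ
ETH_P_IP = 0x0800
VLAN_ETHERTYPES = (ETH_P_8021Q, ETH_P_8021AD)


def build_frame(vids, src_ip, dst_ip, proto, sport, dport):
    """Construct a minimal tagged Ethernet/IPv4/L4 frame (sample data only).

    `vids` lists VLAN IDs outermost first; an empty list yields an untagged
    frame. Checksums are left zero because nothing here validates them.
    """
    frame = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    for i, vid in enumerate(vids):
        tpid = ETH_P_8021AD if i < len(vids) - 1 else ETH_P_8021Q
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)
    frame += struct.pack("!H", ETH_P_IP)
    l4 = struct.pack("!HH", sport, dport) + bytes(16)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return frame + ip + l4


def parse_frame(frame):
    """Return the VLAN stack (outermost first) and IPv4 5-tuple of a frame,
    or None if it is not IPv4 over TCP/UDP or is truncated."""
    if len(frame) < 14:
        return None
    off = 12
    vids = []
    ethertype, = struct.unpack_from("!H", frame, off)
    off += 2
    while ethertype in VLAN_ETHERTYPES:       # walk stacked tags
        if len(frame) < off + 4:
            return None
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        vids.append(tci & 0x0FFF)             # drop PCP (3 bits) and DEI (1 bit)
        off += 4
    if ethertype != ETH_P_IP or len(frame) < off + 20:
        return None
    ver_ihl = frame[off]
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    proto = frame[off + 9]
    if proto not in (6, 17):                  # TCP or UDP only
        return None
    src = IPv4Address(frame[off + 12:off + 16])
    dst = IPv4Address(frame[off + 16:off + 20])
    l4 = off + ihl
    if len(frame) < l4 + 4:
        return None
    sport, dport = struct.unpack_from("!HH", frame, l4)
    return {"vids": vids, "src": src, "dst": dst, "proto": proto,
            "sport": sport, "dport": dport}


def flow_key(parsed):
    """Direction-independent key: VLAN stack, protocol and the two endpoints
    in sorted order, so both halves of a conversation share one key. The VLAN
    stack is part of the key because the same 5-tuple may legitimately exist
    in two different virtual networks."""
    a = (int(parsed["src"]), parsed["sport"])
    b = (int(parsed["dst"]), parsed["dport"])
    lo, hi = sorted((a, b))
    return (tuple(parsed["vids"]), parsed["proto"], lo, hi)


def pick_core(parsed, n_cores):
    """Map a flow to a worker index with CRC32 (deterministic, unlike Python's
    per-process-salted hash()); stands in for a NIC's RSS hash."""
    vids, proto, lo, hi = flow_key(parsed)
    data = struct.pack("!H", len(vids)) + b"".join(struct.pack("!H", v) for v in vids)
    data += struct.pack("!BIHIH", proto, lo[0], lo[1], hi[0], hi[1])
    return zlib.crc32(data) % n_cores


def distribute(frames, n_cores):
    """Bucket a batch of frames by worker core; returns (buckets, dropped)."""
    buckets = {i: [] for i in range(n_cores)}
    dropped = 0
    for f in frames:
        p = parse_frame(f)
        if p is None:
            dropped += 1
            continue
        buckets[pick_core(p, n_cores)].append(p)
    return buckets, dropped
```

The symmetric key matters for security analysis: an IDS or flow monitor that sees only one direction of a TCP session on a given core cannot reassemble it, so request and reply must land on the same worker. Keying on the full VLAN stack rather than just the inner tag is what keeps two tenants' overlapping address space apart.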
This can be a very useful solution in a practical phased approach to SDN and NFV migration. It is broadly accepted that there are certain high-performance functions in the network that will be difficult to virtualize currently without taking a considerable performance hit. Pragmatic solutions are therefore advocating an SDN and NFV management and orchestration approach that takes account of physical and virtual network elements. This means that policy and configuration do not have to concern themselves with whether the resource is virtualized or not, but can use the same mechanisms to "service-chain" the elements as required.
We should therefore expect that the introduction of SDN and NFV will require a mixture of existing and new solutions for management and security under a common framework with common interfaces and topology mechanisms. With this in place, functions can be virtualized when and where it makes sense without affecting the overall framework or processes.
— Dan Joe Barry, VP of Positioning and Chief Evangelist, Napatech