The Virtual Data Center

A Virtual Team Blog about the VDC and How To Get There

Archive for October, 2008

Virtualization Services and the VDC: 1 Year Later, Things Are Good

October 28, 2008 By: Alan Category: cloud, data center, virtualization, vmware No Comments →

Ah…back in the Northwest from yet another trip to the desert last week. Unlike Death Valley after VMworld, this trip was a week in Palm Springs for an internal conference. Don’t get me wrong, I like the desert, like it a lot in fact, but I’m good for a while. I need my barely-above-freezing temps, wind, and rain for a while to get the system back on track. “I feel right, Brian; I feel right.”

To the title, obviously virtualization is well beyond the 1 year mark. One year ago at the same conference I just returned from, I unveiled the 8 Types of Virtualization concept and treating the data center as a service. I wouldn’t say it was received poorly, but I would say it was a new and foreign concept and took a while for attendees to wrap their heads around the ideas. Even at MMS earlier this year my VDC Service concept presentation resulted in a very long Q&A session. At the time I created that idea (earlier in the Summer of ‘07) most everyone was talking about virtualization in the scope of VMware; everything else was just part of that solution. Storage virtualization? Sure, plug a LUN into ESX. Application virtualization? Yep, running a 2003 VM with terminal services. Network virtualization? Of course, VMware supports VLANs.

Fast forward one year and wow, what a difference a year makes. Rather than delivering ideas at the conference, this year I played more of a consumer and adviser role. I had people walking up to me all week and asking questions about the difference between SaaS and apps in the cloud, about virtual network and storage consolidation with FCoE, about provisioning services with VMware’s VirtualCenter, about VI4’s plans to implement direct hardware access, about the state of virtual switching, etc. I could go on for pages about the deep “Meaning of Virtualization” sidewalk and pool conversations I had. Leaps and bounds from this same time last year.

So why the change? I think it’s a few reasons:

  1. Customers and Media: Virtualization is still all the rage in all things IT this year, which is driving customers to implement. That, in turn, drives us to become trusted advisers for all things virtual. Works for me. :)
  2. The Cloud: Is it mostly hype right now? I would say yes. But like #1, there’s a huge buzz around it so people are asking. And since data center virtualization is a prerequisite to implementing any type of cloud-based services, customers are starting to implement there as well. I love it: Baby Steps.
  3. Implementation: All of these ideas can be implemented today, relatively easily. Even though I think the popular representation of the cloud is still hype, you can plug your ESX infrastructure into Amazon’s S3 cloud storage service today. These things can be touched in the data center today; they’re not just PowerPoint ideas on a screen.

And here’s the real test in my mind: during the conference I led two Birds of a Feather sessions on virtualization, one on the future and one on reality today. While planning for my BoaF sessions, I’d forgotten to send out a prerequisite list. I was planning on sending out a few diagrams, a definition list, the basics of VirtualCenter provisioning, etc., to make sure everyone was on the same page. Turns out there was no need. Everyone who attended (and both were “sold out”) was ready to go and needed no background at all. After a year, the 8 Types have become ingrained and everyone was talking services instead of individual technologies. And there was some excellent debate on the status of the cloud, future or reality.

Overall, I am extremely happy with how far we’ve come in the virtual data center space in just one year. It’s truly amazing. You won’t find me this blissfully happy very often, so enjoy this wave while it lasts.

PS: The best conversation I had all week was a 2+ hour “discussion” with a few co-workers on the future of application virtualization. That’s the best part about a conference: arguing in person with your friends. :)

Virtualization Is An Enabler (The Good Kind), Not a Goal - HP Knows It

October 15, 2008 By: Alan Category: data center, management, microsoft, systems, virtualization, vmware No Comments →

I finally got around to reading the excellent post over on the Windows Virtualization Team Blog by Doug de Werd, Technical Marketing Manager (great title, btw ;) ) for Windows Virtualization at HP. There’s not really much to even say about this post; Doug nailed it. It’s one of the only times I’ve read someone so aptly address the role of virtual platforms in the data center:

  1. Virtualization is a means to an end, not an end in itself. There’s no reason to deploy ESX or Hyper-V unless you’re trying to solve a problem, just like there’s no reason to build a data center in the first place unless you have applications that need to get out over some wire.
  2. The way we enable the virtual means is through management. These platforms don’t manage themselves; they need to be part of the entire VDC and managed together.

And it’s still so strange to me to see a sentence like:

Microsoft and HP are also working closely with Citrix in the area of Virtual Desktop Infrastructure.

Or this one:

The VDI stack incorporates Microsoft components such as Vista and Microsoft Desktop Optimization Pack, along with Citrix XenDesktop, all running on Hyper-V and managed by System Center.

MS and Citrix working closely on VDI? XenDesktop running on Hyper-V? Hmmm…interesting, puzzling, hopeful, strange…all words that come to mind. But hey, it’s a solution, or at least the start of one, so I’ll stick with ‘optimistic.’

Anyway, that’s about it. Read Doug’s post and then start looking at Insight or another management platform for your new virtualization roll-out. Even if you look at it and decide it’s not for you, well at least you’ve started looking. :)

Cloud Privacy: Two Differing Opinions, Both Somewhat Muddled But True

October 13, 2008 By: Alan Category: cloud, data center, security, systems, virtualization 2 Comments →

Craig over at Cloud Security posted a response yesterday to Richard Stallman’s comments on privacy issues with cloud computing. Thanks to Craig for posting a retort to this piece; I hadn’t seen it before. Both posts have some really interesting comments and ideas, and each is both correct and incorrect in places (opinions and ideas are, of course, subject to right and wrong just like facts, right? ;) ).

First, let’s start with Stallman. The guy’s straight up a genius, but people should take everything he says with a grain of salt. I mean he’s “out there” smart, and likewise “out there” with most everything he says. I’m not doggin’ on the guy, but you can’t take Stallman at face value; you need to accept what he says as passionate ideas and then consume at your own level. For example:

But Richard Stallman, founder of the Free Software Foundation and creator of the computer operating system GNU, said that cloud computing was simply a trap aimed at forcing more people to buy into locked, proprietary systems that would cost them more and more over time.

“It’s stupidity. It’s worse than stupidity: it’s a marketing hype campaign,” he told The Guardian.

Cloud computing is a stupid trap? That’s a stretch. I’m all hunky dory when it comes to conspiracy theories, but to call it a contrived ploy to trap enterprises into a proprietary system is a huge stretch. In fact, one of the nice things about general Cloud Computing, especially for IaaS providers, is the ability to compete on a level playing field and NOT keep customers trapped in proprietary systems. In theory, it should take me no longer to migrate my storage from Amazon to Google than it would to migrate it from NetApp to a Linux-based SMB solution. Stallman’s out there on that one; however, he does also bring up some excellent points about control:

“One reason you should not use web applications to do your computing is that you lose control,”

That is a very real and true comment, and one that should be thought about more directly when someone is considering implementing any cloud-based service. Amazon’s recent S3 outages are excellent examples of one business completely crippling many other businesses. It’s an interesting and relatively new business model to say the least, and one that has to be factored into things like ROI calculations before the move is made.

Now let’s look at Craig’s ideas. Likewise, he brings up some excellent points on the cost of privacy:

My view is that privacy is not ‘free’. It comes at a cost. Whether you run your own systems or rely on someone else to do it, there is a cost.

Amen, brother! Like everything in life, moving to the cloud is a trade-off and comes with sacrifices. At the end of the day it’s up to each enterprise to determine what’s more important and what’s more valuable. Does it save us money and is it worth the risk to move some services into the Cloud? Yes and no, depending on every unique situation and every unique enterprise. It’s not a “one size fits all” model, which is why it’s so extremely successful and why we’re all buzzing about it today. Craig is spot-on with his comments about ultimate cost.

But it does frustrate me that both of these guys (and they’re far from alone) use consumer-based services as examples of Cloud Computing. Gmail and Flickr are not good examples to debate privacy and control issues because there’s no indemnity for us consumers. When there is an XSS exploit against Gmail that allows someone to steal my cookie, I don’t get anything as compensation from Google. I’m using their service for free, so I give up my extended right to complete and utter privacy by giving up some level of control. Same with Flickr; if I post my personal pics on their site for free, well then I get what I pay for. I routinely get frustrated when the line between Cloud Computing and plain ol’ websites for people is blurred. To me, Cloud Computing is a back-end technology, just like Data Centers.

Enterprises should absolutely consider the implications of privacy and control for their Cloud services, because the Cloud SPs do hold indemnity for enterprise customers. If there’s a breach against Salesforce.com and Company A steals all the pipeline leads from Company B, you better believe SalesForce is on the hook for that.

And that’s the difference. So let’s keep debating these cloud issues all day; they’re critically important issues to discuss. But let’s keep our debates focused on Apples or Oranges, because consumers don’t use the Cloud.

VMware Buys Blue Lane - But For VM Security or VM Patching…or Both?

October 10, 2008 By: Alan Category: data center, management, security, storage, systems, virtualization, vmware No Comments →

As was reported by virtualization.info, VMware announced its acquisition today of Blue Lane. Blue Lane has some cool stuff that falls into two categories: Virtual Machine security (VirtualShield) and server security & patch management (ServerShield), virtual or physical. There’s been a good bit of chatter today on how this acquisition is going to play with VMsafe, and I think there’s definitely some obvious overlap between what Blue Lane is doing with VirtualShield and what VMware wants people to do with VMsafe. I actually assumed that this was the path Blue Lane was headed down; they already support inter-VM network traffic protection, but they don’t currently do it at the hypervisor level. It was the next obvious step to port VirtualShield directly to ESX with VMsafe.

However, I’m more intrigued by this purchase for the in-line server patching stuff with ServerShield. ServerShield is basically an application proxy that sits in front of an app server and inspects all traffic destined for a particular application running on a particular host. From what I understand, though, it doesn’t inspect that traffic in the same way an I[D|P]S does. It doesn’t use signatures looking for attack patterns; it looks for patterns that match exploits that have been remedied by application and/or server OS patches. It’s like the flip side of the coin: an IPS looks for the attack in the payload, while ServerShield looks for a way to attack that’s been identified by a patch that’s already been released. So they take a new patch, ask “What does this patch do and what does it change?” and then look for pattern data in the application flow that matches that delta behavior. At least that’s my understanding from talking to them about a year ago. :)

So this has some really cool possibilities for VMsafe and using the virtual network to protect against both app and OS exploits, but it also sounds really cool for VMware’s VDDK (announced earlier this year). Just off the top of my head I can see the ServerShield management component in the VirtualCenter GUI, ServerShield itself inspecting all traffic on the virtual switch at the hypervisor level, and then throwing an event when it detects a payload that’s targeted at a known exploit destined for a VM. It:

  1. Corrects that traffic so it’s no longer a threat
  2. Throws an event to VC that there are machines that would have handled that traffic that aren’t patched correctly
  3. VC starts pulling machines out of clusters, mounts the VMDKs with VDDK, and patches are applied off-line by ServerShield
  4. The freshly patched VM is powered back up, returned to the cluster, and on to the next one until that particular problem is corrected across the board. VC could then keep a real-time patch level list of every VM, and as new traffic came through, it could tell ServerShield “Hey, these guys are current, so you can opt out of inspecting if you wish.” Yes, I know security heads are exploding all over the place, but I’m just talking technical ability rather than how a security policy should be managed, etc.
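To make the patch-aware inspection idea from the ServerShield description and the four-step workflow above concrete, here is an added example model of it in Python. This is not Blue Lane’s, VMware’s or the post author’s code; the rule format, the patch ids (PATCH-EXAMPLE-*), the request patterns and the VM names are all constructed for this example. Each rule is derived from a (hypothetical) released patch: it describes the input the patch changed the handling of and how to rewrite that input so it is harmless, which is the “delta behavior” idea rather than an attack signature. The inspector skips rules for patches a VM already has (the “opt out of inspecting” step), corrects traffic for VMs that lack them, and raises an event per VM and missing patch so an off-line remediation loop can bring those VMs current.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

@dataclass(frozen=True)
class VirtualPatch:
    """A rule derived from one released patch: which application it covers,
    what input the patch changed the handling of, and how to rewrite that
    input so the traffic is no longer a threat to an unpatched target."""
    patch_id: str
    app: str
    pattern: "re.Pattern[str]"
    correct: Callable[[str], str]

# Constructed placeholder rules for this example. The ids are not real
# patches and the format is not Blue Lane's; they stand in for "what the
# patch changed" knowledge distilled from a patch.
VIRTUAL_PATCHES: List[VirtualPatch] = [
    VirtualPatch(
        patch_id="PATCH-EXAMPLE-001",
        app="webapp",
        # the patch made the app reject parent-directory segments in paths
        pattern=re.compile(r"(\.\./)+"),
        correct=lambda req: re.sub(r"(\.\./)+", "", req),
    ),
    VirtualPatch(
        patch_id="PATCH-EXAMPLE-002",
        app="webapp",
        # the patch made the app cap a legacy header at 64 characters
        pattern=re.compile(r"X-Legacy-Auth: .{65,}"),
        correct=lambda req: re.sub(r"(X-Legacy-Auth: .{64}).*", r"\1", req),
    ),
]

def sample_inventory() -> Dict[str, Set[str]]:
    """Per-VM patch level, as VirtualCenter might track it (constructed)."""
    return {
        "vm-web-01": {"PATCH-EXAMPLE-001", "PATCH-EXAMPLE-002"},  # current
        "vm-web-02": {"PATCH-EXAMPLE-001"},                        # missing 002
        "vm-web-03": set(),                                        # unpatched
    }

def inspect(inventory: Dict[str, Set[str]], vm: str, app: str,
            request: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Steps 1 and 2: return the corrected request plus one event per
    (vm, missing patch) whose pattern was seen. Rules for patches the VM
    already has are skipped, since the target handles that input safely."""
    events: List[Tuple[str, str]] = []
    have = inventory.get(vm, set())
    for vp in VIRTUAL_PATCHES:
        if vp.app != app or vp.patch_id in have:
            continue
        if vp.pattern.search(request):
            request = vp.correct(request)
            events.append((vm, vp.patch_id))
    return request, events

def remediate(inventory: Dict[str, Set[str]],
              events: List[Tuple[str, str]]) -> List[str]:
    """Steps 3 and 4, simulated: for every VM named in an event, record the
    missing patch as applied off-line and return the VMs that were patched.
    Once applied, inspect() will opt out of that rule for the VM."""
    patched: List[str] = []
    for vm, patch_id in events:
        if patch_id not in inventory.setdefault(vm, set()):
            inventory[vm].add(patch_id)
            if vm not in patched:
                patched.append(vm)
    return patched

# Constructed request: a traversal attempt plus an overlong legacy header.
SAMPLE_REQUEST = ("GET /files/../../etc/config HTTP/1.1\r\nHost: example.test\r\n"
                  "X-Legacy-Auth: " + "A" * 100)

if __name__ == "__main__":
    inv = sample_inventory()
    for vm in sorted(inv):
        fixed, evts = inspect(inv, vm, "webapp", SAMPLE_REQUEST)
        print(vm, "events:", evts)
    print("patched off-line:", remediate(inv, inspect(inv, "vm-web-03", "webapp", SAMPLE_REQUEST)[1]))
```

Running the script shows the fully patched VM passing the request through untouched with no events, while the unpatched VM gets the traversal segments stripped and the header truncated, and two events are raised for it. After `remediate()`, a second `inspect()` for that VM raises nothing, which is the “opt out” behaviour the post imagines VC handing to ServerShield.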

It’s like a mash-up of dynamic provisioning, dynamic security, and dynamic patching for both the OS and app. Gets me all tingly! :)

Cisco, VMworld, & the vSwitch: Half Good, Half “Run Away From Converged Switches!”

October 01, 2008 By: Alan Category: cisco, cloud, data center, virtualization, vmware 4 Comments →

I’m back from VMworld, later than most. I took a detour out of Vegas and avoided McCarran (one of my least favorite airports) by driving back to the great Northwest through Death Valley, Yosemite, and the Oregon Coast. Sure, it took 4 days, but going from smoke-filled Vegas to hot, then cold, fresh air is so much better than just jumping on another airplane.

VMworld was an excellent show; much better than I’d expected. Most of it has been well covered by the likes of Hoff and Chris Wolf. Hoff has a few excellent posts that summarize the Cisco and VMware partnership and the announced products. I don’t necessarily share some of his concerns or some of his plaudits, but it’s important to have differing opinions. Makes the world turn and all that, right? But I do have two very strong opinions on Cisco’s integration with VMware’s software switch:

  1. The Good: Although its first incarnation (VN-Link) is more of a shim solution using VMsafe, I think Cisco building any switch functionality on/in ESX is an excellent move. We all know that the current vSwitch just ain’t up to par. VMware admits it’s nothing more than an L2 device, meant to move packets from the physical interface to one of many virtual interfaces. Basically one big software CAM table and that’s about it. While VMsafe was launched with mostly security companies and the idea was to pass packets off to a guest VM for payload inspection, Cisco is headed in the correct direction in realizing that a packet has much more to offer in life beyond a malicious payload.
  2. The Possibly Great, Possibly Not: If Cisco takes this idea beyond the [fast|slow]path implementation of the Nexus 1000v and starts looking to VMware’s VI4 release and what they’ve dubbed the vNetwork/DVN API, then we could be seeing a complete on-board Cisco vSwitch in VI4. Now that’s some cool stuff, especially if we start thinking about how a DVN vSwitch could impact moving services into the Cloud. Cisco knows how to manage L2-L4 (that’s about it; they blow when it gets to L7), but they know how to do it in hardware. The question right now is which direction will they go post VN-Link? Will they embrace the software side and go for a full vSwitch replacement? Or will they move more towards “let’s move the packets off of ESX and route everything to an off-box appliance”? I hope it’s the former. If they go the latter, what’s the point? Do your packet/session inspection _before_ you send it to ESX in the first place and you don’t need to pass it off-box. It’s redundant.
  3. The Terrible: I’ve made no secret of my disdain for Cisco’s idea of converged networking. I think it’s just way too much to try to cram and manage every possible data center networking device and protocol in one box. At some point there are just too many clowns in the car and it becomes undrivable. The Nexus series is well on its way to becoming the DC Jack of All Trades and Master of None. It’s taking us back to the days when we all had a generic *nix box at our perimeter that did routing, NAT’ing, IDS’ing, VPN’ing, etc. We’re at a point now in the DC where the tools we use are becoming extremely complicated, and to a certain degree they should be managed individually and independently so they provide the best service possible. Now if/when Cisco moves all of these protocols into a single vSwitch on/in the hypervisor (or even multiple distributed vSwitches across hypervisors), then they’re going to be further cramming resources into one giant cesspool.

So my recommendation to Cisco would be: Stick with what you do really well, L2-L4 IP networking, and let the people that do storage networking well do storage networking. By all means extend that L2-L4 knowledge and expertise into the virtual platform arena by working with VMware on building a usable and robust vSwitch, but stop there. We need a virtual data center platform that includes an enterprise-class virtual switch. But on storage…there’s already going to be a push towards storage VM appliances in the next few years; let them fail on their own without you muddying the waters by trying to manage the storage network underneath that.

Oh yeah, I don’t like storage VMs either. Talk about redundancy…don’t get me started, at least not in this post. Maybe some other time, assuming I don’t throw in the towel and head back to the desert any time soon. :)