Virtualization is reaching every corner of the enterprise network, and the racks of network services appliances are no exception. Vendors of security gateways, IP address management (IPAM) and application delivery controllers (ADC) are all offering virtual appliances—software versions of their products that enterprises can deploy as virtual machines. Virtual appliances allow engineers to reduce the physical footprint of network services hardware, and these appliances also offer agility and flexibility in how and where network services are deployed.
The most obvious home for these virtual appliances is the data center, where enterprises have pools of virtualized servers hosting hundreds and thousands of virtual machines. However, in some cases, network services virtual appliances may benefit from being deployed on specialized computing resources. Some networking vendors are adding support for running virtual appliances within networking devices such as switches. Others are offering specialized hardware designed to support multiple virtual appliances and services on a single device.
Where to deploy virtual appliances?
Every deployment scenario is unique, so there is no superior method of deploying virtual appliances within your enterprise infrastructure. Some network services—such as a network sniffer—might benefit from living on a switch, where they can easily tap into traffic. Meanwhile, an ADC might perform better if it can live on the same host server as the application it is accelerating and travel with it when it migrates.
Virtual appliances offer engineers flexibility in how they deliver network services. While it is possible, for example, to deploy a virtual firewall as a virtual machine within a server rack in the data center, many organizations may want to have physical separation between a virtual firewall appliance and the general server racks in the data center. Engineers in this situation would deploy dedicated hardware for virtual security services at the network edge, rather than letting external traffic travel into the server rack before it is inspected.
Also, many network teams will want direct control over the hardware that hosts their network services virtual appliances, rather than hosting them in a data center's general VMware environment. Ultimately, decisions regarding virtual appliance deployment will be tied more to the policies and personnel of an enterprise than to any technology challenges.
Examples of specialized hardware for virtual appliances
Force10 Networks’ new S7000 top-of-rack switch ships with expansion slots that can host up to four "appliance modules" with processing and memory resources capable of running virtual appliances directly on the switch. Force10 is working with partners to develop virtual appliances specifically designed to run on these appliance modules with tight integration into FTOS, the operating system that powers all of Force10's switches and routers. These appliance modules feature their own 64-bit processors, local memory and storage. Force10 suggests that customers host firewalls, packet sniffers and load balancers on these switches.
Cisco's Nexus 1010 Virtual Services Appliance was first introduced as a host for the Virtual Supervisor Module (VSM) of Cisco's Nexus 1000v virtual switch. Each VSM functions as a supervisor module for multiple Nexus 1000v Virtual Ethernet Modules (VEMs), which reside on VMware host servers. The Nexus 1010 is also capable of supporting multiple network services concurrently with the Nexus 1000v VSM. Cisco offers a virtual version of its Network Analysis Module for the Nexus 1010, and its forthcoming Virtual Security Gateway (VSG) will also run on the box.
Application delivery controller vendors such as F5 Networks, Citrix and Radware offer virtual appliances designed to operate alongside enterprise applications in a virtual environment. Radware has introduced the ADC-VX platform, which is hardware specifically designed to host virtual appliances. This dedicated hardware supports multiple virtual ADCs that can be spun up or down as needed. Each ADC operates independently of the others to support multi-tenant application delivery and isolation with the physical performance specifications that customers expect from a traditional hardware appliance.