Enterprises that use VMware vCloud Air and want to deliver IT services through a hybrid cloud face challenges with integrating networking domains. Layer 2 networking and security domain compatibility issues top the list of obstacles. But by linking its NSX networking virtualization platform with Amazon Web Services, VMware aims to help enterprises overcome these hybrid cloud networking challenges.
VMware's NSX is a network virtualization and security platform. It gives administrators an overlay on top of the physical network, so that virtual networks, switches, routers and firewall policy are defined in software rather than in the physical fabric. Because networking between public cloud and on-premises environments is a major sticking point for deploying hybrid clouds, a way to run NSX in Amazon Web Services (AWS) could provide that missing link in the near future. Let's take a look at the issues involved with hybrid cloud networking.
Incompatible networking protocols
With the exception of VMware vCloud Air, every major public cloud provider's network connectivity is based on Layer 3 networking. What does that mean? In a traditional on-premises infrastructure, a database server and an application server could share the same Layer 2 network. Unless something such as NSX's distributed firewall enforces segmentation, there is no logical separation between the two devices: they see each other's ARP and broadcast traffic, and each can reach every port on the other without any filtering.
But move that same application to AWS and the developer or cloud engineer has to define explicit Layer 3 filtering between the two hosts, in AWS's case security group rules (plus any host firewall such as iptables that the instances run). This is because the approaches to networking and network security are different. AWS doesn't provide Layer 2 broadcast domains between instances; every instance-to-instance flow is a routed, filtered flow that is denied until a rule permits it. The design allows for more granular security, while giving AWS flexibility in how it designs and manages its own infrastructure.
If you were to vMotion or otherwise move a database and application service to vCloud Air, the workload would run unmodified. Problems arise when you try to move workloads from on-premises networks to public clouds like AWS. Either the application developer or the infrastructure team would need to add the security group (or host firewall) rules that allow the database and application to communicate. This example also highlights a company's inability to place applications that depend on shared-segment behaviour, such as broadcast or IP multicast, in AWS, because an AWS VPC does not forward that traffic between instances.
Differences among public cloud provider security domains
In addition to Layer 2 networking issues, each cloud provider is its own security domain, with its own policy objects and enforcement points. Enterprises with an existing investment in a security platform will have difficulty integrating a cloud provider's security into it.
For example, an organization might have spent years developing a namespace for its distributed firewall installation. With an object-based approach, it can distribute a security policy across sites and firewall devices. With all security devices sharing the same object database, IT teams can centralize security administration and even automate it using a cloud management platform such as OpenStack.
However, this object relationship can break at the public cloud provider level. If the firewall vendor doesn't provide integration with the selected cloud provider, then a new security domain is introduced. Security administrators have one set of objects and taxonomy for on-premises resources and another set for public cloud resources. Every policy change then has to be made twice, in two vocabularies, and managing security in a hybrid cloud creates huge overhead.
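To make both problems above concrete, here is the AWS-side policy that the two-tier application from the earlier example needs once it leaves a shared on-premises Layer 2 segment. This is an added Terraform example, not code from the article or from VMware; the VPC range, the corporate VPN range, the tier names and the PostgreSQL port are assumptions for illustration. It shows the explicit Layer 3 filtering that AWS requires between instances, and also the AWS-native object model (security group IDs used as rule sources) that an on-premises firewall's object database has no counterpart for.

```hcl
# Added example (not from the article or VMware): the AWS-side rules a
# two-tier application needs after leaving a shared on-premises Layer 2
# segment. Names, CIDR ranges and the database port are assumptions.

resource "aws_vpc" "app" {
  cidr_block = "10.20.0.0/16"
}

# One security group per tier. Security group ingress is default-deny, so
# the app and database instances start with no path to each other, unlike
# two hosts that share a Layer 2 segment on premises.
resource "aws_security_group" "app_tier" {
  name   = "app-tier"
  vpc_id = aws_vpc.app.id

  # Only the (assumed) corporate VPN range may reach the application front end.
  ingress {
    description = "HTTPS from on-premises corporate range"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["192.168.0.0/16"]
  }

  # The app tier may open outbound connections (to the database, updates, etc.).
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group" "db_tier" {
  name   = "db-tier"
  vpc_id = aws_vpc.app.id

  # The database accepts 5432/tcp only from members of the app-tier group.
  # The source is a security-group object rather than an IP range, so
  # instances added to the app tier later are covered without editing this
  # rule. This is AWS's own object model, separate from any on-premises
  # firewall's object database.
  ingress {
    description     = "PostgreSQL from app tier"
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.app_tier.id]
  }

  # No egress block: Terraform removes the default allow-all egress rule,
  # and security groups are stateful, so replies to the app tier still flow
  # while the database cannot initiate outbound connections.
}
```

Two caveats a practitioner should keep in mind. First, a security group rule can only describe unicast, routed traffic; a flow that relies on broadcast or multicast on the segment has no equivalent here and must be redesigned before the move. Second, these rules live only in AWS's policy store, so anyone synchronizing them with an on-premises distributed firewall has to map the `app_tier`/`db_tier` group objects onto the firewall's own object names by hand or with custom tooling, which is exactly the second-security-domain overhead described above.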
Finding a balance: NSX in AWS
At VMworld 2015, VMware previewed the ability to run NSX in AWS. To do this, VMware runs a lightweight NSX component inside each AWS EC2 instance (an NSX instance per guest, not to be confused with EC2's micro instance types). With an NSX presence on every EC2 instance, the NSX network overlay extends into AWS. Think of this as a virtual Lego set for cloud networking. NSX in AWS gives network and security administrators flexibility beyond native public cloud networking.
Within AWS, a network engineer could design a complex corporate network that mimics the physical network. For example, a company building a multidomain application could use NSX to create an overlay Layer 2 network that carries multicast between instances, something the native VPC network does not do, and connect it to a virtual router. The router would then provide VPN connectivity to on-premises applications.
NSX in AWS could address the security challenge as well. Because AWS becomes an extension of the logical network, the same NSX distributed firewall rules would apply to AWS instances without modification, using the same objects and taxonomy as on premises. In theory, an AWS instance could also host a virtual firewall from another vendor and become just another enforcement point in the existing policy.
VMware was noncommittal on the release date of NSX for AWS. This may be something that never sees the light of day beyond the tech preview. However, networking between public cloud and on-premises networks is one of the most difficult pieces of the hybrid cloud puzzle, and VMware may prefer to keep the integration between vCloud Air and NSX as a selling point for vCloud Air.