To paraphrase Scott Shenker, networking today should not be about managing complexity, but about extracting simplicity. When you look at what it takes to manage and maintain the networking infrastructure today, it is all about managing the complex beast that this infrastructure has become.
Gone are the days of simple switches and a router to the Internet in a closet. This is what is found in most of our homes today. Most practical networks involve a hierarchy of switching and routing in an attempt to contain and manage the data that is flowing through them.
This architecture results in a complex environment that assumes static placement of nodes by location, and punishes mobility with delays while the cost and impact of reconfigurations are figured out. In this kind of environment mobility involves touching many components at different layers of the infrastructure. The end result is that a lot of resources are expended in an attempt to manage this complexity. What if there was a different way?
One approach, and I will not go as far as to state it is the best approach, is to start looking at the problem from the point of view of the workloads and applications that are using the network. When you take this point of view you simplify the problem to figuring out what the connectivity and security requirements are for the workload, and not what it takes to move and secure the workload's data through the network. This turns out to be a point problem (not the math point problem but a point in space), as opposed to a distributed problem for the network. A version of this approach is already in use today: securing the physical port that the workload is attached to using ACLs and IP-based firewall rules. But again this misses the point when the workload is mobile, as in cloud deployments.
The goal of network virtualization is to break this coupling of workload to the physical network and, in the process, associate the network attributes with the workload, which affords us workload mobility while maintaining the security and network identity of said workload. In order to do this we need to move the network management of the workload closer to the workload itself. We accomplish this by moving the intelligence from the core of the network to its edges, where the workloads interact with the network. We can then turn the core of the network into an efficient transport network targeted at delivering packets efficiently. If we then add an out-of-band control plane to this edge to manage the flow of packets from endpoint to endpoint, we have in essence virtualized the physical network.
Figure 2: Converting the core into a transport network by moving intelligence to the edge
Once the core has been optimized for packet delivery we can start building overlay virtual networks that are as simple or as complex as we need to accommodate the workloads that run on them. The way we accomplish this is by creating overlay networks that are managed in the virtual space. These overlay networks are carried over the transport network using point-to-point tunnels that do not require reconfiguration of the core network. This gives us the flexibility to place virtual machines anywhere in the datacenter, as we are no longer tied to the structure of the underlying physical network.
Figure 3: Overlay networks achieved using Open vSwitch and tunneled traffic through the core
These overlay networks can range from simple isolated layer two networks to interconnected networks that support multi-tiered workloads. We can now build complex overlay network architectures as needed, with stateful firewalls that do interesting things like:
- Protect virtual machines from each other without requiring the use of PVLANs
- Protect a tier of workloads from the rest of the network
- Isolate virtual machines from each other while still providing unfettered access from the rest of the network
Figure 4: Multi-tiered workloads with Layer 3 gateways and security at different levels.
Once we have moved the intelligence of the network out of the core and distributed it along the edge of the network, we have great flexibility in how we place and secure the virtual machines. The major benefit we get out of network virtualization is that the network policies of a virtual machine running the workload are now tied to the virtual machine's virtual network port and not to the physical devices that the virtual machine's data traverses. This makes it possible to move the virtual machine around the physical network and retain its identity, all without making any modifications to the physical network. When we need to change the network policy of a single workload we no longer have to modify multiple physical devices and in the process inadvertently affect other unrelated workloads. We simply modify the workload in question. If there is an operator error associated with the change it will only affect that one workload and nothing else.
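The following is a constructed toy model, added here and not code from the original post, of the two ideas above: the stateful, tier-aware firewall rules of the list after Figure 3, and policy that is bound to the VM's virtual port so that migrating the VM to another hypervisor changes nothing in the core. The VM names, tiers, hosts and port numbers are invented for illustration.

```python
# Constructed toy model (not code from the original post): policy is bound to
# the VM's virtual port and evaluated at the edge, so it travels with the VM.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    src_tier: Optional[str]  # None means any source tier
    dport: int


@dataclass
class VPort:
    vm: str
    tier: str
    rules: List[Rule]  # inbound allow-list, enforced at the virtual port
    host: str          # hypervisor currently running the VM


class VirtualNetwork:  # the edge: per-vport policy plus a stateful flow table
    def __init__(self):
        self.ports = {}
        self.conntrack = set()  # (initiator, responder, dport)

    def attach(self, port: VPort):
        self.ports[port.vm] = port

    def migrate(self, vm: str, new_host: str):
        # Only the vport's host changes; the tunnelled core is not reconfigured.
        self.ports[vm].host = new_host

    def allowed(self, src: str, dst: str, dport: int) -> bool:
        """New flow src -> dst:dport, checked against dst's own vport rules."""
        s, d = self.ports[src], self.ports[dst]
        if any(r.dport == dport and r.src_tier in (None, s.tier) for r in d.rules):
            self.conntrack.add((src, dst, dport))
            return True
        return False

    def reply_allowed(self, src: str, dst: str, dport: int) -> bool:
        """Stateful: return traffic passes only for a flow that dst opened to src."""
        return (dst, src, dport) in self.conntrack


def build_demo() -> VirtualNetwork:
    """Three-tier layout like Figure 4: web -> app -> db, VMs isolated within a tier."""
    net = VirtualNetwork()
    net.attach(VPort("web1", "web", [Rule(None, 443)], "hostA"))
    net.attach(VPort("web2", "web", [Rule(None, 443)], "hostB"))
    net.attach(VPort("app1", "app", [Rule("web", 8080)], "hostA"))
    net.attach(VPort("db1", "db", [Rule("app", 5432)], "hostC"))
    return net
```

Because the rules hang off the VPort object rather than off a host, `migrate("app1", "hostC")` leaves every `allowed` and `reply_allowed` answer unchanged; the same move in the physical-port ACL model of the opening paragraphs would require re-creating the rules on the new hypervisor's switch port.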
This should give you an idea of the power of network virtualization and the freedom it buys you as a provider of networking services.