Making the case for a virtualized hardware appliance

As Data Center infrastructures become more virtualized, the desire for virtualized network services increases. We see 2 types of offerings:

1. virtual appliances delivered in a VM image, such as the Netscaler VPX from Citrix
2. hardware appliances that can be virtualized, such as Cisco ACE or ASA

I want to share this devcentral article that reminds us why virtualized appliances are sub-optimal.

There are 3 key considerations:

1. Hardware-assisted functionality: short of installing dedicated ssl & compression PCI cards, commodity x86 hardware do not offer performance enhancements for SSL & compression operations.
2. Control over the network stack: most of the network operations within the hypervisor is software-processed. When deploying a virtual appliance that is designed to handle & process network-based operations, who knows how much overhead the hypervisor will impose on the host cpu & memory resources. (Although this can change as network adapters become virtualization-capable, ie. Apollo card in UCS)
3. Hardware stability: what’s the typical uptime of dedicated hardware pair versus general purpose x86 hardware w/ multiple VMs running on it?

Net-Net?

There are advantages in virtualized appliances. Particularly the ability to quickly deploy a virtual slb image in an environment. However, as an environment grows, the trigger happy virtual slb admins may find themselves in a virtual-appliance-sprawl situation due to the need to a) support disparate applications or b) compute overhead & lack of hardware-assisted capabilities in x86 hardware. At that point consolidation of virtual appliances will be necessary (and probably even painful).

Recommendation?

Architect Cisco ACE into all virtualized environment. It provides all the flexibility & control that customers desire and expect from a virtual device (or a virtual context, in our case). Plus it has all the goodies that a dedicated network device offers: hardware-assist, optimized network stack, stability. This is a day-1 readiness that all virtualized data centers cannot do without.

Update 2009-11-01:

Here’s an article on the Delaware Department of Technology and Information using ACE