VPNs, meet Network Virtualization

When I first started to hear about Network Virtualization maybe half a dozen years ago, I was a bit taken aback. After all, Virtual Private Networks (VPNs) had been around for decades, and I had spent a good part of the 1990s and 2000s working on the protocols that allow service providers (SPs) to build scalable VPNs. So I wondered how network virtualization was different from a VPN, and why there was all this sudden interest.
 
Eventually I realized that the main reason for the rise of interest in network virtualization was the success of server virtualization. Once computational capacity in the data center could be virtualized, it was probably inevitable that other aspects of the data center, such as storage and networking, would also need to be virtualized. Server virtualization conferred a slew of benefits – such as speed of provisioning new machines, migration of workloads, hardware independence – and the hope was that network virtualization could follow suit.
 
But didn't VPNs already virtualize the network? Well, only partially. VPNs provide isolation among customers or user groups, which is one aspect of network virtualization, but only a small subset of network virtualization as we see it in a modern, multi-tenant data center. Network virtualization goes beyond the simple isolation provided by a VPN in a couple of important ways. First, just as server virtualization presents a complete set of computing capabilities to the guest operating system, network virtualization needs to present a complete set of networking services to the applications using the network. For example, a full-featured virtualized network should allow you to configure access control lists, QoS policies, and a range of other features in the virtual network, not just limit who is connected to whom. Second, because server virtualization makes migration of computational workloads a common operation, virtualized networks need to be able to handle rapid and frequent mobility of endpoints. This means not just dealing with the movement of addresses, but also ensuring that the networking features provided by the virtualized network stay in sync with the VMs as they move.
 
Existing VPN technologies (and the plethora of tunneling techniques that have recently been proposed for network virtualization) really only virtualize the forwarding table. By contrast, Nicira's Network Virtualization Platform (NVP) was designed to support the full network virtualization requirements of a multi-tenant data center. It takes a different tack than traditional VPN technologies, using Software-Defined Networking (SDN) techniques to manage the large amount of state that results from virtualizing the full capabilities of the network and keeping the network configuration correct as VMs migrate within and between data centers.
 
This is not to say that VPNs are no longer needed - quite the reverse. Recently, we've been focusing our attention on how existing VPN services offered by carriers can leverage the capabilities of NVP and vice versa. Two observations we've made are:
 
- while VPNs are not the same as network virtualization, the architectural principles have a lot in common;
- if you can connect a virtualized data center network to a wide area VPN service, you can provide an end-to-end service that leverages the strengths of both.
 
In architectural terms, both VPNs and Network Virtualization rely on encapsulation (tunneling) across the core network, and push the intelligence and intensive processing to the edge. In the case of data center networks, the edge is typically the vswitch in the hypervisor, while the VPN edge is normally the PE (provider edge) router. The encapsulations also differ between the two environments (normally MPLS for VPNs, something IP-based for the data center).
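To make the "intelligence at the edge" point concrete, here is a small model (added for illustration; not NVP code or any other product's code) of the per-tenant state an edge device such as a hypervisor vswitch keeps: a tunnel identifier, the location of each endpoint, and an access-control policy. The tenant names, addresses, hosts and VNIs are constructed; the point is that policy is enforced at the edge before encapsulation and follows the VM when only its location changes.

```python
# Added example (not from the original post): a toy model of the tenant state an
# edge device (the hypervisor vswitch, or a PE router) keeps, so that a VM's
# tunnel endpoint AND its access-control policy stay in sync on migration.
# All tenant names, addresses, hosts and VNIs below are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    vm: str
    ip: str
    host: str        # hypervisor (tunnel endpoint) currently hosting the VM


@dataclass
class VirtualNetwork:
    vni: int                                        # tunnel identifier for this tenant
    endpoints: dict = field(default_factory=dict)   # vm name -> Endpoint
    acl_deny: set = field(default_factory=set)      # (src_ip, dst_ip, dport) tuples


class Edge:
    """Edge-resident state: forwarding *and* policy, scoped by tenant."""

    def __init__(self):
        self.networks = {}

    def add_network(self, tenant, vni):
        self.networks[tenant] = VirtualNetwork(vni)

    def attach(self, tenant, vm, ip, host):
        self.networks[tenant].endpoints[vm] = Endpoint(vm, ip, host)

    def deny(self, tenant, src_ip, dst_ip, dport):
        self.networks[tenant].acl_deny.add((src_ip, dst_ip, dport))

    def migrate(self, tenant, vm, new_host):
        # Only the location changes; the tenant-scoped ACL needs no rewrite.
        self.networks[tenant].endpoints[vm].host = new_host

    def forward(self, tenant, src_vm, dst_vm, dport):
        """Return the outer tunnel header for a packet, or None if the ACL drops it."""
        net = self.networks[tenant]
        src, dst = net.endpoints[src_vm], net.endpoints[dst_vm]
        if (src.ip, dst.ip, dport) in net.acl_deny:
            return None      # policy enforced at the edge, before encapsulation
        return {"vni": net.vni, "outer_dst": dst.host, "inner_dst": dst.ip}
```

Two tenants may reuse the same private addresses: because every lookup is keyed by tenant and tagged with that tenant's VNI, one tenant's deny rule never affects another's traffic.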
 
Where we see real opportunity is in connecting the virtualized networks of the data center to the VPN services of the WAN. Done right, this will allow VPN customers to access virtualized networks in SP-hosted, multi-tenant data centers seamlessly, just as if each VPN customer had its own private data center. VPN customers will be able to bring up VMs, interconnect them in varied topologies, configure networking features, migrate workloads, and see all of this as an extension of their existing VPN. This is where we see the next great opportunity for service providers: they will leverage their existing VPN assets to offer fully virtualized networks as part of their cloud services, thus differentiating their offerings from those who can offer only part of the solution. The marriage of network virtualization in the data center with VPNs in the WAN is what will make this possible.
 
By Bruce Davie