VMware NSX: Issues halting the transformation
Event: VMware’s fourth quarter 2015 earnings conference call; Date: January 26, 2016; Attendees: Pat Gelsinger, CEO; Carl Eschenbach, President and COO; and Jonathan Chadwick, CFO and COO. Pat Gelsinger expresses his contentment, “In this year, we were especially pleased with the growth across our portfolio of emerging products and businesses including NSX, end-user computing, and Virtual SAN.” He adds further, “In networking, we had a stellar year growing NSX over 100 percent year-on-year and bringing our total annual bookings run rate to well over $600 million.”
Cut to July 22nd, 2016: VMware advises users of its NSX network virtualization not to upgrade it to the version 6.2.3 released in early June. The question arises that what are the issues that are halting this technology transformation? Why did VMware advise users of its NSX network virtualization not to upgrade it to the version 6.2.3? Let’s find out!
From the year 2014 to 2015, NSX bookings tripled and their product NSX has 1,200 paying customers at present. Over the same period organizations using the software in production also increased fivefold. Although, these successes have much to say about VMware but its product faces plenty of challenges.
One of the criticisms of NSX is that it's too expensive. VMware is selling NSX in two ways. For a perpetual license, list pricing starts at $5,996 per CPU, and customers can also buy it under a term license starting at $34 per virtual machine per month. Some VMware partners are not confident that customers will be willing to shell out for NSX at its current price points. “Six thousand dollars per CPU is a lot when VMware is positioning this from a security standpoint. Many interested customers aren’t looking at the 'full stack' from NSX. They like the security aspects,” told a partner to CRN TV.
Sales pitch for small and midsize businesses
Use cases and pricing for NSX have been aimed at large enterprises. The SMBs have not been in the radar of VMware. As Guido Appenzeller, CTSO, Networking & Security Business Unit, VMware informs, “For the true "S" in the SMB, I'm not sure they'll have a data center or run a hypervisor in the future. If they do, they would probably consume it more or less as a service. If you're a 20 or 50 person organization, I don't think you'll have an on-premises data center in the future.”
Deploying into Non-VMware Environments
Integrating NSX into non-VMware environments or mixed environments is not a piece of cake. While many customers had experimented with multiple hypervisors, the market eventually is shaking out as most customers are standardizing in order to reduce complexity and cost. While most agree that customers are looking to consolidate, the varying numbers make it difficult to determine where the market ends up at this point. Thus, in environments where VMware is either not being deployed or is not the primary hypervisor, customers resist NSX, viewing it as an expensive and limiting choice.
The July 22nd, 2016 Debacle
The Register reported on July 22nd, 2016 that VMware has advised users of its NSX network virtualization not to upgrade it to the version 6.2.3 released in early June. A vulnerability (CVE-2016-2079) was addressed by the update that allowed remote attackers to obtain sensitive information.
In an article, Knowledge Base explained the problem as a traffic disruption that may be encountered upon a vMotion operation on compute virtual machines followed by changes to configuration of the Global Address Sets in the SG referenced for that virtual machine. The problem stemmed from the introduction of a new Global Address set, called Addrset which if upgraded to 6.2.3 would continue to refer to the old local copy of Addrset and ignore new updates in the Global Addrset.
There was some good news in the form of VMware's explanation of a workaround, but despite the existence of that fix, Virtzilla's still advised that customers using Distributed Firewall and Security Groups must not install or upgrade to NSX for vSphere (NSX-V) 6.2.3.
The Future: An overlay between in-house servers and AWS
It’s quite simple architecturally! VMware have an agent running in the AWS instance that fulfills the same function a vSwitch does for on-premises deployments. The issue that the organization is encountering is Amazon doesn't have any API where a virtual switch at the hypervisor level could be inserted by VMware, thus operations inside the guest operating system could not be run.
“It's kind of funny, initially within VMware there was a lot of consternation, a lot of people saying that's not how we do things, we work at the hypervisor level. But once the engineers started looking at it, you can essentially deliver the same functionality and the same security level with a small difference by running inside the guest. To me this is an important part of what we're going to do in the future,” mentions Appenzeller.
This hybrid cloud networking application is quite important to the future of NSX as this will enable VMware to provision compute capacity on demand anywhere in the world using an Opex model, which Appenzeller feels is incredibly compelling. Appenzeller informs, “In the past, networking was about getting a packet from one place in your data center to another. Today, managing IP connectivity is the least of your problems. The real challenge today is to segregate these networks, firewall these networks, manage compliance and keep them secure from attackers.”
VMware held a virtual monopoly on the market, from the early days of x86 virtualization. But over time they have fallen to less than 60 percent. With other options such as Hyper-V, KVM and Xen, expectations are that VMware’s share will continue a gradual downward slope, probably ending up in the 40-50 percent range.
VMware is a well-known and respected name among server administrators but it must win over a new audience of network and security professionals.