Server Virtualization Blog - A SearchServerVirtualization.com blog

A server virtualization blog covering virtual machine (VM) management and administration, VMware, Xen, Microsoft, server consolidation and hardware, backup and disaster recovery, VDI (virtual desktop infrastructure) and more.

Considering external-facing virtual machines

One of the more overlooked placement discussions that happen within the design or re-engineering phases of virtualization projects involves systems that are on an external network.

The placement of external systems can be addressed many different ways, including the use of virtual private network (VPN) authentication servers, web servers or remediation systems for network access control. Consider the following architecture diagram where larger virtualization hosts contain all types of systems within the virtualized environment:

Figure 1

While the networking of these virtual machines may be configured with the same protections as their physical counterparts, there are some concerns with this configuration. This can become even more of a concern in the event where the firewall is a virtual machine as well in the same environment. An architecture that can better protect the internal and external workloads would be to have a separate environment with connectivity and workloads only to the external interfaces. Consider the figure below for the same workload:

Figure 2

Separating the environments in this manner may require more hosts for the same workload, to account for maintenance mode and other factors. These additional hosts can be smaller systems with a smaller processor inventory, so that they do not add cost or licensing fees for anything that is licensed per processor.

If firewalls or other core network appliances are virtualized, their placement requires a little more thought because they may have a footprint on both the internal and external networks. When internal and external workloads share resources, an outbreak-type event on an external system may consume resources at the expense of the internal workload. With the internal and external workloads separated, an attack within a guest operating system, or an attack that targets virtual machines, would initially be contained to the side of the boundary where it started.

This strategy applies to all virtualization products, and it can also be applied more specifically to network and storage configurations to provide the same kind of protection.

Dissecting bridged-network functionality on Sun xVM VirtualBox for Windows

If you have not noticed, I have been on a Sun xVM VirtualBox kick recently. I think it is beneficial to virtualization administrators and managers to be familiar with at least two hypervisors — so why not learn more about xVM?

VirtualBox has a smooth interface for a version 1 release, but the one area that would require the most adjustment is the virtual networking. Let’s take a closer look at network functionality in VirtualBox.

Virtual networking on VirtualBox has a few key differences that VMware users would need to understand before fully utilizing the potential of the product. The first difference is the concept of the virtual networking hardware. VirtualBox allows a virtual machine (VM) to have one of four network interface cards virtually assigned. These are the AMD PCNet PCI II, AMD PCNet FAST III, Intel Pro/1000 T and the Intel Pro/1000 MT. This array of virtual adapters allows a VM to have broad support for multiple operating systems, but the corresponding bridging functionality may make network administrators a little uneasy.

Spanning Tree
For Windows systems, VirtualBox uses a spanning tree algorithm from the native operating system bridging that may cause issues on systems with multiple interfaces in managed network environments. The bridged network functionality puts the VMs on the same physical network as the VirtualBox host system. In this fashion, a VM would be able to obtain a DHCP lease from the physical network and interact as if it were placed on the network parallel to the host. The bridging functionality of Windows XP and Server 2003 is explained on the TechNet website.

Another key difference is that in order for a VM to use the bridged network, a bridging interface must be added on the host. Adding an interface is fairly straightforward with the VBoxManage command. The following command would add a bridging interface named “VM-Bridge”:

VBoxManage createhostif "VM-Bridge"

Once this command is completed, the VM-Bridge interface is now present in the network connections inventory of the Windows control panel. Then a VM can be configured to use bridged networking with the newly created interface as shown in the figure below:

VirtualBox Bridging

At this point, the VM-Bridge interface can transparently place the VM on the same network as the host when the Windows bridged connections are correctly configured. Note also that in the network configuration you can fully edit the MAC address of the VM. While exceptionally convenient, this can introduce risk for some environments and situations.
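The steps above (create the host interface, attach a VM adapter to it, optionally override the MAC) can be driven from the VBoxManage command line as well as from the GUI. The following is an added example, not code from the blog post or from the VirtualBox project: a small Python helper that assembles that command sequence and refuses a MAC override outside the VirtualBox OUI unless explicitly allowed, since a bridged VM sits on the physical LAN and a hand-edited MAC can collide with or impersonate another station. The option spellings (`-nic1 hostif`, `-hostifdev1`, `-macaddress1`) are assumed from the VirtualBox 1.x syntax of the period; the VM and interface names are constructed.

```python
"""Hypothetical helper for VirtualBox 1.x host-interface (bridged) networking on Windows.

Added example; not VirtualBox's own code. Assumes the VirtualBox 1.x VBoxManage
option spelling and that VBoxManage is on PATH when not in dry-run mode.
"""
import re
import shutil
import subprocess

VBOX_OUI = "080027"  # OUI prefix of VirtualBox-generated MAC addresses
_MAC_RE = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(mac):
    """Return the MAC as 12 upper-case hex digits (VBoxManage's format)."""
    bare = mac.replace(":", "").replace("-", "").upper()
    if not _MAC_RE.match(bare):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return bare


def is_vbox_mac(mac):
    """True when the MAC falls in the OUI VirtualBox assigns automatically."""
    return normalize_mac(mac).startswith(VBOX_OUI)


def bridge_commands(vm_name, bridge_name, nic=1, mac=None, allow_foreign_mac=False):
    """Build the VBoxManage argv lists that bridge adapter `nic` of `vm_name`.

    A MAC override outside the VirtualBox OUI is rejected unless the caller
    states that the environment permits it (the post's "risk" case).
    """
    cmds = [
        ["VBoxManage", "createhostif", bridge_name],
        ["VBoxManage", "modifyvm", vm_name,
         f"-nic{nic}", "hostif", f"-hostifdev{nic}", bridge_name],
    ]
    if mac is not None:
        bare = normalize_mac(mac)
        if not bare.startswith(VBOX_OUI) and not allow_foreign_mac:
            raise ValueError(f"MAC {mac} is outside the VirtualBox OUI; "
                             "refusing override on a bridged adapter")
        cmds.append(["VBoxManage", "modifyvm", vm_name, f"-macaddress{nic}", bare])
    return cmds


def render(cmds):
    """Render argv lists as command lines, quoting arguments with spaces."""
    return [" ".join(f'"{a}"' if " " in a else a for a in c) for c in cmds]


def run(cmds, dry_run=True):
    """Execute the commands, or just return them when dry-running or VBoxManage is absent."""
    if not dry_run and shutil.which("VBoxManage") is not None:
        for c in cmds:
            subprocess.run(c, check=True)
    return render(cmds)


if __name__ == "__main__":
    # Constructed names: a test VM bridged through the "VM-Bridge" interface.
    for line in run(bridge_commands("WinXP-test", "VM-Bridge")):
        print(line)
```

Run without `dry_run=False` it only prints the command lines, which is a convenient way to review a change before applying it on the host.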

Now that we have gone through a quick look at VirtualBox’s implementation of bridging network connections for VMs, I would have to nudge the VMware products to be a little more seamless in the category of bridged networking. By having the VMware bridge protocol binding used instead of a separate series of adapters for the same purpose, VMware’s bridging fits better for most environments.

Make no mistake, the comprehensive VirtualBox networking implementation is fully competitive with VMware. There is much more to the VirtualBox networking implementation available for download in the online user guide in section 6.

Virtualization performance benchmarks needed ASAP, vendors say

Big players in the virtualization world griped about the absence of performance benchmarks for virtual machines on CIO Talk Radio yesterday and discussed some of the issues surrounding virtualization standards.

Guests on the show included: Simon Crosby, Chief Technology Officer of the Virtualization and Management Division of Citrix; Tom Bishop, Chief Technology Officer, of BMC Software; Dr. Tim Marsland, Sun Fellow, Chief Technology Officer, for the Software Organization at Sun Microsystems Inc.; and Brian Stevens, Chief Technology Officer and Vice President of Engineering at Red Hat.

The glaring omission in this lineup: VMware, Inc.

The panelists on CIO Talk Radio didn’t mention VMware by name, but did complain that some companies aren’t being open with their performance data, thus prohibiting the virtualization industry from publishing comparative performance data.

VMware’s licensing agreement for ESX allows users to conduct internal performance testing and benchmarking studies, and allows those users (and not unauthorized third parties) to publish or publicly disseminate the data provided that VMware has reviewed and approved of the methodology, assumptions and other parameters of the study.

Users that have published benchmark data, like Sr. Systems Engineer Mark Foster did on his blog, have had to unpublish results because of VMware’s stipulations.

VMware introduced its own free benchmarking tool, VMmark, last year for certain applications.

Meanwhile, the SPEC Virtualization Committee has been working to create standard benchmarks for VMs. The committee’s goals are to deliver a benchmark that will model server consolidation of commonly virtualized systems such as application servers, web servers and file servers; provide a means to compare server performance while running a number of VMs; and produce a benchmark designed to scale across a wide range of systems.

SPEC expects these benchmarks to be available by the end of this year, but the timeline is not set in stone, according to the website.

Sun’s Marsland said benchmarking progress has been slow because there isn’t an easy way to define a workload, and a large number of benchmarks are required.

“We are talking about a virtual computer, with lots of aspects that need to be benchmarked,” Marsland said. “Every component that gets virtualized needs to be benchmarked.”

Having an open, standardized way of benchmarking is expected to push virtualization further into the mainstream because it will eliminate false perceptions about performance, panelists said. For instance, “there is the thought that I/O intensive workloads can not be virtualized, and the absence of benchmarks prevents us from proving otherwise. It is important for us to have good benchmarks out there,” one panelist on the show said.

Though users look at benchmarks, this type of data is most useful to vendors and OEMs who can use the performance standards to improve the technology, and of course, market their products.

“More open scrutiny of performance results will help us to improve as an industry overall,” Bishop said. “There are ways to measure performance in non-virtual environments, and people are adapting those techniques to get the most out of their virtualized environments.”

In terms of application performance in virtual environments, the issues differ depending on the data center infrastructure. The network, the servers and the storage all affect performance, said Stevens of Red Hat.

“The areas that have to progress are around I/O. Intel and AMD are improving around page tables, and we will see improvements around I/O adapters soon,” Stevens said.

Another problem with virtualization? There are support challenges. If an application running in a VM starts acting wacky, the application vendor may not support it, Crosby said.

Licensing and support in virtual environments has been a major gripe with Oracle, for example, which does not support running its applications with VMware.

“It is a reasonable concern…right now there is irrational market based control. Some folks are abstaining from supporting certain apps [in virtual environments]. As customers demand support, things will hopefully get rational, by next year I hope,” Crosby said.

Virtual environment architecting requires network zone placement

Almost every virtualization admin that I interact with has materially changed their strategy at some point with their first generation of server virtualization before the entire project is complete. Among the strategy changes are those related to network zoning, which will become a more important consideration as organizations approach higher levels of virtualization.

Specifically, placing external-facing systems on the same virtual host as internal systems can put both sides of the network at risk if the hypervisor is compromised from the external-facing systems. This becomes especially important as the virtual appliance space lets organizations easily consider placing firewall, intrusion detection, VPN and other external-facing roles into the virtual environment, alongside the frequent goal of virtualizing everything.

A more isolating strategy creates a separate environment with hosts dedicated to virtual machines (VMs) that are external facing, and those hosts do not simultaneously run VMs on the internal network. While the hosts may be connected to both the internal and external networks in a DMZ role, a compromise of the hypervisor or host system would not have as direct an impact on the VMs running only on the internal networks. This also helps in emergency remediation by allowing a virtual host to be fully isolated or powered off until the issue is identified, without impacting the internal network VMs.

When planning your next generation of server-side virtualization, consider the risks of placing internal and external network zones on resources that may contain external facing and internal only VMs. This type of architecture can bake in some inherent security into your environment that may save the day in the event of a zero-day vulnerability situation that affects the guest operating system or the virtualization hypervisor.
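The zoning rule in this post and in the earlier “Considering external-facing virtual machines” entry can be checked mechanically against an inventory export. The following is an added example, not code from the blog: a Python audit that groups VMs by host, flags any host that mixes external-facing and internal-only VMs, and lists virtualized appliances with a footprint on both networks for placement review. The inventory records, host names and VM names are constructed sample data; a real run would load them from the management platform's export.

```python
"""Hypothetical placement audit for a virtualization inventory.

Added example; not the blog author's tooling. Models the post's rule: a host
that runs external-facing VMs should not also run internal-only VMs, and
appliances spanning both networks (firewall, VPN, NAC remediation) deserve a
dedicated-host review. The INVENTORY below is constructed sample data.
"""
from collections import defaultdict

# Constructed sample inventory: which networks each VM touches and where it runs.
INVENTORY = [
    {"vm": "web01",     "host": "esx-a", "networks": {"external"}},
    {"vm": "db01",      "host": "esx-a", "networks": {"internal"}},
    {"vm": "vpn01",     "host": "esx-b", "networks": {"external", "internal"}, "appliance": True},
    {"vm": "fileshare", "host": "esx-b", "networks": {"internal"}},
    {"vm": "web02",     "host": "esx-c", "networks": {"external"}},
    {"vm": "fw01",      "host": "esx-c", "networks": {"external", "internal"}, "appliance": True},
    {"vm": "app01",     "host": "esx-d", "networks": {"internal"}},
]


def classify(record):
    """A VM is external-facing if any of its networks is external."""
    return "external" if "external" in record["networks"] else "internal"


def audit_placement(inventory):
    """Return findings, one dict per issue, ordered by host name.

    severity "violation": the host mixes external-facing and internal-only VMs.
    severity "review": an appliance on this host spans both networks.
    """
    by_host = defaultdict(list)
    for rec in inventory:
        by_host[rec["host"]].append(rec)

    findings = []
    for host, recs in sorted(by_host.items()):
        external = sorted(r["vm"] for r in recs if classify(r) == "external")
        internal = sorted(r["vm"] for r in recs if classify(r) == "internal")
        if external and internal:
            findings.append({"host": host, "severity": "violation",
                             "external": external, "internal": internal})
        for r in recs:
            if r.get("appliance") and {"external", "internal"} <= r["networks"]:
                findings.append({"host": host, "severity": "review", "vm": r["vm"]})
    return findings


def zone_layout(inventory):
    """Target layout: the set of VMs that belongs in each dedicated environment."""
    layout = {"external": set(), "internal": set()}
    for rec in inventory:
        layout[classify(rec)].add(rec["vm"])
    return layout


if __name__ == "__main__":
    for f in audit_placement(INVENTORY):
        if f["severity"] == "violation":
            print(f"{f['host']}: VIOLATION mixes external {f['external']} with internal {f['internal']}")
        else:
            print(f"{f['host']}: REVIEW appliance {f['vm']} spans both networks")
    print("target layout:", {k: sorted(v) for k, v in zone_layout(INVENTORY).items()})
```

With the sample data, esx-a and esx-b are flagged as mixed, while esx-c (a web server plus a firewall appliance, both on the external side) passes the mixing rule and only gets the appliance listed for review.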

VKernel Capacity Bottleneck Analyzer for ESX virtualization available

Portsmouth, NH-based VKernel announced availability of its Capacity Bottleneck Analyzer Virtual Appliance, which allows system administrators to see capacity issues in VMware ESX Server-based environments so they can make necessary changes for optimum performance.

Network bottlenecks are issues in virtual environments due to increased capacity from virtual machines. A number of networking vendors have developed network products specifically for virtual environments to alleviate these issues.

A newer vendor called Altor Networks Inc. introduced a Virtual Network Security Analyzer last month that also lets IT view what is happening in a virtual environment.

VKernel’s software monitors CPU, memory and storage utilization trends in VMware ESX environments across hosts, clusters and resource pools. The virtual appliance gives users a single-screen management dashboard that displays all of the details on capacity to help plan for new hosts, clusters and resource pools. Users can also receive alerts via email and SNMP.

The VKernel Capacity Bottleneck Analyzer Virtual Appliance is currently available with pricing starting at $199 per CPU socket.

Sun adds a connection broker to VDI offering

Sun Microsystems, Inc. announced this week it has added new features to its Virtual Desktop Infrastructure software, originally released at VMworld in September 2007, including Sun’s Virtual Desktop Connector (VDC).

Sun’s VDI 2.0 provides interfaces to PCs, mobile devices, and thin clients including Sun’s own Sun Ray thin client offering. With it, centralized desktops can be delivered through the LAN or WAN to Windows Vista, Windows XP, Mac OS X, Solaris or Linux on the desktop, which is fairly unique in the Windows-centric desktop market, said Chris Kawalek, Product Line Manager, Desktop & Virtualization Marketing, Sun Microsystems.

Sun’s VDC, meanwhile, is more or less a connection broker that interfaces with ESX 3.5 and 3.0.x and Virtual Center Server 2.0.x and 2.5 (VMware Infrastructure 3) to create pools of virtual machines that can be defined based on templates.

With Sun’s updated VDI offering, administrators can statically or dynamically assign users to specific VMs, either for a set number of days or indefinitely. Another feature is the ability to ‘reset’ end users’ virtual machines (VMs) if problems arise. For instance, if the user contracts a virus while on the web, the VM can be reset to a date before the issue occurred and operate as it did on that date, Kawalek said.

The tight integration with VMware virtualization software can be attributed to the OEM agreement Sun signed with VMware Inc. in February. Thus, with VDI 2.0, users can actively manage VMware virtual machines, but VMs from other vendors like Virtual Iron can only be statically created and assigned, Kawalek said.

Kawalek said Sun moved into the VDI space last year because it embodies Sun’s ‘the network is the computer’ message. Another reason? It’s the popular thing to do. “Everyone is very interested in centralizing their desktop environment, which is why vendors like Hewlett-Packard and VMware are in this space,” he said.

Sun’s VDI Version 2.0 became available March 18 at $149 per user, including one year of support. Sun Ray thin clients start at $249. Directions on how to install VDI 2.0 are available online, and a free trial can be downloaded from Sun’s website.

Buying servers for virtual machines? Think blades

You may be considering new blade servers for your virtual host environments, and you are not alone. Gone are the days of the perception that blade servers have less horsepower than their general purpose counterparts. I recently attended a local virtualization user group meeting, and we talked at length about some new blade server products. Here are some takeaways of what virtualization administrators need to know about the new blade products:

Processor and memory inventory

The newest blade servers can run 4 sockets and 4 cores in one blade, and one model in particular that was favorably discussed is the HP ProLiant BL680c series. This is great for virtualization implementations with an incredibly small footprint. With the BL680c, each blade can house up to 128 GB of RAM. ESX 3 and Microsoft Windows Server 2008 are supported operating systems for virtualization implementations for this series of blades. One important note on the HP blade series is the Virtual Connect product for network connectivity. Fellow TechTarget contributor Scott Lowe covers this well in a recent tip.

You have to love the small footprint

With the momentum of virtualization migrations not slowing, the small footprint is very welcome in crowded data centers. The BL680c can provide 80 hosts of the spec above in one 40U rack with four enclosures! Using general purpose servers would take at least double the space to get the same number of virtual hosts.

Limitations?

Given the very small footprint of the blade server, there are some limitations to connectivity. While the BL680c excels in most areas, it is limited to only three expansion interfaces for additional networking and Fibre Channel connectivity. Most implementations, however, will be able to meet their connectivity requirements from the available options.

A smaller issue may be power sources. Blade servers will generally take different power sources compared to standard general purpose servers. The trade-off is that in feeding a blade server from an L15-30P outlet you may not need a power distribution unit (PDU). The PDU may take the same L15-30P interface, so plan your power sources and their availability ahead of time to get the correct sources in place.

The verdict

The current generation of blade servers is a serious contender for virtualization hosts. The small footprint only makes the case more compelling. As the blades now offer performance specs comparable to those of their traditional server counterparts, we should consider them for the host hardware environment.

Thoughts on the ‘top five’ trends in virtualization

I recently received a press release from London-based TechNavio, the creator of a Web-based information and research tool, that outlines the top five virtualization trends. Here they are, along with my own thoughts on these trends:

1. Business process automation.
TechNavio’s take. “Virtualization is expected to speed up the wider movement toward business process automation and remote collaboration. The TechNavio findings appear to indicate that the market in general is expecting a major investment in this area within the next two to three years.”
My thoughts. On the subject of business process automation, if TechNavio means “scripting,” I can agree with this trend. SearchServerVirtualization.com contributor Andrew Kutz has received a few questions from readers about automation, which suggests that there are plenty of other IT pros with similar questions. Also, he increasingly writes tips about scripting for X or Y, often concerning disaster recovery or hot backups. Most recently I’ve seen questions about scripting virtual machines (VMs) to power on and off at a certain time.
Food for thought. If scripting VMs advances, what will happen to the number of system admins and data center managers needed to run a data center? Perhaps all you IT programmers should slow down the scripting process before you script yourself right out of a job!

On the subject of remote collaboration, I definitely agree with TechNavio. I wrote an article on emerging client-side desktop virtualization technologies. In response, I received comments from readers who said that they had found a surprising number of companies that are exploring client-side virtual desktop infrastructure (VDI) technologies for implementation in 2008. I think it’s due time for VDI; just consider the number of stolen or misplaced laptops, or CDs containing personal information that went missing in the mail. . . . I don’t know about you, but identity theft certainly isn’t on my holiday wish list. And I certainly would appreciate company investment in this kind of technology, considering the increasing mobility of technology.

2. Network-delivered computing.
TechNavio’s take. “Virtualization is also expected to boost the move toward network delivered computing or what is being termed PC-over-IP. This in turn will place vendors such as Cisco, NEC and Sun at the heart of the market, but interestingly leaves the door open for a host of innovative start-ups.”
My thoughts. I would agree here as well. My aforementioned article discusses vThere, which focuses on primarily providing client-side virtual desktops via their own (i.e., third-party) servers that a client notebook would connect to when opening the virtual desktop. During interviews, my subjects all mentioned the trend of software vendors moving to providing their software via virtual machine. We have already seen a few virtualization companies provide beta versions of newer software via VM. As virtualization continues to grow in adoption, I can easily see all kinds of independent software vendors providing their products via virtual machine download.

3. Legacy applications and virtualization.
TechNavio’s take. “As application virtualization speeds up, applications development and maintenance or ADM, vendors have a real opportunity to grow into a new market defined as optimizing legacy applications for virtualization.”
My thoughts. We haven’t focused much on application virtualization on SearchServerVirtualization.com and SearchVMware.com, so I don’t have an informed opinion on this subject. Readers, do you?

4. Small and midsized businesses (SMBs).
TechNavio’s take. “The biggest long-term opportunity for virtualization vendors lies in the SMB space, specifically end-to-end solutions that allow SMBs to outsource and virtualize their entire network.”
My thoughts. I disagree here. Clearly, there is opportunity and space for virtualization in the SMB market, but to say it’s the biggest long-term opportunity? That’s a stretch. I doubt that larger businesses, once virtualized, will stop virtualizing. I think that a more accurate statement would be that virtualization vendors should target SMBs to further extend virtualization.

5. Labor market and skills.
TechNavio’s take. “As the market for server virtualization heats up, finding people with the right skills is set to get harder. With this environment TechNavio predicts that there will be increased opportunities for IT services companies as well as for IT staffing solutions providers.”
My thoughts. I don’t know if I agree that finding people with the right skills will become more difficult; it depends on the IT workers and their drive to stay on top of certifications that prove their worth. (Cough, the VMware Certified Professional (VCP) exam, cough, cough.) And whenever technology advances, desired skill sets change, so this prediction isn’t all that impressive. As far as increased opportunities for IT services companies, yes. It’s easier to go to a business and say, “Get me a sys admin with a VCP stamp of approval!” than it is to shuffle through résumés looking for those who are VCPs. And I definitely think that those who have the right credentials will find themselves in increasing demand: So stay on top of what you’re worth salary-wise given the move toward virtualizing mission-critical servers. Just because your current company doesn’t realize your worth, it doesn’t mean that Company Y — which has more virtualized servers and a greater need for those with virtual environment management experience — doesn’t.

TechNavio’s press release also included a quote after these “top five trends.” Co-founder of Chicago-based Infiniti Research S. Chand (who conducted the research for this report) said, “Currently the biggest beneficiaries of server virtualization are the enterprise users whose businesses tend to be dependent on running compute-heavy, high availability, application intensive data centers. These include: ISPs, hosting and managed service providers, banks’ trading divisions, gaming, online retailers and the like.”

So if you are looking to get the most (read: more money) from your virtualization experience, check job offers with companies that deal with these types of services.

Down and dirty with storage and networking: Virtualization Log

Designing the storage to go along with your virtual environment? In this tip, Anil Desai explains a variety of ways to avoid storage (I/O) bottlenecks. In his analysis, Desai covers all the bases: analyzing a virtual environment’s I/O characteristics, designing RAID configurations and fault tolerance and, finally, planning for host and guest-level backup.

Meanwhile, over at SearchVMware.com, Scott Lowe regales us with a great tip on the ins and outs of VST, EST and VGT VLAN tags in VMware ESX. He explains why VST tags are usually your best choice but also describes cases where EST and VGT might be more appropriate. The Internet is awash in virtualization content, but IMHO, this tip really exemplifies why TechTarget launched SearchVMware.com: to provide VMware administrators with the nitty-gritty technical information they need to properly configure their systems. I hope it’s helpful to you.

Editors’ note: Virtualization Log is a regular feature of the Server Virtualization Blog, where we recap the news, tips and columns that were recently published on SearchServerVirtualization.com and sister TechTarget publications.