Adaptive Segmentation | micro-segmentation | August 30, 2017

Notes from VMworld: The Micro-Segmentation Edition

Mukesh Gupta

Three days down and VMworld 2017 is still running at its peak here in Las Vegas as we head into the homestretch. Team Illumio has been busy demoing and discussing our adaptive micro-segmentation technology at the Solutions Exchange and beyond, and I’ve covered a lot of ground (in miles and conversation). Here are a few of my observations from a series of announcements and sessions:



I finally had the opportunity to dig deeper into NSX-T. NSX-V delivered overlay networking and distributed firewalling using an agent in the ESX hypervisor. Its sole reliance on ESX made it impossible for it to work in public cloud and on bare-metal servers. Customers made it loud and clear that they wanted a solution that worked for their hybrid infrastructure (any hypervisor, bare-metal, VMs, containers, public cloud, private cloud). So, it seems that VMware decided to build NSX-T from scratch to address these shortcomings of NSX-V. NSX-T uses OVS (Open vSwitch) in the operating system to deliver overlays and distributed policy enforcement. This approach allows NSX-T to work on hybrid infrastructure.

NSX for cloud was announced; it uses NSX-T's ability to secure native workloads running in AWS. It appears that NSX for bare-metal is still on the roadmap.

I’m glad to see that VMware finally realized that the operating system was the right place to deliver policy enforcement, an approach that Illumio pioneered four years ago. However, there are still several question marks looming over NSX-T:

  • OVS only works for Linux workloads. So, NSX-T only supports RHEL and Ubuntu operating systems. How will it support Windows workloads, which make up a large majority of the workloads running in data center and cloud environments?
  • OVS only works on relatively newer versions of Linux. Most of the customers we work with are still running older versions of Linux in their data center (e.g., RHEL 4.x, 5.x). How would NSX-T support those versions?
  • iptables, which Illumio activates for policy enforcement, has a companion feature called “ipsets” that allows iptables to work at scale (millions of IP addresses). OVS doesn’t have an equivalent of ipsets. So, OVS won’t be able to scale to large-scale policy enforcement.
  • Even though VMware uses “NSX” to refer to both, NSX-T and NSX-V are two completely different products. I have heard that NSX-T is “the new way.” Does that mean NSX-V, which is being sold to a large number of customers today, is going to be EOL’d a few years down the road? My guess is most likely yes – which raises the question: how would NSX-V investments migrate to NSX-T?
  • Finally, the visibility that’s critical to micro-segmentation is not built into either NSX-V or NSX-T. VMware’s answer to that is vRealize Network Insight. I did see some loose integration between vRNI and NSX-V, which is a good thing for customers. But I didn’t see anything with NSX-T. What we have learned over the years is that visibility and segmentation need to be tightly coupled for customers to successfully micro-segment their infrastructure.
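To make the ipsets point concrete, here is an added example (not code from the original post, nor from Illumio or VMware) that writes the same allow-list policy for one workload in two shapes: one iptables rule per peer address, and one rule that consults an ipset. It applies nothing to a live firewall; it only prints text in ipset-restore / iptables-restore syntax, and the set name `app_tier`, the peer addresses and port 5432 are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post or from Illumio/VMware.
# Emits an allow-list for one workload's database port in two shapes: one
# iptables rule per peer address vs. a single rule that matches an ipset.
# Nothing is applied to a live firewall; the functions only print text in
# ipset-restore / iptables-restore syntax. Set name, peers and port are
# constructed for illustration.

# constructed sample input: peers allowed to open connections to the DB port
PEERS="10.0.1.10 10.0.1.11 10.0.1.12 10.0.2.0/24 192.168.7.5"
DB_PORT=5432

# Shape 1: one rule per peer. The chain grows (and is evaluated linearly)
# with every address, and every membership change edits the live chain.
per_ip_rules() {
  for peer in $PEERS; do
    printf '%s\n' "-A INPUT -p tcp --dport $DB_PORT -s $peer -m conntrack --ctstate NEW -j ACCEPT"
  done
}

# Shape 2: the peers live in a hash:net set (single hosts become /32 entries).
# Load with:  ipset restore < file   (add -exist to make reloads idempotent)
ipset_restore() {
  printf 'create %s hash:net family inet\n' "$1"
  for peer in $PEERS; do
    printf 'add %s %s\n' "$1" "$peer"
  done
}

# ...and iptables carries one rule that consults the set with a hashed lookup,
# so the chain length stays constant no matter how many members the set holds.
ipset_rule() {
  printf '%s\n' "-A INPUT -p tcp --dport $DB_PORT -m set --match-set $1 src -m conntrack --ctstate NEW -j ACCEPT"
}

# number of iptables rules a generator function produces
count_rules() { "$@" | grep -c '^-A '; }

if [ "${1:-}" = "show" ]; then
  echo "# per-peer rules: $(count_rules per_ip_rules)"
  per_ip_rules
  echo "# ipset restore script for set app_tier:"
  ipset_restore app_tier
  echo "# iptables rules when using the set: $(count_rules ipset_rule app_tier)"
  ipset_rule app_tier
fi
```

Run it with `sh script.sh show`; adding a peer to the set changes the ipset script but leaves the single iptables rule untouched, which is what lets the rule count stay flat as membership grows.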


Another interesting announcement was NSX-T for Kubernetes and PCF. I attended the related sessions and watched the demo. Customers are really struggling with container networking, as there are far too many options out there and no clear guidance from the industry on what the right thing to do is. So, having a good option for container networking from a vendor like VMware is a good thing – even though I am not excited about having an OVS instance per namespace. NSX-T creates a switch (OVS) and a router per namespace. Isn’t that a lot of networking for one pod? I am not a big fan of overlay networks because they create an operations and troubleshooting nightmare, especially when things on the overlays need to talk to things that are not on overlays.

I'm seeing customers move towards flat/routed networking for containers as their container deployments mature. However, the industry is pretty imbalanced on overlay vs. flat container networking. The number of solutions available for overlay-based container networking (Flannel, Docker Enterprise, Contiv, Contrail, Nuage, and now NSX-T) is far higher than the options available for flat/routed container networking (Calico and Romana). I wish the industry were working harder towards a container networking solution that’s simpler and more effective. Stay tuned for a separate blog post from me on this topic.


VMware announced the availability of VMware Cloud on AWS. This is an interesting offering that VMware revealed its intention to build last year. VMware and AWS have joined forces and co-engineered this service, which allows VMware’s customers (who are already familiar with everything VMware) to run in the AWS cloud. AWS provides the hardware and the basic orchestration and networking that goes along with it. Customers will install ESX on top of that hardware and then run VMs on top of the ESX. This will give VMware customers the ability to go into AWS without re-training their teams and rebuilding their tools. Good move, VMware and AWS.


Illumio Adaptive Security Platform was named a “hot product at VMworld 2017” by Network World this week. Today is the final day at the Solutions Exchange, so don’t miss your chance to see it for yourself. We're showcasing breakthrough visualization and policy creation features and real-time application dependency mapping in our legendary theater-style demo non-stop from 10:00 AM – 5:00 PM. 


If you'd like to meet, I'm here for another day – drop me a line!
