By Ed Hoppitt, EMEA Lead – Cloud-Native Apps and DevOps at VMware

VMware vSphere Integrated Containers (VIC), now at version 1.2, is seeing a significant level of interest from customers wanting to leverage it to repackage legacy applications as they start their journey toward applications built around new, modern frameworks. VIC is a feature of VMware vSphere that allows IT operations to deploy container workloads that integrate with their Software-Defined Data Center across security, networking and storage while allowing the consumers of those containers to use the popular Docker CLI and API to run container images.

As a first step in moving workloads into containers, VIC provides a range of benefits over containerizing traditional applications in a bare-metal container runtime.

Security Benefits of VIC

VIC makes use of the advanced functionality in the VMware vCloud Suite and surfaces that functionality to container workloads running in your environment. Container workloads can be isolated and encrypted from end to end to maximize data integrity. These benefits can be built into policy-driven deployments with VMware vRealize Automation to ensure that control is exercised over the deployment of containerized workloads without removing the agility that developers demand or their ability to self-serve via a container CLI or API.

VIC also comes with the ability to deploy developer sandboxes and container-build environments. It includes extensive identity and access management features, such as AD/LDAP integration and SSO. The integrated Harbor registry provides a best-in-class registry with detailed role-based access control (RBAC). Image replication allows you to synchronize all the Harbor registry instances across the enterprise, giving you a maintained copy of your enterprise registry out of the box.

Improving Security by Isolating Containers in Virtual Machines (VMs)

VIC provides VM-level security for container workloads as a result of an architecture that allows a containerized workload to be deployed within a traditional VM. Although containers provide process isolation, a virtual machine wrapper provides a significantly stronger and more easily auditable construct for encapsulation, not to mention a reduced attack surface.

The integration with VMware NSX provides a software-defined networking solution to ensure that both container-to-container and container-to-legacy traffic is managed, policy driven and micro-segmented. As your application scales in complexity, only an integrated software-defined networking solution allows security to keep pace with the level of agility needed to deliver the business benefits of speed.

Storage virtualization with VMware vSAN provides an easily managed, multi-tenanted storage environment to ensure that storage workloads are deployed and controlled against known, policy-driven performance requirements.

VIC uses a container-specific micro-operating system with a Linux kernel that is patched and managed as part of vSphere Integrated Containers. As a result, you do not need to deploy a full Linux operating system. The container-specific operating system in VIC vastly reduces the attack surface within your environment and drives stronger isolation than is achieved when running a full operating system as the container host.

Maximizing Data Integrity with Encryption

Hypervisor-level encryption allows any workload to be encrypted with zero changes to the code. As opposed to traditional container encryption that is managed through flags in configuration files, encryption in VIC is managed with policies that live with the workload, and they can be managed and enforced by IT operations. A range of key managers can be used to encrypt running VMs based on the industry standard KMIP 1.1, allowing the use of a range of both commercial and open source key management solutions. High-performance VM-level encryption is provided by making use of Intel’s AES-NI (Advanced Encryption Standard New Instructions).

In addition, VMware NSX ensures network encryption not just between container workloads, but also back to legacy workloads running within VMs and also between clouds—an essential requirement when your application landscape reaches between both containerized and traditional workloads, as well as public and private clouds.

When using vSAN, VIC can encrypt data at rest by using an XTS AES 256 cipher.

Ensuring Legacy Apps Thrive in a Container

Legacy applications expect a resilient infrastructure underneath them. Therefore, when containerizing a legacy workload it’s important to ensure that user experience isn’t compromised by a less-than-resilient infrastructure layer such as bare-metal servers.

  • VMware vSAN reliably stores both container and stateful data.
  • VMware vMotion allows host-to-host portability of container workloads without a loss of state, which is critically important for traditional applications and an unsolved problem if you are running a traditional application in plain-vanilla containers or Kubernetes.
  • vSphere High Availability (HA) and vSphere Distributed Resource Scheduler (DRS) ensure that a legacy app repackaged as a container workload is fully supported by the underlying infrastructure without affecting the flexibility that the container API and CLI provide.
  • The VMware AppDefense security engine provides the potential for a totally new level of security and integrity management.

Improving Cost Efficiency

The containerization of workloads is an extension of the journey to virtualization that many companies started in the name of operational efficiency. The cost of running an application goes far beyond the cost of running just the container.

Building on mature strategies developed around driving VM consolidation will pay dividends when looking at container workloads. For example, running container workloads from a single SDDC platform alongside traditional workloads avoids building a new silo of compute to address the need for a new consumption API, and allows re-use of existing investments in hardware, compute, network and storage. The result avoids the issues of stranded resources that were such a focus for IT in the early 2000s, when people started their virtualization journey.

VIC vastly reduces the management complexity of containers because it does not require the deployment of a whole OS onto every container host, decreasing the number of snowflake host operating systems that you need to manage, maintain, secure and license. Choosing the right tool, like VIC, for your app modernization projects is essential. Consult our earlier blog on this subject for even more insight.

For more on containerizing traditional applications using VIC, check back with the Cloud-Native Apps blog and follow us on Twitter (@cloudnativeapps).