By: Chris Colotti, Consulting Architect, VMware Global Center of Excellence

This is a repost from Chris' personal blog.

The other day I was sent a link to a 9-slide deck titled “Life before and after vCloud Director”, put together by someone I do not know, which takes the time to point out some specific challenges with vCloud Director, mostly around networking and vShield Edge. From what I have learned this deck was previously circulated and has recently resurfaced. It tries to explain that datacenters after vCloud Director are “Extremely Fragile”, due mainly to the fact that we use vShield Edge. As a vCloud person myself I felt somewhat obligated to address some of these points for you in a more structured approach. Some of the notable points presented as “facts” in the slides are as follows:

  • “The Entire Networking Functions of vCloud Director relies on a single VM, and the Entire Datacenter performance and capabilities are then as powerful as this device…”
This is not entirely true. The vShield Edge appliances are an optional component, deployed based on your chosen network configuration. It should be noted that the vShield Manager appliance, however, is a required component to complete the vCloud Director configuration. As we know, these are two different things within vCloud Director and should not be confused. If you choose not to use vShield Edge when setting up networks, then all your networking is backed by standard vSphere switch port groups, and networking is unchanged. Some other points made about the vShield appliance:
  • “One vShield is needed for every network”
  • “It Can Fail”
  • “It has no redundancy capability”
  • “It is the firewall, router, DHCP, and Load Balancer to the vCD system”
  • “vCloud does not support other 3rd party alternatives”
  • “It creates very complex network connectivity”

A vShield appliance is only needed if you choose to NAT-route the Organization networks or the vApp networks. These NAT-routed networks are not technically required, but are used if the design considerations call for them. Of course, using them within vCloud Director is a preferred means to achieve easy multi-tenancy. Yes, vShield Edge devices and vShield Manager could fail. Let’s be honest: ANYTHING can fail, so that statement is pretty broad and without much merit. However, the Edge is a VM, most likely protected by VMware HA, as are so many other production Virtual Machines today. There are also multiple blog posts about how VMware Fault Tolerance can be used to protect the vShield Manager as well as the deployed vShield appliances themselves.

The appliance is the firewall, router, DHCP server, and load balancer for selected networks and Organizations, but not for the “vCD System”. You can always use directly connected networks and external firewalls, as well as load balancers and VPN devices. Again, vShield is NOT a requirement; it is simply a tool to assist in the design of a multi-tenant vCloud Director deployment. We have also had folks deploy other Virtual Machines in the cloud itself to handle some of these functions, including virtual load balancers.
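Since the deck's real concern is an Edge appliance being an unprotected single point of failure, the practical check is whether each deployed Edge VM actually sits in an HA-enabled cluster with a restart priority that is not disabled. The following PowerCLI audit is an added example and not part of the original post; it assumes an existing Connect-VIServer session and that Edge VMs follow the "vse-*" naming pattern (an assumption; adjust the pattern to your deployment).

```powershell
# Added example (not from the original post): audit vShield Edge VMs for HA/FT protection.
# Assumes: PowerCLI session already connected via Connect-VIServer, and that Edge appliances
# are named with the "vse-*" prefix (assumption; change $edgePattern to match your environment).
$edgePattern = 'vse-*'

$report = foreach ($vm in Get-VM -Name $edgePattern) {
    $cluster = Get-Cluster -VM $vm
    # FaultToleranceState is 'notConfigured' unless FT has been enabled on the VM
    $ftState = $vm.ExtensionData.Runtime.FaultToleranceState
    [pscustomobject]@{
        Edge            = $vm.Name
        Cluster         = $cluster.Name
        ClusterHA       = $cluster.HAEnabled
        RestartPriority = $vm.HARestartPriority   # 'Disabled' means HA will not restart this VM
        FTState         = $ftState
        # Protected if the cluster runs HA and the VM is not excluded from restart, or FT is running
        Protected       = (($cluster.HAEnabled -and $vm.HARestartPriority -ne 'Disabled') -or
                           ($ftState -eq 'running'))
    }
}

$report | Sort-Object Protected, Edge | Format-Table -AutoSize

# Edges listed here are the single points of failure the slide deck worries about.
# The remediation is to protect the VM (Set-VM -HARestartPriority High, or enable FT),
# not to abandon NAT-routed networks.
$report | Where-Object { -not $_.Protected }
```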

I have always said in public forums that the networking is complex and is something people need to start understanding. This is no different from when VMware administrators needed to start understanding and learning about VLANs and trunking back in the early days. As things evolve they inherently become more complex. That's the nature of the beast and the new learning curve we all have to deal with. Has storage become less complex over time? What about networking in general, with VXLAN or other new technologies? People in general are afraid of new complexity because it is hard, and most people fear change and learning something new. Yes, it’s complex; life is complex. Learn it and move on to the next thing to learn that is more complex.

Let’s be honest here. Yes, there are some challenges with vCloud Director, in some cases beyond the networking alone; I think nobody will deny that. The difference is that many good architects have designed around them with what I call “Creative Critical Thinking”. The points above are narrowly focused on a few aspects and don’t tell the whole story in 9 slides. I would submit that anyone can address many of the concerns, and many have, including some large service providers. It’s about architecting around the challenges, some of which may even be addressed in future releases of vCloud Director. Talk to a couple of vCloud Director customers and community experts to understand how these things can be addressed.

Chris is a Consulting Architect with the VMware vCloud Delivery Services team with over 10 years of experience working with IT hardware and software solutions. He holds a Bachelor of Science Degree in Information Systems from the Daniel Webster College. Prior to VMware he served a Fortune 1000 company in southern NH as a Systems Architect/Administrator, architecting VMware solutions to support new application deployments. At VMware, in the roles of a Consultant and now Consulting Architect, Chris has guided partners as well as customers in establishing a VMware practice and consulted on multiple customer projects ranging from datacenter migrations to long-term residency architecture support. Currently, Chris is working on the newest VMware vCloud solutions and architectures for enterprise-wide private cloud deployments.