We’re delighted to announce that VMware NSX can now leverage DPU-based acceleration using SmartNICs. This new implementation allows VMware customers to run NSX networking and security services on DPUs, providing accelerated NSX networking and security performance for applications that need high throughput, low latency connectivity and security. The DPU-based implementation also enhances network observability across different workload types while simultaneously increasing the host resources available to applications.
DPU-based Acceleration for NSX is a result of Project Monterey, an initiative that VMware began two years ago. VMware is delivering on Project Monterey with VMware vSphere 8, announced this week at VMware Explore. Combined with other future innovations introduced by Project Monterey, such as the ability to support VMware Cloud Foundation (VCF) networking and storage for bare-metal workloads, DPU-based NSX acceleration will, more than ever, free networking and security teams and developers from depending on generic host computing resources to power operations.
While we’ll continue to offer full support for hypervisor-based NSX architectures, the option of running NSX on a DPU offers several major advantages for industries such as financial services, healthcare, government, and telecom providers that require accelerated network performance.
To understand the significance of DPU-based Acceleration for NSX, one must first understand how SmartNICs work.
A SmartNIC is a network interface card with a built-in processor – known as a DPU – that can be managed separately from the host CPU. This means that networking, security, and storage services can run directly on the NIC instead of relying on the host CPU, as they conventionally did.
Offloading networking and security services onto the DPUs significantly accelerates network performance while reducing the host resources required to run them. And when fewer host resources are consumed by network services, more resources remain available for production workloads, which improves overall workload performance and helps to reduce hosting costs.
In addition, SmartNICs can expose virtual devices via the PCIe bus in a way that makes them appear to be actual hardware devices from the perspective of the host. Software-defined resources can therefore be managed by the host as hardware. This approach enables all of the flexibility of software-defined networking while still allowing resources to be managed by the host as if they were “real” hardware.
By running NSX on the DPU, businesses achieve advantages in four key areas: network performance, security, observability, and the total cost of ownership.
Because DPUs are optimized for running network services – such as network overlays (VXLAN, Geneve, etc.), network acceleration technologies (such as UPTv2/VMDirectPath), load balancing, and NAT – they provide better performance than generic CPUs. For example, the DPU-based implementation of NSX can achieve line-rate packet processing at lower packet sizes without requiring any additional passthrough technologies like SR-IOV. At the same time, it supports zero-downtime, high-availability features such as vSphere vMotion and DRS.
The bottom line here is that networking services will typically run faster on a DPU than they would on a host CPU, while simultaneously consuming fewer resources and supporting vSphere high availability capabilities.
Running network security services on a DPU provides enhanced performance and granular security and monitoring for network traffic. Additionally, instead of relying on simple packet inspection, the DPU-based NSX security implementation can contextualize network traffic based on the application generating the traffic and process traffic behavior accordingly in order to provide more accurate insights on security risks.
The DPU-based implementation will support L2-L7 firewalling, distributed IDS/IPS, URL whitelisting, custom FQDNs, and other NSX security features.
And again, because these networking security services run on optimized hardware, they achieve better performance when compared to using host computing resources.
The DPU-based NSX solution can monitor all traffic flows directly on the NIC. This means you gain total network visibility and observability – including enhanced network topology views, flow- and packet-level capture and analysis, and IPFIX support – without having to implement complex network TAPs or SPANs.
In addition, because networking services running on DPUs are isolated from hosts and applications, a DPU-based architecture makes it easier to delineate operational responsibilities between DevOps teams and VI admins, who can focus on and manage host-level workloads, and NetSecOps teams, who can manage networking infrastructure and services on the SmartNIC.
As noted above, offloading networking and security services to DPUs means that more host resources (in the form of CPU, memory, and I/O cycles) are available for your workloads. As a result, you can fit more workloads on fewer servers, without compromising on the observability, manageability, and security features that vSphere and NSX offer.
Customers also benefit from operational savings as the implementation unifies management across different workload types and simplifies Day 2 operations with easier micro-segmentation implementation, granular IDS/IPS, and network observability without the need for TAPs/SPANs.
Businesses across a variety of sectors can benefit from the advantages described above. Examples of major use cases for the DPU-based NSX implementation include:
- Financial Services Applications: Financial services organizations can leverage DPU-based NSX acceleration to achieve ultra-low-latency, high-bandwidth networking, giving them the ability to support high-frequency trading applications that typically need to complete trades in fractions of a second.
- Security and Observability in Healthcare deployments: As healthcare organizations continue to expand their use of IoT-connected medical devices, cloud services, and cloud-native applications, traditional, perimeter-based security cannot keep pace with fast-evolving security threats. By delivering deeper visibility and security controls, the DPU-based NSX implementation will offer enhanced capabilities for staying on top of security risks in the healthcare industry.
- Zero-trust Security in Government: Likewise, government agencies face a steadily increasing string of attacks and threats. DPU-based Acceleration for NSX will make it easier for agencies to implement a zero-trust security architecture that isolates network services from workloads, while also maximizing visibility into network-based security threats.
- Telco Edge Clouds: Telecommunications companies that operate SDN- and NFV-based infrastructure can leverage NSX running on DPUs to achieve finer-grained control over networking services, while also achieving even better performance across their network infrastructure and lowering costs.
These are just a handful of examples of how the DPU-based NSX implementation can be leveraged in the real world. We’re excited to work with customers across the globe as they apply this new offering to their networks.
Our technology ecosystem partners have played an important role in Project Monterey from the beginning, and they remain vital as we work to bring NSX to SmartNICs. The initial release of the DPU-based NSX implementation will support industry-leading server and hyper-converged infrastructure platforms from Dell Technologies and Hewlett Packard Enterprise (HPE), and SmartNIC solutions from NVIDIA and AMD Pensando.
Want to know more about DPU-based Acceleration for NSX and what it means for your business? Check out this overview web page, release notes for full technical details, or view our collection of videos that dive into the offering’s features and benefits. This blog post covers updates in vSphere 8 that enable NSX acceleration.
You can also visit us at an upcoming VMware Explore event to participate in sessions or chat with us directly about this most recent Project Monterey achievement, as well as what to expect going forward as we develop even more ways for customers to leverage SmartNICs to optimize networking performance, security, and observability.
- High-performance security capabilities are available as a tech preview feature in NSX 126.96.36.199. These features are currently not recommended for use in production environments. Please reach out to your VMware representative for more details.