I am frequently in discussions about NSX and its implementation: the requirements, function, where the network team lives, how it affects the current virtual environment, etc. All of these have been covered very well in other blogs, FAQs and documentation.
However, one thing I don’t hear often is that an enormous benefit of NSX is safety. I’ll explain. Oftentimes, when having the SDDC virtual network conversation with networking professionals, I have heard:
* “We can already do that”
* “Making changes for networks is not a big deal”
* “We make these changes all the time”
What I find most interesting about these statements is that they automatically assume that networking changes need to be made at the levels, locations and devices where they have always been made. In most cases, simple changes, such as adding a VLAN or other network changes, are made on the core switches. This, from a risk management perspective, is bad.
Everyone who works in the IT industry hates any change that causes an unexpected outage. This leads to unplanned work, which is always a huge time consumer and does not add any net value as it is just restoring previously existing functionality. The more you can reduce the chance of unplanned outages, the less risk you introduce into the environment. There is also an unseen benefit: trust. As you are able to make changes successfully in your environment, you gain trust from your business groups and peers, which in turn allows you to plan and implement more changes as they become less worried about a potential impact.
Why not eliminate the need for changes at critical, potentially sensitive, areas of infrastructure?
While it can be easily argued that implementing NSX has huge DevOps and operational benefits, one of the often unseen benefits is the reduction in unplanned outages that comes from the NSX architecture. A full implementation of NSX usually includes deploying the OSPF components (short description: the ability to publish routes across the network without manual configuration). Separating the datacenter into its own OSPF area accomplishes two things:
1. It cleanly separates the datacenter from the core with respect to networking.
2. It allows datacenter changes regarding networks, VLANs, etc., to be made in the datacenter and not affect the core.
These two items are huge!
* You need a new network for development? Add the network in the datacenter using NSX
* You need to add new networks for compute resources? Add those networks to the datacenter using NSX
* You need to isolate a network from other traffic? Make the change in the datacenter using NSX
See the benefit? A famous quote that comes to mind is from the NORAD computer, the WOPR: “The only winning move is not to play”. By moving where the change needs to be made, you change the game and no longer need to “play” in potentially dangerous areas that can cause major outages.
Next time you have a conversation about NSX, rather than talking speeds and feeds, talk risk. You might be surprised by the positive reaction you get to risk reduction.
Robert joined VMware in 2016 as a Technical Account Manager based in Sacramento, California. His area of specialty is SDDC, NSX and operations with a focus on security, compliance and optimization. He enjoys speaking at VMUGs and discussing the transformational aspects of technology with customers. Robert’s background includes working for the State of California as well as a large global retail company in their architecture and engineering departments.