Adios, legacy network architectures: Making the jump to NSX

Frustrated by the limits of hardware-centric network architectures, cloud provider FireHost has been testing VMware's NSX platform to improve its security.

Eager to build networks that were more agile and programmable, cloud providers were among the first to adopt software-defined networking (SDN) and network virtualization. In this edition of "The Subnet," we dive into the experiences of one of them. Jason Rieger, principal network and security architect at Texas-based cloud provider FireHost Inc., has been testing VMware's NSX platform with the hope of putting it into production environments later this year.

What are you working on lately?

What's been on my plate for upwards of the past year or so pretty hardcore has been software-defined networking and network virtualization. I spent the greater part of the last two years researching every vendor under the sun. They're a new take on an old paradigm. They offer a lot of the benefits that networking professionals have, for many years, been asking for. And, hey, now is the time.

Specifically, in regards to network virtualization, it is a re-architecture of our secure cloud hosting environment. FireHost is a secure cloud hosting provider, so we offer a purpose-built and highly secure infrastructure-as-a-service offering to our customers, and that requires a very scalable, secure and high-performing environment for those tenant workloads to run on. I've been working over the past year with another of our architects -- from the compute and storage side, and me from the networking and security side -- and we've been engineering and developing this new generation of cloud architecture where network virtualization is a key player.

Why did you go with NSX? VMware's heritage is not networking, so what made you confident it was the right fit?

I get asked that all the time: 'Why NSX over ACI?' 'Why over Nuage Networks or Juniper's Contrail acquisition?' Well, [the vetting process] was difficult. It was far-reaching. It required a lot of due diligence and getting to know the product -- trials, tribulations and what have you. So it required a lot of research with the vendor itself, getting to [talk to people at] product manager levels and having a clear understanding of where their short-term roadmap as well as their long-term roadmap was concerned.

We chose NSX for a few major reasons. We are a VMware vSphere hypervisor shop. We are not a multi-hypervisor shop currently. Whether that'll change in the future, who's to say? But we are a vSphere environment today, so we knew that we would get a lot of economies of scale, as well as better integration because we use their hypervisor. That's not to say other vendors don't support VMware vSphere; they do. But what we [liked about VMware] was the concept of in-kernel firewalling and security services. And that's one of the things, since we're in that business, that attracted us -- me in particular -- to the VMware NSX platform.

It is a network security platform on which we can build and where third parties can write code and interact with the APIs that VMware provides on that platform to enhance [its] security services -- and that's what we're looking to do. We provide a very highly secure cloud environment today, but this will allow us to enhance those security offerings even further, as well as deliver them more quickly than ever.

The last thing I would cite as a reason for committing to NSX over some other technologies is that it's the most robust solution available today. A lot of the other vendors are just starting or are certainly behind in the game, and we're ready to go now.

What can you achieve with network virtualization that you can't with legacy network architectures?

There are several pain points associated with our existing architecture when it comes to the networking side of things, such as the way we configure tenant isolation. Network virtualization will allow us to do that in a different way that is more scalable as the company grows.

It will use the current capabilities of the underlying physical network hardware coupled with capabilities that are available in software from a firewalling standpoint. It's a hybrid approach, utilizing VLANs that are configured in the underlying physical network. In conjunction with that, we leverage software-based firewalling in the hypervisor to achieve isolation at a software level, so we have you covered both ways. If there's a failure in the software, you've got the underlying VLAN configuration in the hardware delivering the isolation.

Operationally speaking, it's also easier to manage when it's all in software, hence this attraction to software-defined networking and network virtualization. That's because one of the key things SDN does is decouple the hardware from software and takes things like firewall policies out from your underlying routers and switches. It puts that into software applications and usually a centralized controller to deliver those policies to the places where the customer's data actually travels. You're running a network environment that's built and operated and exists inside of software, and the underlying hardware environment -- the routers and switches -- they don't really know what's going on in the software environment. They're just there to forward packets. So it creates a very, very good separation of church and state, and it allows for faster development cycles.

How did you develop the job skills needed to implement this?

My first exposure to virtualization -- and it was server virtualization, obviously -- was back in the early 2000s, around 2001 or 2002. VMware wasn't a big name back then, and they had among the first hypervisors out there. It was VMware ESX and GSX back then, and then there was Citrix's XenServer. I started to dabble in server consolidation, which was a big thing in that timeframe, in which enterprises were looking to get more out of less hardware. They were consolidating physical hardware systems, doing physical-to-virtual migrations. They were taking, say, 10 physical servers and turning them into 10 VMs on one physical server. So server consolidation was a big part of what brought me into server virtualization back then.

Then after server virtualization came the foundation of what would eventually become network functions virtualization on the timeline. It comes before network virtualization, which is where we are now. In the mid-2000s, you started to see more virtual network appliances and functions. All this means is you take a physical switch or a physical router, and you port the code into a virtual machine so that it's no longer a physical device; it's a virtual appliance that does the same thing it was doing when it was a piece of hardware -- things like routers, switches and firewalls. So I started doing that and I said, 'Hey, I don't need all these physical switches' or, 'This router here is a good candidate for virtualization,' so I converted it into a virtualized router.

How did you get into IT and, specifically, networking?

I didn't study anything technology based in college. I actually have a bachelor's degree in marketing. I went to work for a mortgage servicing firm, but I didn't last there very long at all.

A buddy of mine worked for Perot Systems and said, 'Hey, come on board,' so I did. And I did the lowliest of the low when anybody enters the technology realm for the first time: I loaded backup tapes on a graveyard shift. That didn't last too long -- I could only physically do that for about six months. So then I moved into a helpdesk role for the National Car Rental and Alamo Car Rental contracts for Perot Systems. From there, I increased my skill set in everything -- in Microsoft and Cisco technologies -- but still didn't know where I wanted to be. That's when I first entered the employee development program at Perot Systems, and that's where I got introduced to networking.

I just found it fascinating -- how these electrical signals get from PC to PC, how it actually makes sense after it's sent, and how something could interpret an electrical signal on a piece of copper after it arrives.

One more before we finish: If you lived in the Game of Thrones universe, which family would you belong to?

You know, my wife watches this intently and I do catch it, so I know the families. I think it would be the Lannisters.

That's a bold choice. Care to explain?

Correct me if I am wrong in my interpretation of this family: ruthless?

Well, yes…

I'm ruthless in my passion for what I do. Nobody really gets in my way when I want to either learn something or if I believe something should be implemented, deployed or you name it, so I'm a Lannister in that sense of the word.

This was last published in May 2015