The other day I was sent a link to a 9-slide deck titled “Life before and after vCloud Director”, put together by someone I do not know, which takes the time to point out some specific challenges with vCloud Director, mostly around networking and vShield Edge. From what I have learned this deck was previously circulated and has recently re-surfaced. It tries to explain that datacenters after vCloud Director are “Extremely Fragile”, due mainly to the fact that we use vShield Edge. As a vCloud person myself I felt a bit obligated to address some of these points for some of you in a more structured approach. Some of the notable points that are presented as “facts” in the slides are as follows:
- “The Entire Networking Functions of vCloud Director relies on a single VM, and the Entire Datacenter performance and capabilities are then as powerful as this device…”
- “One vShield is needed for every network”
- “It Can Fail”
- “It has no redundancy capability”
- “It is the firewall, router, DHCP, and Load Balancer to the vCD system”
- “vCloud does not support other 3rd party alternatives”
- “It creates very complex network connectivity”
A vShield appliance is only needed if you choose to NAT-route the Organization networks or the vApp networks. These NAT-routed networks are not technically required, but are used if the design considerations call for it. Of course, using them within vCloud Director is a preferred means to achieve easy multi-tenancy. Yes, vShield Edge devices and vShield Manager could fail. Let’s be honest…ANYTHING can fail, so that statement is pretty broad and without much merit. However, it is a VM, most likely protected by VMware HA just like so many other production Virtual Machines today. There are also multiple blog posts about how VMware Fault Tolerance can be used to protect the vShield Manager. Unfortunately, at this time FT does not work properly on the edge devices themselves, but we should see that change in the future.
The appliance is the firewall, router, DHCP server, and load balancer for selected networks and Organizations, but not for the “vCD System”. You can always use directly connected networks and external firewalls, as well as load balancers and VPN devices. Again, vShield is NOT a requirement; it is simply a tool to assist in the design of a multi-tenant vCloud Director deployment. We have also had folks deploy other Virtual Machines in the cloud itself to handle some of these functions, including virtual load balancers.
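Since the whole “single VM, it can fail, no redundancy” argument comes down to whether the edge and manager VMs actually sit under HA, here is a quick way to check that rather than take it on faith. This is an added PowerCLI example, not part of the original post and not something that ships with vCloud Director. It assumes a vCenter at the placeholder name vcenter.example.local, that the edge VMs carry the “vse-” name prefix (adjust the pattern to whatever your deployment uses), and that the vShield Manager VM is called vShield-Manager; all three names are assumptions.

```powershell
# Added example (not from the original post): audit HA/FT protection of the
# vShield Edge and vShield Manager VMs that a vCloud Director deployment relies on.
# Assumptions (hypothetical): vCenter is vcenter.example.local, edge VMs are named
# with the "vse-" prefix, and the manager VM is named "vShield-Manager".

Connect-VIServer -Server vcenter.example.local

$edgePattern = 'vse-*'            # assumed naming pattern for NAT-routed network edges
$managerName = 'vShield-Manager'  # assumed name of the vShield Manager VM

$vms = Get-VM | Where-Object { $_.Name -like $edgePattern -or $_.Name -eq $managerName }

$report = foreach ($vm in $vms) {
    # Get-Cluster -VM returns nothing when the host is not in a cluster (so no HA at all)
    $cluster = Get-Cluster -VM $vm -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        Name             = $vm.Name
        PowerState       = $vm.PowerState
        Cluster          = if ($cluster) { $cluster.Name } else { '(none)' }
        ClusterHAEnabled = if ($cluster) { $cluster.HAEnabled } else { $false }
        RestartPriority  = $vm.HARestartPriority
        # FT state from the vSphere API object; only the manager is expected to show 'running'
        FTState          = $vm.ExtensionData.Runtime.FaultToleranceState
    }
}

$report | Format-Table -AutoSize

# Flag anything that would quietly be a single point of failure
$report |
    Where-Object { -not $_.ClusterHAEnabled -or $_.RestartPriority -eq 'Disabled' } |
    ForEach-Object { Write-Warning "$($_.Name): not protected by VMware HA" }
```

Run it against a vCenter you have read access to; a warning for every edge is the real “fragile” case the deck describes, while edges restarting under HA with the manager under FT is the picture most production designs actually end up with.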
I have always said in public forums that the networking is complex and is something that people need to start understanding. This is no different than when VMware administrators needed to start understanding and learning about VLANs and trunking back in the early days. As things evolve they inherently become more complex. That’s the nature of the beast and the new learning curve we all have to deal with. Has storage become less complex over time? What about networking in general with VXLAN, or other new technologies? People in general are afraid of new complexity because it is hard, and most people fear change and learning something new. Yes, it’s complex, life is complex…learn it and move on to the next thing to learn that is more complex.
Let’s be honest here. Yes, there are some challenges with vCloud Director, in some cases more than the networking alone; nobody will deny that, I think. The difference is that many good architects have designed around them with what I call “Creative Critical Thinking”. The points above are narrowly focused on a few aspects and don’t tell the whole story in 9 slides. I would submit that anyone can address many of the concerns, and many have, including some large service providers. It’s about architecting around the challenges, some of which may even be addressed in future releases of vCloud Director. Talk to a couple of vCloud Director customers and community experts to understand how these things can be addressed.