Virtual Appliances have appeared on the horizon as an unstoppable force. Where traditional appliances supplanted the office and data centre server, the virtual appliance has taken this to a new level and in turn rendered the incumbent effectively obsolete. Where appliances addressed critical needs not addressed by office servers, they also introduced further complexities and difficulties which are easily resolved by virtual servers. This white paper takes a look at the advantages of virtual appliances in comparison with physical appliances and addresses some of the key benefits, which include ease of evaluation and testing, ease of deployment, streamlined redundancy and backup, and scalability and mobility.
The Need for Scalable Architecture
Most organizations today spread their applications across servers based on functional boundaries. Both large and small companies use email servers, file servers, web servers and so on. Over time, the trend has been to dedicate a specific server for each function. This allows for a scalable, highly flexible architecture. As the organization grows, greater demands are placed on the infrastructure. Not just from an increase in the number of users, but also in terms of the geographic footprint. Branch offices will require their own servers for certain applications. Fault tolerance also plays a part, driving larger installations towards multiple, duplicated servers in preference over a single monolithic system.
As servers don’t generally require user interaction, the trend has been to use vendor-supplied appliances for certain types of applications. An appliance allows for a relatively small footprint and also provides more of a plug and play infrastructure over the traditional server application experience. As load increases, new appliances can be brought on-stream and the load distributed evenly. The system administrator can maintain a surplus of similar appliances and install these in the event of failure or increased load. Dividing the application base into component parts and spreading these components across multiple appliances is a tried and tested method of delivering a scalable architecture.
However, industry research by VMware shows that the system usage per appliance can be as low as 15% of the available processing power. Effectively, the server budget is over six hundred percent higher than necessary. Maintaining a pool of idle servers on standby in case of increased load or for failure recovery can adversely affect the efficiency even further. Amalgamating applications on each server can go a long way toward resolving the usage issues but at a cost. Running different applications on the same server loses the scalability of the appliance solution and can create security issues.
In addition, maintaining a homogeneous environment of appliances is extremely difficult if not impossible. Complicating this is the need to upgrade different applications at different times. A new appliance can have a different platform configuration which will make it difficult to migrate users from an older appliance to a new one.
A virtual appliance is one which subdivides the physical hardware into multiple virtual machines. Each virtual machine provides a self-contained appliance layer to the application. Virtual appliances can thus be distributed across the set of systems merely by transferring a virtual appliance image. Load balancing can be achieved between different servers with no need or requirement to physically move the appliance. The virtual image is simply transferred to the appropriate server.
Any given server can be running a widely disparate range of applications. Server loading can thus be tightly controlled by distributing tasks across physical servers. The resources can be equitably shared across the application pool. Memory utilization, disk utilization and of course processor utilization can be more accurately balanced and controlled.
By encapsulating each application in its own virtual appliance, the needs of that particular application can be tuned more precisely. Virtualization provides all of the benefits of the traditional appliance with the following additional key benefits:
The advantages of virtual servers
Ease of Evaluation and Testing
In order to evaluate a new appliance, the manufacturer must first ship a sample appliance to the evaluation tester. Once the decision is made to perform the evaluation, arranging for a sample appliance can often take on the order of two weeks before the appliance is available for testing. On completion of the evaluation, the sample appliance must then be shipped back to the manufacturer. Even in the event that the appliance is purchased, generally a new appliance will need to be shipped as the sample appliance will be “shop soiled” and unavailable for sale. Further to this, often it is a requirement of evaluation that the appliance be tested within the data centre or at a remote geographic location. This adds further difficulties in installing and performing the evaluation as the tester must arrange for the appliance to be further delivered to the data centre and installed.
Virtual appliances allow the user to load the virtualized image onto an existing server or desktop and begin evaluation and testing immediately. On completing the evaluation, the administrator or evaluator can simply remove the virtual image and the system is restored to its original state.
By encapsulating the server image in a single file, it is possible to duplicate the image and revert to an earlier image as necessary. By using a virtual server, the test team can produce a pristine installation and duplicate that image. For each test, they can then begin the process starting with a copy of the pristine image and be confident that there are no vestiges of the previous test. For example, using the VMware application and the WebTitan webfiltering appliance, it is possible to bring up an evaluation copy of the product with little more than a download. Extensive testing in a real-life environment can begin almost immediately after preliminary configuration. At any point during the evaluation, it is trivial to revert to the original installation without the need to ship a new appliance. The evaluation can also be performed on the latest version of software available, as opposed to the version of software which was imaged onto the physical appliance during the manufacturing process some months previously. If a physical appliance is shipped by the manufacturer, it is possible that not only is the software out of date with the manufacturing process, but also that the appliance itself has been misconfigured in some way by a previous evaluation, which will be difficult if not impossible for the evaluator to determine.
At the completion of an evaluation, it is often essential to retain the test data or evaluation data for some period of time until decisions have been made by other teams or by senior management. In the normal case, this requires that the sample appliance sit idle until such time as it is free to be reinstalled and redeployed. In some cases, the manufacturer will request the return of the appliance before even the evaluator has had time to complete the evaluation. In the case of virtual appliances, old evaluation and test images can be saved to tape or other backup medium for future analysis or further testing, thus freeing up the test system for other tests. Similarly, the test system can be easily restored to a pristine state by the application of a new image, thus preventing cross contamination of tests.
Ease of Deployment
Ease of deployment is a key requirement for any data centre or organization. The importance of being able to migrate an image onto a new virtual appliance cannot be overstated. Each virtual image contains all the necessary components to deliver the required service or function. The image can be effortlessly deployed to any virtual machine anywhere.
Installing a new appliance in a data centre or branch office can take days if not weeks. The hardware must be delivered in the first instance. Secondly, it must be pre-staged and then shipped to its eventual destination. It is often the case that the person performing the initial configuration or pre-staging is not the same person performing the physical installation. This can raise several issues. Most notably, changes in physical topology can render the pre-staged configuration obsolete. Also, it is often the case that the configuration must be performed by a specialist. This means that the physical appliance must be installed at the data centre prior to the arrival of the specialist. It is possible to streamline this in large data centres but it is still cumbersome and generally not available to smaller organizations.
By way of contrast, utilizing a virtual server application such as VMware decouples the server deployment and the deployment of one or more virtual appliances. Often in the case of a branch office, the server is deployed by the hardware provider and is up and running almost immediately. Virtual appliances can be deployed as soon as they become available. Any specialist knowledge can be applied without the need for scheduling. No issues arise from the physical topology as little or no change is required.
Being able to deploy a new webfiltering appliance such as WebTitan simply by attaching the image to the virtual server application (such as VMware) allows an organization to bring up the new security system in a matter of minutes instead of hours or even days.
Redundancy and Backup
It is essential in this day and age that organizations plan for the possibility of disaster. This is essential regardless of the size of the organization. In fact, it could be considered to be more important for smaller organizations as large companies have significant resources to specifically deal with redundancy, backup and disaster recovery. In contrast, smaller companies will often struggle with maintaining offsite backups for the different appliances deployed. Often, each appliance will have its own backup schema, making automation difficult if not impossible and requiring specialist knowledge by the person tasked with maintaining backups.
A virtual appliance encapsulates all of the required “bits” for that server in an image file. It is possible to back up the image file on a nightly basis and to automatically copy the image to an off-site facility using the Internet. As the appliances within the organization become virtual, the mechanism for backing them up becomes standard across all appliances. Eventually, an automated task can perform the backup operation for all of the virtual images. In the event of a disaster, the image can be redeployed and the only loss to the organization will be the data produced since the last backup, which will often be inconsequential. By using virtual server images, the organization can even redeploy its server pool without needing to replace much hardware. Several companies offer a “hot standby” site which can be tailored to virtual server images, allowing staff to resume work almost immediately.
It is also far easier to manage duplicated server applications using virtual servers. If the organization has five or six server applications such as an email security gateway, web content filter gateway, CRM application and so on, replicating these applications can require five or six additional appliances. Using virtual servers, it is possible to replicate all of the server applications with as few as two physical systems.
Redundancy can also be a core requirement when an organization is geographically dispersed. Each branch office will require its own email security server, domain server and so on. Generally, distributing the applications to each of the remote offices will require a different appliance for each application. Virtualization is almost essential in this case as it allows each branch office to deploy a single hardware system with multiple virtual appliances instead of multiple physical appliances. The head office administrator can thus spread the virtual appliance suite based on each appliance and based on demand rather than on geography. New servers can be deployed and load-balanced with virtual machines at each outpost based purely on real time requirements.
Backing up a virtual image is relatively straightforward in comparison to backing up a live system disk. Being able to represent the entire system as a virtual image has many advantages, particularly in terms of nightly backups or in the event of a restore from archive. Should a given system fail, which is not at all unusual, the images which were backed up can be immediately redeployed on another virtual machine with little or no down-time. Another virtual server can be quickly instantiated with the saved image. By using virtual appliances, the availability of the system can be maintained without the need for expensive, redundant appliances or systems. Once the server has been repaired or replaced, the virtual machines can again be migrated off the temporary server with the minimum of fuss or down-time. Take for example the case where the branch office is in Hawaii and the head office is in San Francisco. If the server in Hawaii breaks down, the administrator in head office can relocate the virtual appliance images to another server, possibly even in another location such as the LA office. He or she can also arrange for a local supplier to provide a new server to the Hawaii office or to repair the existing server. Once the server is available again, the virtual appliance image can be migrated back to the Hawaiian office, again with no down-time and no expensive travel time.
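The pristine-image copies described under evaluation and the nightly image backups described above both depend on the stored image being unchanged when it is redeployed. The sketch below is an added example, not part of the original white paper or any vendor's tooling: it records a SHA-256 digest at backup time and refuses to restore an image that no longer matches. The directory layout, `manifest.json` and the image file name are assumptions.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash in 1 MiB chunks; real appliance images run to gigabytes."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def backup_image(image: Path, backup_dir: Path) -> Path:
    """Copy an image into backup_dir and record its SHA-256 in a manifest."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    dest = backup_dir / image.name
    shutil.copy2(image, dest)
    digest = sha256_file(dest)
    if digest != sha256_file(image):
        dest.unlink()
        raise OSError(f"copy of {image.name} does not match the source")
    manifest = backup_dir / "manifest.json"
    entries = json.loads(manifest.read_text()) if manifest.exists() else {}
    entries[image.name] = digest
    manifest.write_text(json.dumps(entries, indent=2))
    return dest


def restore_image(name: str, backup_dir: Path, target: Path) -> Path:
    """Redeploy an image only if the stored copy still matches the manifest."""
    entries = json.loads((backup_dir / "manifest.json").read_text())
    stored = backup_dir / name
    if entries.get(name) != sha256_file(stored):
        raise ValueError(f"{name}: backup failed integrity check, not restored")
    shutil.copy2(stored, target)
    return target


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        root, offsite = Path(tmp), Path(tmp) / "offsite"
        # Constructed stand-in for a pristine image; the name is hypothetical.
        pristine = root / "appliance-pristine.img"
        pristine.write_bytes(b"constructed sample image contents" * 1000)
        backup_image(pristine, offsite)
        # Each test run starts from a verified copy of the pristine image.
        clone = restore_image(pristine.name, offsite, root / "test-run.img")
        clean = sha256_file(clone) == sha256_file(pristine)
        with (offsite / pristine.name).open("ab") as f:
            f.write(b"x")  # simulate corruption or tampering of the backup
        try:
            restore_image(pristine.name, offsite, root / "bad.img")
            rejected = False
        except ValueError:
            rejected = True
        return {"clean_clone": clean, "tampered_rejected": rejected}
```

A manifest kept beside the images detects corruption in transit or at rest; to detect deliberate modification, store or sign the manifest separately from the backup location.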
Scalability and Mobility
Organizations generally grow in size. However, they can also shift laterally with personnel from one department being redeployed to another department. This kind of growth can create considerable scalability headaches for the IT department. Effectively, demand for a particular server, such as the email security appliance, can grow dramatically overnight. Other influences, such as an increase in email due to a promotional activity, or a sharp increase in spam due to certain spamming campaigns, can also increase the load on a given appliance. The ability to increase the physical characteristics of the platform or migrate an appliance from one server to another larger one provides a fast and effective mechanism for dealing with demand.
Attempting to prebuild this type of architecture using only physical appliances can create considerable space and cost difficulties as it requires that the organization plan for the largest throughput and build it out accordingly. This also leaves no possibility to handle peak demand in a more rational way, by having additional capacity which can be deployed for specific tasks. For example, it may be that a given company has a large web site promotion which is due to come to an end. In addition, the campaign has resulted in a significant increase in email messages received. As the number of “hits” on the website starts to fall off, spare capacity can be redeployed to deal with the additional volume of inbound email by reconfiguring the virtual appliances or by creating additional instances of the email security appliance and removing instances of the web site. The ability to lift an application from one virtual machine and deploy it on another provides a powerful framework for rolling out services across the organization. As the head count grows, new virtual machines can be instantiated and the number of virtual machines driving a specific application can be increased to meet the demand. Likewise, reduced demand for certain applications can be addressed by removing the image from one or more virtual machines, freeing up these resources for other applications. From a geographic perspective, new applications can be deployed at remote sites simply by copying the virtual image to the server or servers at the remote site.
When a specific server needs to be taken offline for whatever reason, the virtual images executing on that server can be migrated to a new virtual machine without issues of platform version or operating system version.
Mobility is absolutely essential for the proper operation of an application group. It can be next to impossible to move a running user base from one physical appliance to another without significant down-time. In the case of mail anti-spam appliances, user configuration must be migrated, along with live mail data and quarantine files, black lists, white lists, and other elements of the configuration. For a large group of users, these characteristics are changing in a non-deterministic way and at an alarming frequency. Small companies and large alike will often schedule appliance transitions months in advance. The new appliance will be deployed for a month or two while the administrator tries to find a window to migrate the user base. For most companies, these windows fall on weekends when demand is low. However, many organizations find it difficult to find quiet periods even on weekends. Again, mail is a good example. Users will often check their email on the road, from home, and even on vacation. The unavailability of the mail system for even two days across a weekend can be problematic. Removing the mail security appliance from the picture can result in clogged mailboxes in a matter of hours.
Mobility is a difficult problem to solve. Most often, the solution is to duplicate the data sets on the old server and the new server over a period of time. Mailboxes must be migrated in their entirety, including any hidden extras such as personal blacklists, personal whitelists, filter rules and so on. Sometimes the application will provide tools for exporting and importing the data sets, but again this can raise issues unless the new appliance has an identical release of the mail software or at least a mechanism for realigning the data sets between versions.
Being able to encapsulate the entire webfiltering appliance into a single image makes mobility and scalability a relatively trivial exercise. The image is simply “removed” from the old virtual server and redeployed on the new one. Within minutes, the user community is accessing their email on the new server using the same password and same features as always.
Appliances have, without a doubt, made an important impact on how organizations manage their application pools. They have allowed administrators to migrate from a strategy of one large server in the corner to multiple servers, one for each application. Monolithic servers have gone the same way as monolithic computers. Today, in a networked environment, interconnectivity is the essential ingredient. The systems are distributed based on load and based on geography.
Virtual servers bring this type of distributed computing to a new height. The ability to move applications between servers, either those co-located in head office or in the data centre, or those distributed throughout the branch offices, has become a key business requirement. With disaster recovery preying on the peaceful sleep of most business executives, the ability to quickly redeploy an application moments after its host server has failed solves many critical business issues.
Unquestionably, the new frontier of application deployment is that of the virtual server, where the physical hardware no longer sets the pace. Instead, the virtual machine provides a pliable, portable environment for all kinds of applications in all kinds of locations.