It's over? Pat Gelsinger's post-vSphere VMware NSX-T opportunity
Software-defined networking? Time for an open relationship
Sysadmin Blog VMware has recently announced its financial results for 2016, and for a company that's not just matured but that leads the VM market, it had a very good year.
Some of this is attributed to accepting that VMware can't beat AWS, so it might as well join them. But VMware's NSX Network Virtualization arguably led the way, doubling customers and hitting a $1bn/year run rate.
VMware CEO Pat Gelsinger reckoned NSX is now mainstream and something customers buy for one thing and then find themselves using more widely.
Looking to the future, NSX – most notably in the form of NSX-T – seems likely to reshape the virty incumbent VMware entirely.
Understanding the impact of NSX on VMware requires putting aside the green-tinted glasses for a moment. The Palo Alto cheer team needs to stand down for a discussion about some things true believers and marketing people don't want discussed, but which are nonetheless important truths.
The first uncomfortable item is that Xen and KVM are a threat to VMware. Given that VMware's ESXi is unquestionably the dominant hypervisor for on-premises deployments, this might seem counterintuitive, but it's true.
Xen-peddlers Citrix and Oracle have managed to carve out comfortable niches for their products. Citrix is always at the table for any discussion of a VDI deployment, and Oracle leverages its database lock-in to get OracleVM in the door.
KVM keeps turning up in unexpected places too. Red Hat and Canonical push KVM with some limited success amongst organizations of all sizes, and Nutanix has managed to find some wins with their Acropolis variant in the enterprise. Scale Computing is doing quite well amongst the SMB and mid-market with their variant of KVM and there are dozens of OpenStack and OpenNebula startups targeting companies of all sizes, many of which are racking up wins.
There are even companies like Yottabyte or Stratoscale, which offer their own KVM-based cloud-in-a-can that isn't based on OpenStack or OpenNebula. These companies are trying to turn entire data centres into turnkey appliances. While they don't have a huge market share today, they're offering options.
It's the existence of those options – big and small – that is the threat. (Hyper-V is an option too, but it expanded to fill the niche of those firmly dedicated to all things Microsoft and then stopped, so the threat is questionable.) They also present VMware with the opportunity to reinvent itself.
Learning from history
Once upon a time, Microsoft crushed its enemies with ruthless abandon and ruled IT with an iron fist. There was the Microsoft ecosystem and there was the Not Microsoft ecosystem. Infighting between Microsoft's rivals – carefully egged on by Microsoft – ensured that its various opponents never rose to challenge it. By hook and by crook Microsoft upended how we thought about computing and turned that into an empire.
Even VMware, when it rose to power, did so in large part because x86 virtualization offered organizations the means to more efficiently manage Microsoft environments and make up for the many and varied deficiencies in Windows' design. That we could also do server consolidation for Not Microsoft was a nice bonus, but VMware was primarily an adjunct component of Microsoft's empire.
Along came Amazon. Amazon ended Microsoft's dominance by completely changing the rules of the game. Before Microsoft had even figured out what had happened, Amazon's AWS had stolen a technological lead that it would maintain for a decade. Amazon also began a revolution in how everyone – from nerds to ordinary people – thinks about computing. They became the dominant force in our industry by upending how we do almost everything.
The technology world of 2017 is broken down into Amazon and Not Amazon. Amazon will remain dominant until either someone can engineer a technological revolution so complete that it fundamentally alters how we conceive of computing, or until Not Amazon decides to start working together to challenge Amazon.
An on-premises data centre landscape that is fractured into VMware, Microsoft, and dozens of viable, hungry and increasingly capable competitors is exactly the sort of chaotic mess that will keep Not Amazon from ever being a real threat to Amazon.
A chance to change
A year ago, VMware admitted that its flagship hypervisor product line was mature. Rapid feature iteration and sales growth were both going to slow. Such is the way of things in tech. This admission, however, opens the door for a critical change at VMware.
To date, VMware has been a company that reacts badly to aggressive competition. Recently it went so far as to force the supposedly arm's length VMUG user group into a cowardly expulsion of Nutanix. This is only the latest in a series of moves that show VMware's culture to be one that is paranoid about competitors and obsessed with lock-in.
That ESXi is no longer the driver of growth for VMware gives it the opportunity to change. New groups within the company are now the drivers of growth, and their path to success lies not in lock-in, but in rallying the on-premises vendors to one banner and continuing to present a real challenge to Amazon.
NSX can be thought of as a hypervisor for networks. It is all about segmenting off workloads (or groups of workloads) and providing layers of security for them. Today, NSX offers some limited network security, but with the right ecosystem partners the security offered can advance exponentially.
The one problem no tech titan has been able to offer a viable solution for to date is IT security. There are plenty of companies out there peddling some solution or other that might solve some piece of the puzzle, but they are ultimately all crap. They're too narrow in scope, or too hard to use. They're too expensive, or they don't interoperate with one another.
This is VMware's opportunity. NSX can become the framework upon which a radical new approach to security is built. To date, NSX has been focused solely on VMware's own ecosystem, but NSX-T is focused on bringing NSX to multiple hypervisors and even to public clouds.
The currently revealed NSX-T vision sees NSX-T being brought to VMware's vSphere, KVM, OpenStack, Kubernetes, Docker and the public clouds. It was designed to be extensible and could be brought to additional ecosystems as well.
VMware's chance for gold
This is VMware's chance. Right here, right now, VMware has the opportunity to fundamentally change how we think about computing. When it comes to IT security, there's Bad Guys and Not Bad Guys. Which group do you think is fractured, doesn't cooperate and isn't about to challenge the dominant power any time soon?
VMware has already missed the opportunity to build an Infrastructure Endgame Machine and win the title of unchallenged ruler of the on-premises data centre. There are now many players in this space and no chance it can be locked up. The on-premises data centre can no longer be captured or locked in.
NSX, however, could form the basis for a next generation desired state enforcement system, automated intrusion detection, a framework to hang automated patch testing off of and more. This is possible because NSX provides a new way of looking at security.
Traditionally, we have looked at security as simply patching operating systems and applications or trying to harden the edge of a network. This is no longer enough. Worse, it tends to require a "pets" approach to security, where each defence point is carefully maintained by a human.
The truth is, there's too much going on for humans to handle security any more. We need to take a far more automated approach. Some of this involves segmenting workloads by limiting communication between them – which NSX is already very good at – and some of this will involve building intelligence into the network to detect abnormalities, which is only possible if you are the network in a very real way.
NSX is extensible and could be grown into a product where there was a form of "security app store", with different bits of third party intelligence hanging off NSX adding to the capabilities. Some of this could be analytics running against statistics or stream captures. Some of this could be third party network functions, VMs or containers forming enhanced security at the edges of network segments.
Still more could be done wherein VMware provides a framework for application and operating system developers to accomplish automated testing. Expected traffic profiles could be shipped with applications and loaded into NSX. Real traffic can be analysed for deviations, helping to identify intrusions or even errors caused by patches. I would probably need a week just to sketch out all my ideas, and yes it represents a fundamental change in how we think about security, but the core of the technology is there, and VMware owns it.
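The traffic-profile idea above, sketched as an added example that is not from the article and uses no NSX API: observed flows are checked against a profile shipped with the application, reporting both traffic the profile does not allow and profile entries that have gone silent. The profile format, tier names, segments and flow records are all constructed assumptions.

```python
import ipaddress

# Hypothetical profile shipped with an application (format is an assumption):
# which tier may talk to which, on what protocol and port.
PROFILE = [
    ("web", "api", "tcp", 8443),
    ("api", "db", "tcp", 5432),
    ("api", "cache", "tcp", 6379),
]
# Constructed mapping of network segments to application tiers.
SEGMENTS = {"web": "10.0.1.0/24", "api": "10.0.2.0/24",
            "db": "10.0.3.0/24", "cache": "10.0.4.0/24"}
# Constructed flow records: (src_ip, dst_ip, proto, dst_port).
FLOWS = [
    ("10.0.1.10", "10.0.2.20", "tcp", 8443),
    ("10.0.2.20", "10.0.3.30", "tcp", 5432),
    ("10.0.1.10", "10.0.3.30", "tcp", 5432),    # web reaches db directly
    ("10.0.3.30", "203.0.113.7", "tcp", 443),   # db talks to an outside address
    ("10.0.2.20", "10.0.3.30", "tcp", 22),      # right tiers, wrong port
]

def tier_of(ip, segments=SEGMENTS):
    """Map an address to its tier, or 'external' if it is in no segment."""
    addr = ipaddress.ip_address(ip)
    for tier, cidr in segments.items():
        if addr in ipaddress.ip_network(cidr):
            return tier
    return "external"

def classify(flow):
    """Reduce a raw flow to the (src_tier, dst_tier, proto, port) form the profile uses."""
    src, dst, proto, port = flow
    return (tier_of(src), tier_of(dst), proto, port)

def unexpected_flows(flows, profile=PROFILE):
    """Observed traffic the profile does not allow: candidate intrusions."""
    allowed = set(profile)
    return [f for f in flows if classify(f) not in allowed]

def silent_rules(flows, profile=PROFILE):
    """Profile entries with no matching traffic: candidate breakage, e.g. after a patch."""
    seen = {classify(f) for f in flows}
    return [rule for rule in profile if rule not in seen]

if __name__ == "__main__":
    for f in unexpected_flows(FLOWS):
        print("unexpected:", f, "seen as", classify(f))
    for r in silent_rules(FLOWS):
        print("expected but absent:", r)
```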
VMware has the market share through vSphere, the bright minds, the marketing apparatus, the partnership system and the industry credibility to become the Amazon of IT security. To get there, VMware needs to overcome its own culture.
It needs to move beyond its natural paranoia of competitors, abandon lock-in and embrace standards. We'll know shortly if it's able to do so, or if it will choose to spend the next decade as merely an adjunct component of Amazon's empire. ®