ESXi-on-Arm is real and VMware will use it to run networks, storage, and security on SmartNICs

Even third-party software could run there one day, managed by vSphere

VMworld VMware has, as The Register predicted, revealed plans to make the Arm-enabled cut of its ESXi hypervisor a proper product and will run it on SmartNICs in an attempt to better serve demanding applications and bring even bare-metal servers under its umbrella.

Announced today ahead of the annual VMworld conference as "Project Monterey", the hypervisor is now a "technology preview", but multiple VMware execs have told us the company is fully committed to the project and will use it to push change in data centre architectures.

VMware's plan is to use its Cloud Foundation bundle of vSphere, NSX and VSAN, and treat SmartNICs as if they were any other host. The NSX and VSAN network and storage virtualization will become workloads that run in SmartNICs, if you want to run them that way. Using SmartNICs for storage and networking means host servers' CPUs won't have to handle networking and storage chores.

Virtzilla reckons this constitutes "disaggregation of the server". Whatever you call it, VMware said it will allow further abstraction of hardware to "enable an application running on one physical server to consume hardware accelerator resources such as FPGAs from other physical servers".

"This will also enable physical resources to be dynamically accessed based on policy or via software API, tailored to the needs of the application." It may even happen automatically: an application could tell VMware's infrastructure layer what it wants to run on and Cloud Foundation will go off and assemble an appropriate virtual server.

Working with SmartNICs also gives VMware a way to extend its management tools to bare-metal servers, which won't have their resources shared or virtualized but will effectively become part of a private cloud because their SmartNICs will impose policies set in vSphere and Cloud Foundation.

And those policies could be very granular. VMware has imagined that SmartNICs could run firewalls tuned to the needs of each application on a host, resulting in "up to thousands of tiny firewalls" that can be "deployed and automatically tuned to protect the particular services that make up the application". And with VMware super-keen on containers, this could mean a SmartNIC becomes the place to run distributed firewalls.

VMware wouldn't say when any of this will go on sale, but is inviting customers to play. So clearly there's not-too-shabby code ready to be experimented with.

The Register has also learned that VMware will, in time, be happy to have third-party apps run on SmartNICs. Just as today a software firewall could run as a VM on a server, VMware foresees a time when you choose to run your preferred firewall or other app on a SmartNIC once developers come to the party.

Hardware companies are already aboard: SmartNICs from Intel, NVIDIA and Pensando will be part of Project Monterey, while Dell, HPE and Lenovo will offer "integrated systems" for the project. Note the presence of Intel on the SmartNIC list because some of Chipzilla's FPGAs use Arm cores, not its own x86 architecture.

So much security

For the last couple of years VMware has given the security industry a kicking, suggesting that it's too hard to set up a security baseline because organisations need multiple overlapping products to do the job.

As an alternative, VMware prefers to use policy so that infrastructure layers don't let unknown traffic or code anywhere near applications or data.

That plan has relied on micro-segmentation driven by NSX, whitelists and a distributed firewall. Now the company has made the vSphere client the tool with which to drive a new product – VMware Carbon Black Cloud Workload – that lets users define security policies and apply them to workloads across multiple clouds and on-premises infrastructure.


Security-centric bundles around VMware's end-user computing products have also landed. Dubbed a "Secure Access Service Edge" (SASE), this effort bundles VMware's SD-WAN, NSX Firewall and WorkspaceONE as a cloud service. The result is the ability to control where an end user's traffic flows, firewall it, and provide access control to apps and data. VMware lacks a cloud access security broker (CASB) so the new VMware Cloud Web Security service will integrate Menlo Security's secure web gateway and CASB, and also turn to the vendor for browser isolation.

There's also a new bundle of VMware's desktop virtualization (VDI) tools and Carbon Black, aimed at the many organisations that have suddenly found themselves doing rather more VDI than they imagined.

The Tanzu container-wrangling portfolio was VMware's big reveal at 2019's VMworld. This year it got its first presence in the VMware-on-AWS service. VMware has also struck a deal with GitLab to have GitLab's tools drive Tanzu for the sake of familiarity.

Analysis: More of the same, and that's no bad thing

All of the above is essentially more of the same from VMware, which aims to let any workload run anywhere you fancy it.

Even on Arm cores now – albeit not in an Arm-powered server.

This year's announcements also signal that VMware continues to evolve its core compute platform, which just a few years ago it predicted was in long-term decline. The company was proven wrong as service providers saw value in VMware-powered clouds. Now the company has a whole new platform to target.

It will be a while before we see how it works, and when it is worth using. And the licensing arrangements may be as interesting as that technology! ®
