Answer#1: An overlay virtual networking solution providing logical bridging (aka layer-2 forwarding or switching), logical routing (aka layer-3 switching), distributed or centralized firewalls, load balancers, NAT and VPNs.
Answer#2: A merger of Nicira NVP and VMware vCNS (a product formerly known as vShield).
Oh, and did I mention it’s actually two products, not one?
VMware NSX for multi-hypervisor environments is Nicira NVP with ESXi and VXLAN enhancements:
- The OVS-in-VM approach has been replaced with an NSX vSwitch running within the ESXi kernel;
- VMware NSX supports GRE, STT and VXLAN encapsulation, with VXLAN operating in unicast mode with either source node or service node packet replication. The unicast mode is not compatible with Nexus 1000V VXLAN unicast mode;
- NSX unicast VXLAN implementation will eventually work with third-party VTEPs (there’s usually a slight time gap between a press release and a shipping product) using ovsdb-proto as the control plane.
Apart from that, the feature list closely matches existing Nicira NVP functionality: distributed L2 forwarding, distributed or centralized L2 or L3 forwarding, reflexive VM NIC ACLs, controllers and L2/L3 gateways as physical appliances.
Use cases: OpenStack and CloudStack deployments using Xen, KVM or ESXi hypervisors.
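To make the unicast-mode VXLAN behaviour described above concrete, here is an added Python example (not code from the original post, VMware or Nicira) that builds VXLAN headers and simulates how a VTEP handles broadcast/unknown-unicast traffic without a multicast underlay: either the source node replicates the frame to every remote VTEP in the VNI, or it sends a single copy to a service node that fans it out. The VTEP addresses, the VNI 5000, the MAC addresses and the frames are constructed sample values; the membership table stands in for what a controller would push to the VTEPs.

```python
import struct

VXLAN_UDP_PORT = 4789  # IANA-assigned VXLAN port (not used on the wire here, kept for reference)


def vxlan_header(vni):
    """Build the 8-byte VXLAN header: flags with the I bit (0x08) set, 24-bit VNI, reserved byte."""
    if not 0 <= vni < 2 ** 24:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", 0x08, vni << 8)


def parse_vxlan(packet):
    """Return (vni, inner_frame) from a VXLAN packet, refusing packets without a valid VNI."""
    flags, vni_field = struct.unpack("!B3xI", packet[:8])
    if not flags & 0x08:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    return vni_field >> 8, packet[8:]


def is_bum(frame):
    """Broadcast/multicast destination: low bit of the first MAC byte is set."""
    return bool(frame[0] & 0x01)


class Vtep:
    """Minimal VTEP model: a MAC table plus per-VNI membership learned from a controller."""

    def __init__(self, ip):
        self.ip = ip
        self.vni_members = {}  # vni -> set of remote VTEP IPs (constructed, controller-supplied)
        self.mac_table = {}    # (vni, dst_mac) -> remote VTEP IP
        self.sent = []         # (dst_ip, vni, vxlan_packet) unicast packets this VTEP emitted

    def encapsulate(self, dst_ip, vni, frame):
        self.sent.append((dst_ip, vni, vxlan_header(vni) + frame))

    def forward(self, vni, frame, mode, service_node=None):
        """Forward one frame; returns the number of unicast VXLAN packets this VTEP sent."""
        dst_mac = frame[:6]
        if not is_bum(frame) and (vni, dst_mac) in self.mac_table:
            self.encapsulate(self.mac_table[(vni, dst_mac)], vni, frame)
            return 1
        # BUM or unknown unicast: no multicast underlay, so replicate over unicast tunnels.
        if mode == "source":            # source-node (head-end) replication
            targets = sorted(self.vni_members[vni])
        elif mode == "service":         # hand a single copy to the service node
            targets = [service_node]
        else:
            raise ValueError("mode must be 'source' or 'service'")
        for ip in targets:
            self.encapsulate(ip, vni, frame)
        return len(targets)


def service_node_replicate(packet, members, src_ip):
    """Service node receives one copy and replicates it to every member VTEP except the sender."""
    vni, _frame = parse_vxlan(packet)
    return [(ip, vni, packet) for ip in sorted(members[vni]) if ip != src_ip]


BROADCAST = bytes.fromhex("ffffffffffff")
SRC_MAC = bytes.fromhex("020000000001")
PEER_MAC = bytes.fromhex("020000000002")


def demo():
    """Run the three forwarding cases and report how many packets the source VTEP emitted."""
    members = {5000: {"10.0.0.2", "10.0.0.3", "10.0.0.4"}}  # constructed VNI membership
    vtep = Vtep("10.0.0.1")
    vtep.vni_members = members
    vtep.mac_table[(5000, PEER_MAC)] = "10.0.0.2"          # MAC already learned
    arp_broadcast = BROADCAST + SRC_MAC + b"\x08\x06" + b"\x00" * 28   # constructed ARP frame
    known_unicast = PEER_MAC + SRC_MAC + b"\x08\x00" + b"\x00" * 20    # constructed IP frame
    results = {
        "known_unicast": vtep.forward(5000, known_unicast, "source"),
        "bum_source_replication": vtep.forward(5000, arp_broadcast, "source"),
        "bum_service_node_local": vtep.forward(5000, arp_broadcast, "service",
                                               service_node="10.0.0.100"),
    }
    # The service node then fans out the single copy it just received.
    _dst, _vni, last_packet = vtep.sent[-1]
    results["bum_service_node_fanout"] = len(service_node_replicate(last_packet, members, vtep.ip))
    return results


if __name__ == "__main__":
    print(demo())
```

The numbers show the trade-off the two unicast modes make: source-node replication costs the sending hypervisor one copy per remote VTEP in the segment, while service-node replication costs it one copy and moves the fan-out to a dedicated node.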
VMware NSX optimized for vSphere is a totally different beast:
- While the overall architecture looks similar to Nicira NVP, it seems there’s no OVS or OpenFlow under the hood.
- Hypervisor virtual switches are based on vDS switches; VXLAN encapsulation, distributed firewalls and distributed layer-3 forwarding are implemented as loadable ESXi kernel modules;
- NVP controllers run in virtual machines and are tightly integrated with vCenter through NSX manager (which replaces vShield Manager);
- Distributed layer-3 forwarding uses a central control plane implemented in NSX Edge Distributed Router, which can run BGP, OSPF or IS-IS with the outside (physical) world;
- Another variant of NSX Edge (Services Router) provides centralized L3 forwarding, N/S firewall, load balancing, NAT, and VPN termination;
- Most components support IPv6 (hooray, finally!).
The Nicira NVP roots of NSX are evident. It’s also pretty easy to see how individual NSX components map onto vCNS/vShield: NSX Edge Services Router definitely looks like vShield Edge on steroids, and the distributed firewall is probably based on vShield App.
Unfortunately, it seems that the goodies from vSphere version of NSX (routing protocols, in-kernel firewall) won’t make it to vCNS 5.5 (but let’s wait and see how the packaging/licensing looks when the products launch).
Does it all make sense?
Sure it does. VMware NSX seems to be a successful blend of two pretty mature products with loads of improvements (some of them badly needed).
Of course we have to wait to see the actual GA product (Nicira NVP, aka NSX for multiple hypervisors, is shipping; NSX for vSphere is promised for late 2013), but it seems that once all the wrinkles have been ironed out, VMware NSX for vSphere will be the most comprehensive virtual networking product you can get (unfortunately you can’t get your own copy of Amazon VPC).
The only problem I see is the breadth of the offering. VMware has three semi-competing, partially overlapping products implementing overlay virtual networks:
- NSX for multi-hypervisor environments using NVP controllers, NVP gateways and OVS (for Linux and ESXi environments);
- NSX for vSphere using NVP controllers, vSphere kernel modules and NSX edge gateways;
- vCNS with vShield App firewall and vShield Edge firewall/load balancer/router.
It will be fun to see how the three products evolve in the future and how the diverging code base will impact feature parity.