Network Functions Platforms ‘Under the Hood’
The Old And New Worlds
We’ve posted previously about how our AVX Series Network Functions Platforms are part of the next big step in networking, similar to the changes brought about by the advent of the smartphone in our personal and business lives. Like smartphones, the Network Functions Platforms bring three important changes – consolidation, convenience, and workflow enhancement – to networking and security. The old days of dedicated, single-function networking or security appliances dominating the data center are fading away, much as the flip phone has.
Just as smartphones support multiple apps like GPS, weather, camera and more, the Network Functions Platforms can consolidate multiple dedicated appliances (like ADCs, FW/NGFWs, WAFs and others) into just a 1U or 2U platform. This capability consolidates the infrastructure and increases efficiency and return on investment.
The platforms replace the large footprint of traditional networking appliances with a smaller number of agile platforms that take up far less space, draw less power, need less cooling and reduce cabling costs. Network Functions Platforms allow IT teams to flexibly support the diverse needs of multiple departments, partners, customers and other communities of interest.
Even more importantly, the Network Functions Platforms enable future proofing, because almost any desired networking or security functionality can be added in the future, much like downloading new apps onto a smartphone.
Under The Hood
To go a bit further under the hood, Array’s multitenant platform supports network functions from Array, like virtual application delivery controllers and SSL VPNs, but third-party and open-source virtual appliances are also supported if they can run on KVM, Ubuntu or CentOS. And the AVX Series provides guaranteed performance in a shared environment, a capability that is lacking in traditional virtual environments.
The platform is architected to extend Array’s virtualization technology all the way down to the hardware level. It reserves dedicated resources for each virtual network function, and includes the unique ability to partition resources including CPU, hardware SSL resources, network interfaces and memory. With this type of resource allocation and reservation, you can achieve performance with virtual appliances that equals or is sometimes even greater than that of standalone, dedicated hardware appliances.
For ease of use, the AVX platform offers four standard instance sizes: large, medium, small and entry-level. This is similar to selecting an instance size on AWS or Azure, for example. Each instance size provides a set amount of system resources. So if you want to run a virtual ADC instance and specify a large instance size, the corresponding CPU resources, hardware SSL resources, network interfaces and memory are allocated automatically.
This automatic allocation means that you’re able to deploy in minutes, not weeks or months.
Hardware and Software Resource Layers
Further under the hood, in the diagram below there are multiple layers:
As shown in the diagram, the NIC layer sits at the bottom and offers 1GE, 10GE, or 40GE connectivity to the external world.
RAM and hard disks comprise the memory and storage layer.
The latest-generation, high-density multi-core crypto processors provide the SSL layer. This layer enables high-capacity SSL encryption, decryption, offload and inspection capabilities.
The CPU layer consists of the latest Intel Xeon processors, and provides compute capacity.
The top layer is the Array operating system, which does much of the heavy lifting. The multi-threaded ArrayOS includes the KVM virtualization layer, upon which virtual appliances run. The ArrayOS has several critical innovations such as no-lock scheduling, SR-IOV, DPDK, NUMA boundary, CPU pinning, and zero-copy optimizations. ArrayOS also includes an automation component that relieves IT staff of the tedious and error-prone tasks related to the virtual appliance lifecycle.
When a specific instance size is selected, for example a medium instance (Virtual Appliance 1 as shown at left), the ArrayOS automatically assigns CPU, memory, SSL and I/O resources. It also automates the SR-IOV provisioning, CPU pinning and NUMA boundary settings, as well as the physical-to-virtual port mapping.
If a different size instance is selected, the ArrayOS automatically assigns resources and performs the underlying setup (SR-IOV, CPU pinning, NUMA boundaries, etc.) as specified for that particular instance size.
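The placement rules described above (pinned CPUs, memory and SR-IOV VFs kept inside one NUMA boundary, with nothing shared between virtual appliances) can be audited on any KVM host. The following is an added example, not ArrayOS code: it assumes libvirt-style domain XML, and the host topology, PCI addresses and domain names `va1`/`va2` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed host topology (assumption): NUMA node -> pCPUs, VF PCI address -> NUMA node.
HOST_NUMA_CPUS = {0: set(range(0, 8)), 1: set(range(8, 16))}
VF_NUMA_NODE = {"0000:3b:02.0": 0, "0000:af:02.0": 1}

def domain_xml(pins, nodeset, bus):
    """Build a constructed, minimal libvirt-style domain definition."""
    pin = "".join("<vcpupin vcpu='%d' cpuset='%s'/>" % p for p in enumerate(pins))
    return ("<domain><cputune>%s</cputune><numatune><memory mode='strict' nodeset='%s'/>"
            "</numatune><devices><hostdev mode='subsystem' type='pci'><source>"
            "<address domain='0x0000' bus='%s' slot='0x02' function='0x0'/>"
            "</source></hostdev></devices></domain>" % (pin, nodeset, bus))

DOMAINS = {"va1": domain_xml(["2", "3"], "0", "0x3b"),   # clean placement
           "va2": domain_xml(["3", "8"], "1", "0xaf")}   # overlaps va1, spans nodes

def parse_set(text):
    """Parse 'a,b-c' lists (the '^n' exclusion syntax is not handled here)."""
    out = set()
    for part in text.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def audit(domains):
    """Return (domain, finding) pairs for placements that break dedicated-resource isolation."""
    findings, cpu_owner, vf_owner = [], {}, {}
    for name in sorted(domains):
        root = ET.fromstring(domains[name])
        cpus = set().union(*(parse_set(p.get("cpuset")) for p in root.iter("vcpupin")))
        nodes = sorted(n for n, c in HOST_NUMA_CPUS.items() if c & cpus)
        mem = sorted(parse_set(root.find("./numatune/memory").get("nodeset")))
        if len(nodes) != 1:
            findings.append((name, "vCPUs span NUMA nodes %s" % nodes))
        if mem != nodes:
            findings.append((name, "memory nodes %s != CPU nodes %s" % (mem, nodes)))
        for a in root.findall("./devices/hostdev/source/address"):
            vf = "%04x:%02x:%02x.%x" % tuple(
                int(a.get(k), 16) for k in ("domain", "bus", "slot", "function"))
            if VF_NUMA_NODE.get(vf) not in nodes:
                findings.append((name, "VF %s is not local to CPU nodes %s" % (vf, nodes)))
            if vf_owner.setdefault(vf, name) != name:
                findings.append((name, "VF %s already assigned to %s" % (vf, vf_owner[vf])))
        for cpu in sorted(cpus):
            if cpu_owner.setdefault(cpu, name) != name:
                findings.append((name, "pCPU %d also pinned by %s" % (cpu, cpu_owner[cpu])))
    return findings
```

Calling `audit(DOMAINS)` reports nothing for `va1` and three findings for `va2`; on a real host the topology tables would be filled from the host's own NUMA and PCI inventory.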
How is This Architecture Unique?
The unique architecture of Array’s AVX Series network functions platform provides significant advantages compared to a commercial off-the-shelf (COTS) server.
A COTS server employs a shared PCIe bus architecture that causes significant resource contention for networking and security workloads. In addition, constant kernel interrupts slow down packet processing, thereby reducing overall system performance and scalability. This is similar to a road that gets severely congested when a large number of vehicles try to go in different directions at the same time.
By contrast, the dedicated resource architecture of Array’s AVX Series ensures that every virtual appliance has dedicated I/O resources using SR-IOV. The architecture enforces strict Physical Function (PF) to Virtual Function (VF) boundaries, and minimizes kernel interrupts, resulting in improved performance and scale. This is similar to drag racing tracks where cars run at very high speed in their respective lanes, without affecting others.
Take Steps To Evolve Your Networking And Security
Just as smartphones brought about enormous changes in the way we communicate, work, play, and navigate the world, network functions platforms are changing the way IT deploys, manages and uses networking and security virtual functions. By enabling data center consolidation, by speeding time to deployment, and by enhancing workflows, network functions platforms are bringing revolutionary change to networking.
Get ready for the change with Array Networks!