Os exemplos de aplicações que fazem sentido com appliances de rede ...

                        Virtual network appliances: Benefits and drawbacks

There's lots of talk about network virtualization benefits, but are virtual network appliances all they're cracked up to be? Only in some scenarios.
Network virtualization benefits can be plentiful, but only in certain scenarios. Learn where virtual network appliances can work -- and where they can't.
If virtualization enables servers to be spun up and down on demand for cost efficiency and agility, wouldn't it make sense to implement virtual network components too? After all, virtual servers need to communicate inbound and outbound and still be firewall-protected and load balanced. That would seem to be best addressed by virtual network appliances that can be spun-up on demand, right? Only in some scenarios.
Many networking vendors have already begun to minimize development cost by using Intel-based platforms and commodity hardware. Examples of this range from the Cisco ASA firewall to F5 load balancers and Vyatta routers. The obvious next step for some of these vendors has been to offer their products in virtual appliance packaging. F5 took a small step forward with the Local Traffic Manager - Virtual Edition (LTM VE), while Vyatta claims to offer a full range of virtual appliance solutions. VMware was somewhat late to the game, but it also offers virtualized firewalls (vShield Zones and vShield App) and routers/load balancers (vShield Edge).


                        Virtual network appliances: What's the catch?

The problem is that unlike servers, networking appliances commonly perform I/O-intensive tasks, moving large amounts of data between network interfaces with minimal additional processing, relying heavily on dedicated hardware. All high-speed routing and packet forwarding, as well as encryption (both IPsec and SSL) and load balancing, rely on dedicated silicon. When a networking appliance is repackaged into a virtual machine format, the dedicated hardware is gone, and all these tasks must now be performed by the general- purpose CPU, sometimes resulting in extreme reduction in performance.

Implementing routers, switches or firewalls in a virtual appliance would just burn the CPU cycles that could be better used elsewhere -- unless, of course, you’ve over-provisioned your servers and have plenty of idle CPU cycles, in which case something has gone seriously wrong with your planning.

To make matters worse, the hypervisor software used in server virtualization solutions also virtualizes the network interfaces. That means that every I/O access path to virtualized hardware from the networking appliance results in a context switch to higher privilege software (the hypervisor), which uses numerous CPU cycles to decode what needs to be done and emulate the desired action. Also, data passed between virtual machines must be copied between their address spaces, adding further latency to the process.

There is some help in that the VMware hypervisor has the DVFilter API, which allows a loadable kernel module to inspect and modify network traffic either within the hypervisor (vNetwork Data Path Agent) or in combination with a virtual machine (vNetwork Control Path Agent). The loadable kernel module significantly reduces the VM context switching overhead.


                        Where virtual network appliances can work?

There are some use cases in which virtual network appliances make perfect sense. For instance, you could virtualize an appliance that performs lots of CPU-intensive processing with no reliance on dedicated hardware. Web application firewalls (WAFs) and complex load balancers are perfect examples (no wonder they’re commonly implemented as loadable modules in Apache Web servers or as Squid reverse proxy servers).
Also, if you’re planning to roll out multi-tenant cloud, the flexibility gained by treating networking appliances as click-to-deploy Lego bricks might more than justify the subpar performance. This is especially so if you charge your users by their actual VM/CPU usage, in which case you don’t really care how much CPU they’re using.
Virtualized networking also makes sense when firewall and routing functions are implemented as part of the virtual switch in each hypervisor. This could result in optimal traffic flow between virtual machines (regardless of whether they belong to the same IP subnet or not) and solve the problem of traffic trombones. Unfortunately, it seems that Cisco is still the only vendor that extends the VMware hypervisor switch using the Virtual Ethernet Module (VEM) functionality. While numerous security solutions already deploy the VMsafe APIs, the networking appliances I’ve seen so far (including the vShield Edge from VMware) rely on virtual machines to forward traffic between virtual (or physical) LANs.
Obviously the networking vendors have a very long way to go before reaching the true potential of virtualized networking.

                          Disponível em: http://searchnetworking.techtarget.com/tip/Virtual-network-appliances-Benefits-and- drawbacks
                                                                              Search Networking - Tech Target - Texto de Ivan Pepelnjak (Março de 2011)