Analysis About a decade ago hyperscale clouds realized that they couldn’t rent all the cores in their servers because some of them were doing boring work needed to make secure multitenancy possible. So they offloaded that work into network interface controllers imbued with some modest computing capacity – devices known as SmartNICs or Data Processing Units (DPUs).
VMware noticed DPUs and figured they could be handy in mainstream datacenters. Last week VMware made it possible for many organizations to deploy DPUs with the debut of vSphere 8, which allows a cut of its hypervisor to run inside the DPU along with a distributed switch and some observability tools.
VMware claims vSphere 8 and DPUs can free up to 20 percent of a server CPU’s cores to run applications, not admin chores.
It’s also possible to run VMware’s own distributed East-West firewall on a DPU, and the company thinks that’s a useful way to improve security. The virtualization giant argues that firewalls are mostly deployed in the DMZ and do a fine job… until something gets through. At that point, VMware worries all the infrastructure within the perimeter is vulnerable.
Firewalling all VM-to-VM comms from a DPU therefore gives users the chance to inspect more traffic more often, and nip nasties in the bud, instead of waiting for traffic to reach a big firewall further from the action.
This is all made possible by the fact that the firewall runs as a VM on a DPU. VMware has coded its firewall to take advantage of the privileged position it enjoys running inside a hypervisor tuned for that DPU.
As VMware tells it, adding DPUs to servers therefore gives you both more power and better security.
The virty giant claims it has even packaged this so that any vSphere 8 user can deploy the firewall and let DPUs free some server CPU cores without having to do much more than a vanilla install. Nor do users need a large fleet of boxes to make this worthwhile. I’ve been told that the East-West firewall and other DPU fun can be enjoyed by users who employ a small hyperconverged infrastructure rig.
DPUs cost about $2,000 apiece. VMware is already arguing they’re a no-brainer in addition to a $20,000 server given the resources they’ll free.
With vSphere 6.7 soon to reach end of life, VMware and its server-making pals will surely suggest users upgrade both their software and servers, embrace DPUs, and smile all the way to the bank.
That’s a nice scenario for the 300,000-odd vSphere users out there.
But for the rest of us, the DPU currently offers… very little.
In conversations with VMware execs at the company’s Explore conference last week, I asked what DPUs mean for organizations that prefer to work with established firewall vendors.
VMware execs acknowledged that such vendors might one day want to run on DPUs managed by vSphere, but VMware has no immediate plans to help them make that happen because it believes its own firewall and its privileged integration with the hypervisor represents an engineering advantage that means it has the East-West market to itself.
So good luck if your preferred firewall is supplied by another vendor. Or if you fancy putting a DPU to work for purposes VMware has not yet enabled or envisioned. Virtzilla in its current mood doesn’t want to help.
Which is a little odd as VMware built its franchise by ensuring that complementary technologies would find a home in a VM-centric and private cloud world. The storage industry and VMware worked together to mutual advantage for years. VMware also ensured that any workload you could imagine could be virtualized – even when the likes of Oracle or Microsoft (with Exchange) weren’t keen on the idea.
But with DPUs, VMware is working only with a select group of server-makers and DPU vendors, and no third-party software houses.
Which again is odd because one of the more notable makers of DPUs is a little outfit called Cisco, which suggests you adopt DPUs for the same reasons as VMware as part of its quiet acquiescence to software-defined networking.
But Cisco also offers an SDK to allow development of workloads to run on its DPUs. Hopefully it’s useful to many.
The mere existence of that SDK shows how the DPU market is far from fully formed. VMware has made a move, but it’s deliberately isolated itself out of self-interest. And it is far from clear that the company will expand its ambitions, or that anyone other than its current partners – Intel, Nvidia, and AMD – will buy in to its vision or be allowed in to play.
Meanwhile, plenty of big software players who could benefit from DPUs are yet to offer a peep about them in public.
Recent history suggests VMware’s stance is risky: Intel tried tying its Optane storage-class memory to its own processors, the software industry mostly shrugged, and Optane became non-viable despite being a worthy innovation.
And even as DPUs emerge as an option, other innovations like computational storage and pooled memory also promise to improve data center operations. It’s far from clear how, or if, they’ll interoperate with DPUs.
For now VMware has built something clever for its customers. But once others deploy DPUs with their products, the market for the devices will be clouded, not clarified. And that benefits nobody. ®