Feeds

Leave nothing behind when migrating virtual machines

Ensuring a smooth move

Combat fraud and increase customer satisfaction

We migrate virtual machines (VMs) for all sorts of reasons: to load balance our physical hosts, say, or to offload a server so it can be taken offline for maintenance, or because the original host has failed. But in every case we want no interruption to the VM's operation, or at least as little interruption as possible.

That means its network resources need to move with it so that when it lands on a target physical server it can immediately start processing data and moving it across the network.

Much of that is taken care of by the hypervisor and the migration tools, according to Jon Cairns, director of systems engineering for northern Europe at VMware.

“You do need the ESX hosts to be on the same subnet to ensure connections are maintained,” he says.

Double vision

He adds that to move a VM, you also need networked storage that both hosts can see, as it is only the image in memory, not the data, that moves. And it needs a fast interconnect – ideally a second network.

“VMotion starts with a pre-copy in the background. The VM is still accessible as normal but the software is doing a dynamic page copy. Then eventually it suspends the VM for a split-second, does a final copy and restarts it on the new host,” he says.

“VMotion manages the virtual MAC address, and when the memory copy is complete and the VM comes up, it pings the router to ensure the new host is recognised. Everything configured within the VM should go with it.”

Paul Martin, systems engineering manager EMEA for VM replication specialist Quest Software, says the same-subnet requirement can be a problem.

Play your cards

For example, if the reason for moving a VM is fail-over, it may not be an option to run both hosts on the same site or subnet. In this case one option is dual virtual network interface cards (NICs) within the VM, either using Powershell to automate NIC failover, or editing the VM by hand.

“Other customers use NAT [network address translation] to get round the problem of different subnets,” he says.

However, there are also network layer factors that are external to the VM. For example, the source and target hosts may also need to be on the same virtual LAN (VLAN), which can limit the reach of your migration capabilities.

A solution for some is bridged VLANs, says Martin. But he adds: “That doesn't work for everyone, as not every environment can cope with it.”

And as Ken Duda, vice-president of software engineering at switch developer Arista Networks, notes: “You don't want to carry every VLAN everywhere. So the 802.1Q trunk needs to be able to dynamically modify a VLAN in response to say a VM migration. But how do you do that?”

By hook or by crook

Arista's solution was provide the hooks in its Eos operating system so its software partners can use their management tools to tie VLANs to key places.

“The VMware tracer talks to the network management and automatically provides the VLAN connection rack to rack,” Duda says.

Other vendors use port profiles to achieve something similar. Port profiles allow you to configure an interface to a particular role on the network, for example by applying access control lists, attaching VLANs, setting up broadcast limits, and so on.

They can be used to push out the same configuration to multiple interfaces, and because they can be applied to physical or virtual interfaces they are also a useful way to set up ports on softswitches for VMs.

The challenge with VMs is that, since they are no longer tied to a physical interface, they are also not tied to a switch port. But when you move a VM, the softswitch in the new server must have the same policies, VLANs and security settings as the old one, otherwise the migration will fail. Port profiles let you edit the new switch to match the old one.

“You throw it into the cloud which then manages where it runs”

Yet however you manage your switch reconfiguration, it adds complexity and administration time and requires the server and network admins to co-ordinate their work. Network vendors and software developers are looking for ways to move port profiles automatically, so that they follow the VMs that need them.

Johan Ragmo, data business development manager for northern Europe at Alcatel-Lucent Enterprise, says this is one of the many jobs for the management layer within a data centre or private cloud that take care of VM migration, load balancing and so on.

“You need to build a virtual network profile, taking account of quality of service and so on, that's managed in software with the virtualisation manager,” he says.

Follow the leader

Cairns agrees. “The long-term concept is that each VM will carry with it a set of policies, such as security level, availability and so on, and you throw it into the cloud which then manages where it runs. Underneath that, a foundation layer ensures adherence,” he says.

Brocade's Simon Pamplin says this is why Brocade developed automatic migration of port profiles (AMPP). It is part of Brocade's Virtual Cluster Switching technology, which enables a migrating VM’s network profile to follow it automatically.

“If you want to move a virtual image, setting up its port profile is a headache,” Pamplin says. “AMPP presets the destination port with the correct settings.”

The message is that, for the moment at least, a VM migration should be seamless – within certain boundaries. The area within those boundaries is constantly growing, but as a server admin it is always wise to know where the VM boundaries currently lie. ®

3 Big data security analytics techniques

More from The Register

next story
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Kingston DataTraveler MicroDuo: Turn your phone into a 72GB beast
USB-usiness in the front, micro-USB party in the back
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
BOFH: Oh DO tell us what you think. *CLICK*
$%%&amp Oh dear, we've been cut *CLICK* Well hello *CLICK* You're breaking up...
AMD's 'Seattle' 64-bit ARM server chips now sampling, set to launch in late 2014
But they won't appear in SeaMicro Fabric Compute Systems anytime soon
Amazon reveals its Google-killing 'R3' server instances
A mega-memory instance that never forgets
Cisco reps flog Whiptail's Invicta arrays against EMC and Pure
Storage reseller report reveals who's selling what
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.