In a recent post I argued that enterprise IT’s distrust of service provider Infrastructure as a Service (IaaS) is often based on lack of understanding. In particular, the unfamiliar nature of the API-centric, services-based architecture of IaaS, by comparison with the concrete feeds-and-speeds of today’s physical IT world, leaves many IT Pros cold. Of late I’ve found myself using an analogy of buying pizza in an attempt to highlight the different infrastructural models available in the IaaS world. The key take-away: IaaS is not a one-size-fits-all set of services, nor should you want it to be. You have a rich menu to choose from, and you need to match your appetite to what’s on offer.
The model has four kinds of pizza, described in turn below.
The “Margherita (with add-ons)” cloud offers a set of service abstractions that are powerful due to their simplicity (and therefore easy to understand), with additional services that can be added à la carte. None of the services can be changed to meet your needs, but you can combine them at will. The key requirement is that you must start with the Margherita base pizza, so all pizzas are variations on that theme.
AWS is a good example. The Margherita pizza base is built from three key services: EC2, S3, and EBS. You can also use any of the 15 or so additional service APIs that have spawned a profusion of value-added ISV offerings, including Elastic MapReduce, SimpleDB and RDS – a managed, replicated MySQL database that offers point-in-time restore within its backup retention window. The goal here is not to describe all of the AWS coolery, but to make the point that you have to start with the Margherita pizza, and if that model is not rich enough for your workload, then the add-ons won’t help either. By way of example, getting Citrix XenApp to run in AWS required considerable head scratching and engineering. It’s also fair to say that the leading Margherita cloud vendors are continually evolving the recipe of the Margherita base as they seek to attract a more diverse application set. Until recently, for example, all instances in EC2 were ephemeral – stop the VM and lose all state. It is now possible to boot from EBS volumes, and the model keeps getting richer.
The “Margherita” clouds have limitations and significant benefits:
- While the network virtualization model is simple and consistent, it is also limited. Isolation is based on security groups – think simple IP firewall rules – and your ability to control, manipulate, inspect and direct traffic in your virtual private cloud is very limited. You get a single NIC per instance, so all VMs are by definition edge nodes. You aren’t in control of IP addressing. You cannot install your preferred IDS, IPS, switch, router, firewall or Application Delivery Controller (ADC) to guarantee security, SLAs or regulatory compliance. This is a significant limitation, but for many newer apps that are architected for the cloud, this model is also sufficiently rich: it’s fine for web-based apps, simple Linux/Windows VM deployments, most HPC workloads, and a no-brainer for most test and dev. Moreover, services such as Amazon VPC route all traffic into and out of the cloud via the enterprise network, enabling you to manage that traffic on your enterprise premises with whatever tooling you already trust, and thereby greatly extend the utility of this model.
- In the domain of storage there are substantial differences that in my view favor the Margherita cloud.
The basic building blocks are a distributed object store and a block store with snapshots. You can add rich database storage, Hadoop-style map-reduce storage, or even caching using technologies like memcached and ehcache. What about storage security? Well, you can encrypt anything you store in the cloud before it leaves your premises, using keys that you hold privately, so the provider only ever sees ciphertext – and you can be confident that hardware support for cloud storage encryption will be a priority for all vendors. You can even keep your data in your data center and run your apps in the cloud.
- The key (and significant) missing ingredients in the “Margherita” model are a rich virtual network fabric, auditability, granular role-based enterprise access controls and other management abstractions, such as regulatory compliance, and an infrastructure model that is rich enough to support a broader set of today’s legacy enterprise apps. Oh, and the trust of enterprise customers, who haven’t yet understood quite how powerful the new infrastructural abstractions are. These things will come – as with all enterprise systems, maturation is a process that takes time.
Is this service better than the enterprise private cloud? If the service abstractions suit your app, certainly. The cost benefits of massive scale, homogeneity and elasticity are compelling for those apps that can take advantage of it.
This, of course, is meant to appeal to you, the would-be owner of a shiny new enterprise private cloud. Ah yes, ego meets cloud… Every one of us wants to think our needs are unique, and so each of us wants to build a superbly hand-crafted cloud (pizza) according to a unique recipe that is carefully matched to the IT needs of our business.
“My workloads demand the best – a gourmet cloud,” the newly appointed Chief Cloud Architect reasons, “so I’ll build the best cloud possible – no expense spared”. But it doesn’t take long before the CIO realizes that even today’s virtual infrastructure is a long way from being a cloud – it lacks multi-tenancy, granular controls for chargeback and SLAs, and while it offers substantial benefits in automating IT, it is far from “self service access to lights-out IT”, which is the real promise of the cloud. Remember, the big public clouds operate with about 1 admin per 10,000 servers, whereas the hand-crafted infrastructures created for mission critical enterprise apps typically run one IT Pro for 50-100 servers.
So the enterprise has to purpose build a cloud infrastructure, which in pizza language means: build a wood-fired pizza oven, chop the wood, light the fire, prepare the dough, dice the toppings and then, on demand (at any time of day), make whatever pizza the corporation’s business groups want, in whatever quantities they want. I hope you get the idea: Owning your own cloud is going to be expensive. You’ll have to purchase all the hardware resources up front so the opportunity to pay-as-you-go evaporates, and while IT Pros love virtual infrastructure, they too are uneasy about the potential loss of control to real clouds.
The enterprise gourmet cloud is likely to be an expensive proposition. You have to buy servers, storage, and networking, heat them up, cool them down again. You probably bought an expensive virtual infrastructure platform and to upgrade it to “cloud” will set you back a lot more. You may be locked into a proprietary stack. My guess is that like many CIOs that I meet, you will find yourself wishing you could rent that shiny new cloud rather than buying it… And so we end up with the next type of Pizza, which to me seems one of the most interesting in terms of near term growth of enterprise private clouds.
The polar opposite of the “Margherita” model is the “Build your Own” public cloud. How can a public provider allow its customers to pick whatever service elements they need? Well, it turns out that the specific expertise of this category of providers is precisely that of allowing customers to build rich, isolated, private enterprise infrastructures. These clouds are the former hosters. “Former” only because now, in addition to the well-understood co-lo/hosting model, they offer elastic resources (either dedicated or shared) as a value-added service. By way of example, look at Carpathia, which counts among its demanding customers various three-letter agencies of the US Federal Government. Rackspace is an enterprise-focused cloud, SoftLayer has a narrower, mid-market focus, and Savvis is vertically focused on the financial services market. There are many others.
Building on the well-understood hosting paradigm and the trust of their enterprise customers, this category offers you a menu from which you get to pick (“Build your Own”) the core infrastructure services that are suited to your apps – for compute, storage, network and security. Your resources are entirely yours, and in addition you have the benefit of granular security controls, continual compliance testing, auditing, AAA and rich enterprise management capabilities, and your resources are housed in hardened facilities.
So what makes this model more attractive than a private cloud? Well, these providers are attached to the Internet backbone directly (they source and sink a substantial percentage of Internet backbone bandwidth), and therefore offer minimal latency for delivery of your apps to users. Their connectivity makes them a tier one provider of perimeter security – they will stop DoS and other types of attacks well before they hit your resources – and they can offer redundancy of facilities so you are not vulnerable to site or geographical failures.
Security, redundancy, replication, high availability – good enterprise attributes. Now add elasticity of compute and storage, an open selection of hypervisors, and granular control of the degree of isolation and access control, and then add a network model that enables you to instantiate, manage and control rich, enterprise-class network capabilities such as IDS, firewalling, app firewalling, load balancing and app-specific delivery optimizations such as acceleration, offload, access control and PCI compliance – courtesy of Citrix NetScaler. Billed by consumption. Anything missing? Not really.
The “Build your own” public clouds are perfectly situated to offer elastic scalability with pay-as-you-go pricing to today’s enterprise apps, and can meet more demanding requirements for security, redundancy, availability and dynamic scalability than any private cloud you could ever build. And here’s the big win: through an explicit, transparent model that clearly articulates how, when and what resources can be shared with other customers, you get the benefits of isolation, security and SLAs AND also get to reduce the cost of your infrastructure. Sure, you could also build a private cloud that could do all this, but only with an unlimited budget.
The final category represents the managed service providers who host their own complete service offerings. It’s just like buying pizza by the slice, hot and ready to eat. No work required, just bring your appetite. Examples: Managed Desktop Services in which the vendor offers their customer an ability to consume a complete hosted virtual desktop service or applications, disaster recovery as a service, or even managed email. An organization with specific competence in the service both sells and runs the infrastructure for it, combining economies of scale and automation with service-specific expertise and ops skills to deliver a lower cost service with SLAs. Increasingly, traditional integrators and managed service providers are entering the “cloud” space to offer services in this way, and if you would trust a managed service provider to run the service on your premises, there ought to be no reason (subject to regulatory requirements) why you would not let the provider offer the application from their own facilities.
If you made it this far, you’re probably thinking: “What about the Telcos?” They are not traditionally innovators, but they are trusted today by the enterprise for networking, hosting and much more. These folks, in my view, have a huge advantage because of their scale, their connectivity to the enterprise and their ability to make “cloud” just another service that they offer to their customers. Will they invent rich new flavors of pizza? Unlikely. But they will offer, at massive scale and with full enterprise attributes, the most popular kinds of pizza as managed “clouds”. They may offer a vCloud service, and probably an alternative or two. How rich the menu will be remains to be seen as the market evolves, but they have all the potential to offer “Build your Own” services should they see a good opportunity. For now, I’ll assign this category the moniker “Pepperoni” because (a) it’s not Margherita, (b) it’s the most popular flavor and (c) it’s perhaps an IaaS ready-to-eat sub-category.
I’m aware that I’ve stretched the pizza crust rather thin, but the goal of this piece has been to point out that there is a rich set of service provider offerings available today, that can deliver almost everything the enterprise needs for “cloud”. The “one-size-fits-all” approach of a single vendor proprietary stack spanning enterprise and service provider spells “Expensive Lock-In” of a relatively homogeneous, but not particularly rich set of services.
It is in the interest of every vendor from which you have ever purchased “private cloud” resources to cast aspersions on service provider cloud offerings. As long as you continue to pay up-front for products you may not really need, they win. I urge you to make a commitment to an open, lock-in free, compatible and interoperable cloud agenda, in which you can be protected at every layer of the stack through multi-vendor choice. In this way cloud will continue to drive innovation in IT: The market will do what it does best: make lots of different kinds of pizza!
I look forward to seeing many friends next week in Berlin!