Modern cloud virtualization


When we think about compute resources (virtual machines) in the public cloud, most of us have the same picture in our head: a guest operating system running on a hypervisor, which in turn runs on physical hardware.

Most public cloud providers built their first generation of infrastructure on this architecture.

In this post we will review traditional virtualization, and then explain the benefits of modern cloud virtualization.

Introduction to hypervisors and virtualization technology

To give guest operating systems (“guest machines”) controlled access to the physical CPU, memory and I/O devices, we use a component called a “hypervisor”. The hypervisor is also the component that enforces isolation between the guests sharing a host.

There are two types of hypervisors:

· Type 1 hypervisor — runs directly on the physical hardware (a “bare metal” machine) and schedules the guest machines’ access to the hardware resources.

· Type 2 hypervisor — software running inside a regular operating system (the “host operating system”) that is installed on the physical hardware. The guest machines run on top of the host operating system, and the hypervisor mediates their access to the underlying physical resources through the host.

The main drawbacks of these conventional hypervisors:

· Isolation between guest VMs on the same host is enforced only in software. All guests share the same hypervisor (and, with a type 2 hypervisor, the same host operating system), the same device emulation and virtual switch code, and the same physical NIC. A flaw in any of that shared code is therefore a cross-tenant risk.

· Every layer we add (hypervisor, host operating system, emulated devices) consumes CPU cycles on the host. As a result the guest VMs cannot take full advantage of the underlying hardware.

AWS Nitro System

The Nitro System underneath EC2 instances changed the way AWS uses hypervisors: the virtualization functions (networking, storage, security and monitoring) are offloaded from the host to dedicated hardware and firmware, the Nitro cards and the Nitro security chip, leaving only a minimal, purpose-built hypervisor on the host. Customers get near bare-metal performance together with stronger isolation of their data, because the code that touches tenant traffic and storage no longer runs on the shared host CPU.

(Figure: hypervisor stack prior to AWS Nitro)

(Figure: hypervisor stack based on AWS Nitro)

The Nitro architecture is built from the Nitro cards, the Nitro security chip and the Nitro hypervisor:

· Nitro card for VPC — handles network connectivity to the customer’s VPC, including security groups and routing, and exposes a high-speed ENA (Elastic Network Adapter) device to the instance

· Nitro card for EBS — presents Elastic Block Store volumes to the instance as NVMe devices

· Nitro card for instance storage — presents the local NVMe instance storage to the instance

· Nitro security chip — provides a hardware root of trust and protects firmware and other non-volatile storage from being modified by the host

· Nitro hypervisor — a lightweight, KVM-based hypervisor that only allocates CPU and memory to instances; the I/O work is done on the cards
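From inside a Linux guest, the offloaded Nitro components are visible as ordinary PCI devices, which gives a practitioner a quick way to confirm which platform an instance actually landed on. The script below is an added example, not code from the original post or from AWS. It reads the SMBIOS system-vendor string from sysfs (Nitro instances report “Amazon EC2”, the older Xen-based instances report “Xen”) and lists the PCI devices carrying Amazon’s vendor ID 0x1d0f; the device IDs are the ones used by the upstream Linux ena driver and the EBS NVMe controller, so verify them against `lspci -nn` on your own host. The sysfs root is a parameter so the same function runs against a constructed tree offline.

```python
"""Check from inside a Linux EC2 guest whether it runs on the Nitro System.

Added example, not from the original post or from AWS. Reads the SMBIOS
system-vendor string and the PCI vendor/device IDs exposed in sysfs. Amazon-
designed devices (the Nitro cards as the guest sees them) use PCI vendor
0x1d0f; the device IDs below come from the upstream Linux ena driver and the
EBS NVMe controller (assumption: verify with `lspci -nn` on your host).
"""
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

AMAZON_PCI_VENDOR = 0x1D0F
AMAZON_PCI_DEVICES = {
    0x0EC2: "ENA physical function",
    0x1EC2: "ENA LLQ physical function",
    0xEC20: "ENA virtual function",
    0xEC21: "ENA LLQ virtual function",
    0x8061: "NVMe EBS controller",
    0xCD01: "NVMe instance storage",
}


@dataclass
class PlatformReport:
    sys_vendor: str
    platform: str                                        # "nitro", "xen" or "unknown"
    amazon_devices: list = field(default_factory=list)   # (pci address, device name)


def _read(path: Path) -> str:
    try:
        return path.read_text().strip()
    except OSError:           # file absent: not on EC2, or sysfs not mounted
        return ""


def detect_ec2_platform(sysfs: Path = Path("/sys")) -> PlatformReport:
    """Classify the platform from sysfs and list the Amazon PCI devices seen."""
    vendor = _read(sysfs / "devices/virtual/dmi/id/sys_vendor")
    if vendor == "Amazon EC2":
        platform = "nitro"
    elif vendor.lower().startswith("xen"):
        platform = "xen"
    else:
        platform = "unknown"

    devices = []
    pci_root = sysfs / "bus/pci/devices"
    if pci_root.is_dir():
        for dev in sorted(pci_root.iterdir()):
            try:
                ven = int(_read(dev / "vendor"), 16)
                did = int(_read(dev / "device"), 16)
            except ValueError:            # malformed or missing id files
                continue
            if ven == AMAZON_PCI_VENDOR:
                name = AMAZON_PCI_DEVICES.get(did, f"unlisted Amazon device {did:#06x}")
                devices.append((dev.name, name))
    return PlatformReport(vendor, platform, devices)


def make_sample_sysfs(sys_vendor: str, pci_devices) -> Path:
    """Build a constructed sysfs tree in a temp dir for offline runs.
    pci_devices: iterable of (pci address, vendor id, device id)."""
    root = Path(tempfile.mkdtemp(prefix="fake-sysfs-"))
    dmi = root / "devices/virtual/dmi/id"
    dmi.mkdir(parents=True)
    (dmi / "sys_vendor").write_text(sys_vendor + "\n")
    for addr, ven, did in pci_devices:
        d = root / "bus/pci/devices" / addr
        d.mkdir(parents=True)
        (d / "vendor").write_text(f"{ven:#06x}\n")
        (d / "device").write_text(f"{did:#06x}\n")
    return root


if __name__ == "__main__":
    # Constructed sample: a Nitro guest with an ENA NIC, an EBS NVMe volume
    # and one non-Amazon device that must be ignored.
    sample = make_sample_sysfs("Amazon EC2", [
        ("0000:00:05.0", AMAZON_PCI_VENDOR, 0xEC20),
        ("0000:00:04.0", AMAZON_PCI_VENDOR, 0x8061),
        ("0000:00:02.0", 0x1234, 0x1111),
    ])
    print(detect_ec2_platform(sample))
    print(detect_ec2_platform())   # the live host this script runs on
```

On a Xen-based instance the same script reports platform "xen" and no Amazon PCI devices, since networking and storage there are paravirtualized through the hypervisor rather than presented by Nitro cards.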

In 2020, AWS introduced AWS Nitro Enclaves. An enclave is a separate, hardened virtual machine carved out of a parent EC2 instance’s own CPU cores and memory. It has no persistent storage, no interactive access (no SSH) and no external networking; its only I/O path is a local vsock socket to the parent instance. The Nitro hypervisor signs an attestation document that records measurements (PCRs) of the enclave image and of the parent instance, and services such as AWS KMS can require a matching attestation before releasing a key. This lets customers isolate the processing of sensitive data even from root on the parent instance and reduces the attack surface.

(Figure: EC2 instance prior to AWS Nitro Enclaves)

(Figure: EC2 instance with AWS Nitro Enclaves enabled)

(Figure: two EC2 instances on the same EC2 host, one of them with Nitro Enclaves enabled)
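The attestation document is what turns the isolation described above into something a remote party can act on. The code below is an added example, not code from the original post or from AWS. It shows the two pieces a practitioner writes around an enclave: a KMS key policy that allows `kms:Decrypt` only when the request carries an attestation whose PCR0 (the SHA-384 of the enclave image, printed by `nitro-cli build-enclave`) matches a pinned value, and the relying-party checks applied to a decoded attestation payload after its COSE_Sign1 signature and certificate chain have been verified (that cryptographic step is assumed to be done by a CBOR/COSE library and is not shown). All PCR values, ARNs and module IDs are constructed sample data.

```python
"""Gate a KMS-protected secret on a Nitro Enclave's attestation.

Added example, not code from the original post or from AWS. Signature and
certificate-chain validation of the attestation document is assumed to be
done already by a COSE/CBOR library; this is the policy applied afterwards.
All PCR values, ARNs and IDs below are constructed sample data.
"""
import hmac
from datetime import datetime, timedelta, timezone

PCR_MEANING = {          # what each Nitro Enclaves PCR measures
    0: "enclave image file",
    1: "kernel and bootstrap",
    2: "application",
    3: "IAM role of the parent instance",
    4: "instance ID of the parent instance",
    8: "enclave image signing certificate",
}


def enclave_key_policy(key_admin_arn: str, parent_role_arn: str, pcr0_hex: str) -> dict:
    """KMS key policy: administrators manage the key; the parent instance role
    may decrypt only through an enclave whose image measurement equals
    pcr0_hex. kms:RecipientAttestation:PCR0 is only satisfied by Decrypt calls
    that include an attestation document, so code on the parent instance with
    the same role but outside the enclave is refused."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "KeyAdministration", "Effect": "Allow",
             "Principal": {"AWS": key_admin_arn},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "DecryptOnlyFromAttestedEnclave", "Effect": "Allow",
             "Principal": {"AWS": parent_role_arn},
             "Action": "kms:Decrypt", "Resource": "*",
             "Condition": {"StringEqualsIgnoreCase": {
                 "kms:RecipientAttestation:PCR0": pcr0_hex}}},
        ],
    }


class AttestationError(Exception):
    pass


def check_attestation(doc: dict, expected_pcrs: dict, nonce: bytes,
                      now: datetime, max_age: timedelta = timedelta(minutes=5)) -> dict:
    """Relying-party policy over a decoded attestation payload. doc fields follow
    the Nitro attestation document: module_id, digest, timestamp (ms since
    epoch), pcrs {index: bytes}, nonce, user_data, public_key.
    Returns the fields the caller may now trust, or raises AttestationError."""
    if doc.get("digest") != "SHA384":
        raise AttestationError("unexpected digest algorithm")
    pcrs = doc.get("pcrs") or {}
    for idx, want in expected_pcrs.items():
        # Enclaves started with --debug-mode report all-zero PCR0..PCR2, so a
        # pinned zero measurement would admit any debug enclave. Refuse it.
        if not any(want):
            raise AttestationError(f"refusing to pin all-zero PCR{idx}")
        got = pcrs.get(idx)
        if got is None or not hmac.compare_digest(got, want):
            raise AttestationError(f"PCR{idx} ({PCR_MEANING.get(idx, '?')}) mismatch")
    # The nonce we sent into the enclave must come back: it proves the document
    # was produced for this exchange and is not a replay.
    if not hmac.compare_digest(doc.get("nonce") or b"", nonce):
        raise AttestationError("nonce mismatch")
    issued = datetime.fromtimestamp(doc["timestamp"] / 1000, tz=timezone.utc)
    if not (now - max_age <= issued <= now + timedelta(minutes=1)):
        raise AttestationError("attestation document outside freshness window")
    return {k: doc.get(k) for k in ("module_id", "public_key", "user_data")}


def attestation_passes(*args, **kwargs) -> bool:
    """Boolean wrapper around check_attestation for callers that only branch."""
    try:
        check_attestation(*args, **kwargs)
        return True
    except AttestationError:
        return False


# Constructed sample: the measurement we pinned and one decoded document.
SAMPLE_PCR0 = bytes.fromhex("ab" * 48)            # SHA-384 digests are 48 bytes
SAMPLE_NONCE = bytes.fromhex("11" * 32)
SAMPLE_NOW = datetime(2020, 10, 29, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_DOC = {
    "module_id": "i-0123456789abcdef0-enc0123456789abcde",   # made-up id
    "digest": "SHA384",
    "timestamp": int((SAMPLE_NOW - timedelta(seconds=30)).timestamp() * 1000),
    "pcrs": {0: SAMPLE_PCR0, 1: bytes.fromhex("cd" * 48), 2: bytes.fromhex("ef" * 48)},
    "nonce": SAMPLE_NONCE,
    "user_data": None,
    "public_key": b"sample-der-public-key",
}

if __name__ == "__main__":
    import json
    policy = enclave_key_policy("arn:aws:iam::123456789012:role/KeyAdmin",
                                "arn:aws:iam::123456789012:role/EnclaveParent",
                                SAMPLE_PCR0.hex())
    print(json.dumps(policy, indent=2))
    print(check_attestation(SAMPLE_DOC, {0: SAMPLE_PCR0}, SAMPLE_NONCE, SAMPLE_NOW))
```

Pinning PCR0 ties the key to a specific enclave build; add PCR3 or PCR4 to the expected set (or as further KMS condition keys) when the secret must also be bound to a particular parent role or instance. Rebuilding the enclave image changes PCR0, so the key policy has to be updated as part of the release process.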

Additional references:

· AWS Nitro System (product page)

https://aws.amazon.com/ec2/nitro/

· Powering next-gen Amazon EC2: Deep dive into the Nitro system

https://www.youtube.com/watch?v=rUY-00yFlE4

· Deep Dive Into AWS Nitro Enclaves

https://www.youtube.com/watch?v=K5PRNHaEdOw

· Reinventing virtualization with the AWS Nitro System

https://www.allthingsdistributed.com/2020/09/reinventing-virtualization-with-aws-nitro.html

· AWS Nitro System

https://perspectives.mvdirona.com/2019/02/aws-nitro-system/

· AWS Nitro — What Are AWS Nitro Instances, and Why Use Them?

https://www.metricly.com/aws-nitro/

· AWS Nitro Enclaves

https://aws.amazon.com/ec2/nitro/nitro-enclaves

· AWS Nitro Enclaves — Isolated EC2 Environments to Process Confidential Data

https://aws.amazon.com/blogs/aws/aws-nitro-enclaves-isolated-ec2-environments-to-process-confidential-data

· AWS Nitro Enclaves — Getting Started Video

https://www.youtube.com/watch?v=t-XmYt2z5S8

Oracle’s Generation 2 (GEN2) Cloud Infrastructure

Oracle’s Gen 2 cloud (OCI) offers what Oracle calls isolated network virtualization: network virtualization is moved off the host onto a custom-designed SmartNIC (a dedicated hardware and software card), so the host and its hypervisor no longer handle the tenant network plane. Oracle lists the following advantages:

· Reduced attack surface on the host

· Prevents lateral movement between bare-metal, container and VM hosts

· Protection against man-in-the-middle attacks between hosts and guest VMs

· Protection against denial-of-service attacks against VM instances

(Figure: first generation cloud hypervisors)

(Figure: Oracle second generation cloud hypervisor)

Oracle Cloud architecture also differs from the other public cloud providers in how CPU capacity is counted.

In OCI, 1 OCPU (Oracle Compute Unit) equals one physical core with both of its hardware threads, whereas the other providers expose Intel Hyper-Threading as separate vCPUs, so 2 vCPUs correspond to one physical core. A customer therefore gets more compute per OCPU than per vCPU, which matters when comparing prices and sizing workloads.

Another characteristic Oracle highlights is no resource oversubscription: a customer never shares the same CPU, memory or network resource with another customer. This avoids the “noisy neighbor” scenario and gives the customer consistent, guaranteed performance.

Additional references:

· Oracle Cloud Infrastructure Security Architecture (PDF)

https://www.oracle.com/a/ocom/docs/oracle-cloud-infrastructure-security-architecture.pdf

· Oracle Cloud Infrastructure — Isolated Network Virtualization

https://www.oracle.com/security/cloud-security/isolated-network-virtualization/

· What is a Gen 2 Cloud?

https://blogs.oracle.com/platformleader/what-is-a-gen-2-cloud

· Exploring Oracle’s Gen 2 Cloud Infrastructure Security Architectures: Isolated Network Virtualization

https://blogs.oracle.com/cloudsecurity/exploring-oracles-gen-2-cloud-infrastructure-security-architectures3a-isolated-network-virtualization

· Cloud Generation 2: Autonomous, Secure, and Extensible

https://youtu.be/ceH8QJ_RWTI

· Properly sizing workloads in the Oracle Government Cloud: Save costs and gain performance with OCPUs

https://blogs.oracle.com/cloud-infrastructure/properly-sizing-workloads-in-the-oracle-government-cloud-save-costs-and-gain-performance-with-ocpus

About The Author

Cloud Architect
