Level Up has been pretty active with Red Hat® OpenShift Virtualization lately, and one of the questions we’ve gotten centers around how Red Hat’s networking and related security features ultimately compare to NSX. For whatever reason, there seems to be a perception among a few folks who are currently evaluating OpenShift Virtualization that NSX has some sort of “advanced” features and capabilities that they will miss if they migrate their VMs to OpenShift. In our experience though, this is highly unlikely, and we wanted to offer this post as a one-stop summary of our point of view on the subject.
Below we compare the functionality and use cases of NSX with how OpenShift can achieve similar outcomes. OpenShift does so through its foundation on the Kubernetes project (to which Red Hat is the second largest contributor, trailing only Google), its many enhancements to Kubernetes, the Operator Hub, and Red Hat add-ons like Advanced Cluster Management (ACM) and Advanced Cluster Security (ACS). It is still offered as a single solution which you can install just about anywhere (bare metal, and private, public and multicloud scenarios), possibly within an all-in-one, predictable price point. These seven highlights are essential from Level Up’s perspective:
1) Multi-Tenancy and Network Segmentation
- NSX: Provides network segmentation and isolation that can be used in multi-tenant environments, via virtual networks.
- OpenShift: Can easily achieve network multi-tenancy and isolation through namespaces and network policies, and can be flexibly augmented by (as one example) the Operator-based Calico CNI plug-in for more advanced network segmentation and isolation. This is probably the biggest thing that many customers don’t already know about OpenShift.
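The namespace-plus-network-policy isolation described in item 1 can look like the following, shown as an added example that is not from Level Up or Red Hat material. The namespace `tenant-a`, the policy names and the `tier` labels are hypothetical; the labels are assumed to be set on each VM's template metadata so that they land on the pod that runs the VM.

```yaml
# Added example: namespace, policy names and labels are hypothetical.
# 1) Default deny: selects every pod (including VM pods) in the tenant
#    namespace and allows no ingress, so nothing is reachable by default.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: tenant-a
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# 2) Micro-segmentation rule: only workloads labelled tier=web in the
#    same namespace may reach workloads labelled tier=db, and only on
#    TCP 5432. Other tenants and other tiers stay blocked by policy 1.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-to-db
  namespace: tenant-a
spec:
  podSelector:
    matchLabels:
      tier: db
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              tier: web
      ports:
        - protocol: TCP
          port: 5432
```

These objects apply only to the cluster's default pod network, so a VM interface attached to a secondary network is not covered by them. `oc get networkpolicy -n tenant-a` lists what is in force for the namespace.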
2) Integrated Security Features (Firewalls, IDS/IPS)
- NSX: Offers stateful firewalls, IDS/IPS capabilities.
- OpenShift: Secure by design and by default, OpenShift’s security can be enhanced even further through ACS for things like compliance monitoring, vulnerability management, and network segmentation. Firewalls and integrations with various IDPS solutions can be achieved through security Operators and enhanced network policy tooling.
3) Load Balancing and Traffic Management
- NSX: Provides load balancing capabilities, including L7, SSL offloading, and advanced traffic management features.
- OpenShift: Utilizes routes for external-to-the-cluster access along with native HAProxy load balancing, and can also natively integrate with external load balancers (such as those provided by cloud providers). Beyond its native Service Mesh, advanced traffic management can be achieved using Operators such as Istio Service Mesh.
4) Disaster Recovery and High Availability
- NSX: Facilitates disaster recovery planning with consistent networking across various environments and dynamic rerouting capabilities.
- OpenShift: Natively supports DR and HA through things like replication features and persistent storage solutions, and can be further enhanced by ACM for managing cluster failovers across multiple clouds and sites.
5) Performance Optimization in Hybrid Environments
- NSX: Offers tools to improve network performance and manage bandwidth across hybrid environments.
- OpenShift: Performance can be natively optimized, and you can also leverage various cloud-native features for automatic application scaling and resource optimization.
6) Seamless Datacenter Extension
- NSX: Supports “extending” datacenters into the cloud with consistent networking and security policies.
- OpenShift: Achieves a seamless extension of OpenShift clusters through ACM, which allows for managing those clusters across on-premises and cloud environments via a single pane of glass. Operators and cloud-native integrations ensure consistent deployment patterns.
7) Centralized Policy Management
- NSX: Centralizes policy management across workloads and platforms.
- OpenShift: Beyond OpenShift’s substantial set of included features and its overall design, centralized policy and governance can be fortified by ACS and ACM, which come together to provide a unified approach within OpenShift to manage policies, governance, and compliance across all clusters.
So to sum up, YES, OpenShift satisfies basically 100% of the very same advanced networking and related security requirements handled by NSX which we have seen come up in conversations and publications recently. OpenShift delivers this through its native capabilities, its enhancements of upstream Kubernetes, and optional integrations of additional components and Operators. The alignment with Kubernetes extensibility and the wider cloud native ecosystem allows OpenShift to hurdle legacy barriers, adapt and then extend its networking capabilities in a manner very similar to NSX, but within the more innovative open source Kubernetes paradigm. About the only “requirement” which has stood up to any kind of closer inspection, and which NSX appears to handle more comprehensively than OpenShift does natively owing to the difference in architectures (in our own analysis at least), is this: NSX can still potentially be a way for customers who have been marooned on vSphere to use a central management interface for networking and security policies, if for some reason they simply have to be applied across a mix of on-premises datacenters, public clouds, and hybrid setups, all from a single console. If you ask us though, that’s potentially more of a problem to be solved for any present-day organization that is still counting on NSX to do that for them in 2024, not a product feature to highlight. The world is generally moving on, and if only NSX can solve anything for a customer in 2024, even with the sticker shock on ELAs that we keep hearing about, then respectfully, that customer has an anti-pattern on their hands. (And BTW, we’d generally respond by introducing any such customer to Red Hat Ansible Automation Platform as a fabulous 1-2 combo… but that’s a post for another day.)
Ultimately, some of the arguments we’ve heard from certain corners of the industry in favor of sticking with “business as usual” can be reduced to saying that NSX offers, quote unquote, deep integration with its legacy OEM’s environments and specific features tailored to manage its OEM-centric architectures. Basically: “The customer needs this proprietary vendor because they already use this proprietary vendor.” This kind of circular logic is highly unlikely to help anyone modernize their IT strategy, and we would humbly submit that there is a superior option available to them today, called Red Hat OpenShift. Bottom line for this post: OpenShift isn’t just what the future looks like as far as containers; it very likely already has all of the like-for-like VM-centric networking functionality that you’ve built out in your current solution, even if you’re on the more complex end of things.
Please check out Level Up’s upcoming OpenShift Virtualization webinar on May 31st, 2024! https://levelupla.io/level-up-open-demo-red-hat-openshift-virtualization-may-31st/