During this week’s .NEXT event in Vienna, Nutanix announced a networking & security product line-up called Acropolis Microsegmentation Services. And you’ve guessed it, it’s a direct competitor of VMware’s NSX. I bet this is going to piss off a lot of folks at VMware, especially given NSX’s awful track record (regarding stability and number of critical bugs) lately.

I mean, look at this quote from the press release:

Microsegmentation technologies have been available for some time to address these threats, but widespread adoption has been slowed by the complicated setup and management demanded by large-scale SDN deployments, which are expensive and lack IT friendly administrator tools.

That’s just directly aimed at NSX, amirite? Or, look at this gem:

The built-in micro segmentation functionality can be deployed in just minutes, and obviate the need to invest in large and complex SDNs to protect the application environment.

And I kinda get it. As a current customer of NSX, I see the appeal of something more simple and more stable. On the other hand, given the immense breadth of features and functionality of NSX, some stuff is bound to be a bit more complex. Lack of features won’t compensate for that.

What’s included in Acropolis Microsegmentation Services?

First, let’s look at the features included in Acropolis Microsegmentation Services, or AMS for short. It’s a set of services, features and APIs on top of the AHV hypervisor, supporting both Virtual Machine and Container workloads.

Distributed firewall


First and foremost, it’s a distributed and stateful (layer 3/4) firewall running on the Acropolis hypervisor. It’s completely integrated into the Prism management UI, falling in line with their ‘One-Click’ promise, making the consumption of advanced network services much easier.

This distributed firewall allows for a popular method of applying security policies: microsegmentation. This version of the firewall is aimed at East-West traffic (i.e. between VMs running on the cluster), not North-South traffic (outside of the cluster).

Service Insertion and Chaining


Instead of building a competing set of advanced networking services, Nutanix chose to let 3rd parties integrate into the virtual networking layer using an API. I think this is smart, because this gives customers the freedom to pick best of breed solutions for specific challenges. I’ve seen restrictive support matrixes screw up networking designs all too often: $application will only work or be supported with a Load Balancer from a very specific vendor. Having the option to choose that specific Load Balancer for that specific application makes live so much easier for us enterprises.

So, how this works is that the Service Insertion and Chaining feature-set rely on Nutanix APIs completely. This allows third party vendors, like F5 or Citrix (for their NetScaler product), integrate into the virtual network flow and drop their firewalls, load balancers, application delivery controllers and monitoring appliances in the network path.

The APIs are ‘service agnostic’, which means that any vendor that certifies in using the APIs, can insert their specific networking service, be it a security, load balancing, monitoring or application delivery service. By chaining several services together, datacenter admins can create very specific network traffic flows for security, performance or availability reasons.

Nutanix is working with the obvious vendors in this space, like F5, Palo Alto, Illumio, Citrix to integrate early on. I expect Nutanix to release more specific information in the weeks following the .NEXT conference.

Network Orchestration APIs


In addition to in-bound APIs, Nutanix offers an out-bound functionality using a WebHook notification API. This allows current infrastructure to react and respond to changes to applications running on the Nutanix platform. These network functions don’t need to be virtual appliances running on the AHV cluster, either. Physical devices that run advanced network services can be notified about changes in the virtual realm.

Any 3rd party system can subscribe and listen for specific event types, network properties or metadata to dynamically adapt other parts of the infrastructure accordingly.

This partner facing network API allows 3rd party vendors to hook into the Open vSwitch layer of AHV to automate network functions external to the Nutanix platform. It’s expected that Palo Alto, vArmour, Brocade, Arista, Mellanox and Plexxi will integrate with these APIs to provision the network based on application life-cycle policies.


Acropolis Microsegmentation Services’s features will debut in Acropolis OS (AOS) version 5.0, which will release before the end of the year. This release will initially include the Networking APIs (in-bound and out-bound). The distributed firewall, service insertion and chaining are targeted for 2017 releases.

Current limitations and future of AMS

Hypervisor support

AMS runs on AHV only. Support for other hypervisors will follow in 2017. I’m guessing vSphere first, Hyper-V later, based on current customer demand.

Networking Services

AMS has a fairly limited span of control, and NSX has a far greater reach (using hardware VTEPs, Edge Services Gateways and distributed routing).
For now, AMS offers just firewalling services to VMs (and containers) running on the platform. It doesn’t support (virtual or physical) workloads outside of the cluster, and it doesn’t support any of the advanced services NSX does, like distributed routing, layer-2 bridging (using a DLR or using hardware VTEPs), or any of the advanced networking services like (L2, SSL, S2S) VPN, (dynamic) routing, NAT, Load Balancing or ADC functionality. All of these services are left to partners to enable.


A lot of noise is being made here, but in truth, not much is actually being made generally available any time soon. The distributed firewall, the service insertion and chaining; they’re not part of the upcoming ‘Asterix’ (AOS 5.0) release. This means there’s not a lot of meat included right now; just the APIs. I’d even go so far as saying that AMS doesn’t really release until somewhere in 2017, and that the 2016 releases are just laying the groundwork so partners can start integration work.

Packaging and Pricing

AMS will be a software upgrade included in a current edition of the Nutanix packaging, i.e. Starter, Pro or Ultimate. Which edition exactly remains undecided as of yet.
The APIs will be included in all Nutanix software editions, including Community Edition.


So, while all of these things today can be solved outside of Nutanix, the management and operations of such a disparate set of technologies is cumbersome. Just like how Nutanix made storage easy, they’re now attempting to make networking easy by folding all these features and 3rd party integration into their Enterprise Cloud platform. I’ve seen Nutanix do gradual roll-outs of features before, and combined with their pretty fast release train, I am confident that we’ll see a pretty solid networking and security product before the end of 2017. This is immediately the biggest issue I see with AMS: it needs a year or two to mature to a usuable state (at least from an enterprise perspective; the type of environment where one might deploy AMS or NSX).
If that’s enough to keep up in this rapidly evolving, fast-paced segment of the industry, I don’t know. I do hope this competition will result in VMware to bring out high-quality software (instead of the bug-infested releases of 2016).

For Nutanix’s success, I think a lot rides on packaging and pricing. I am relieved that Nutanix doesn’t seem to make the same mistake as with Prism Pro (where they introduced a new set of features in a new product / SKU, requiring a separate purchase): AMS will be included in existing software editions (i.e. without additional cost). Secondly, it’s smart to include the APIs in all editions, allowing developers (from 3rd party vendors or enterprise customers) to talk, tinker and develop against them without obstacles.