Hello,
We are approaching 60,000 servers, and you are increasingly likely to run virtualization on servers with OVH. This is partly due to our ready-to-use distributions, IP fail-over, IP load balancing and all the additional services (vKVM, KVM, the firewall), but mainly because there is demand in this market (it's good to save money). Technically speaking, we had to adapt our technical infrastructure to offer you virtualization, but today we are no longer satisfied with what we offer. We can do better and we will do better. Because ... because it's worth it!
Examples of what we're still doing badly and how we will do it better:
- A virtual machine that runs on a server is hacked and launches an attack, spoofs the network, etc. Currently, we detect that the problem comes from the physical server and we block the entire server instead of just the virtual machine.
- The network is protected against servers that play with MAC addresses on our network. As soon as we detect it, the server port blocks itself (Cisco network, I do nothing). The network has isolated the problem by cutting off the server and therefore continues to operate without any problem. However, this is not the best outcome for the server. Also, with virtualization we can "route" packets or just play with MAC addresses. We wish to offer both.
We are therefore going to change some security rules on the network to enable these new uses while maintaining a security level in "paranoid" mode (because those who are not paranoid on the Net have a very limited life expectancy). Also, we will have to change 30% of our rack switches (more than 400 pieces ... ouch! Suddenly not so funny; anyway, we don't make sushi without rice or steak without meat or an omelette without breaking eggs!) to allow our virtualization customers to be happier at Ovh without messing up other customers (who are also happy at Ovh, but perhaps not as much as those of Virtualization will soon be).
To summarize the developments technically: communication between the server and "the rest" (the other servers, routers, the Internet) will be shielded and secured in a sort of tunnel, so that these machines can announce whatever they like in a kind of "noise" tunnel without this noise becoming a detriment to other servers, routers and the Internet.
What am I saying? Very technically speaking ... I invite you to look at the work task in which we explain what we do. Technically speaking it is a headache, and we need 4 pages to explain it.
http://travaux.ovh.com/?do=details&id=3187
Of course, nothing changes for 99.99% of our customers. What may change is for the 2-4 customers who may have done borderline stuff. That's all.
All other customers will love it because we will allow more services on our armoured network.
That's it :-)
Regards,
Octave