All blog posts
Article

What is a microVM?

7 min

A microVM is a lightweight virtual machine. Any function or container workload can run inside of one. It is ideal for running multiple high-performance and secure workloads concurrently on a single machine because it combines the security and isolation of traditional VMs with the resource efficiency of containers.

In this blog post, we dive into the world of microVMs, specifically Firecracker microVMs. By exploring the origin of this microVM and its purpose-built design, as well as how it works and its benefits, we see how this mighty virtualization technology is revolutionizing serverless possibilities.

Firecracker microVMs were purpose-built for serverless workloads

Before microVMs, developers had to choose between the resource efficiency and speed provided by container technology and the isolation and security provided traditional VMs. AWS was not exempt from this trade-off.

At the beginning of its serverless Lambda and Fargate offerings, AWS provisioned EC2 instances for each customer to provide a secure experience. As demand for its serverless offerings grew, AWS also faced requests from users for "faster scaling, lower latency, and advanced features like provisioned concurrency". AWS needed a more flexible virtualization technology that did not compromise security.

To optimize its serverless offerings, AWS created a new virtual machine monitor (VMM) called Firecracker. It is written in Rust, a compiled language that is secure, flexible, memory-efficient, and fast. Firecracker is based on crosvm, and like crosvm, Firecracker uses the Linux Kernel-based Virtual Machine (KVM) to create microVMs. If you want to learn more about KVM and different approaches to server virtualization, check out our blog post on virtualization.

One year after they began writing Firecracker, AWS open sourced Firecracker under Apache 2.0 in 2018. Today, it's used throughout the container ecosystem and enables a field of new serverless possibilities.

While this article focuses on Firecracker microVMs, there are new microVM technologies emerging like QEMU microVM.

Distinguishing features: Minimalist design, reduced memory overhead, and fast startup times

MicroVMs were developed with built-in security, lightweight virtualization, a minimalist design, and compute oversubscription as guiding tenets

  • Isolation: Firecracker's KVM virtualization provides microVMs strong isolation for workloads. Additionally, they have an extra layer of isolation thanks to common Linux user-space security barriers provided by a companion program called “jailer”.
  • A minimalist design: Firecracker excludes unnecessary devices and guest functionality, so microVMs can maintain a small memory footprint. The reduced memory overhead (< 5 MiB) improves performance and the reduced attack surface improves security.
  • Fast startup time: The minimal device model also plays a contributing role in the fast startup time. Firecracker creates up to 150 microVMs per second per host and initiates application code in 125 ms.
  • Compute oversubscription - All compute resources can be oversubscribed. This increases the flexibility when provisioning workloads with low sustained CPU usage and enables more efficient use of resources.

MicroVMs vs containers vs VMs

Virtualization revolutionized server consolidation and infrastructure management while containers brought lightweight and portable application packaging, scalability, and rapid deployment capabilities.

DesignIsolationPerformanceUse cases
MicroVMLightweight isolated virtual machines. Provide a complete virtualized environment with its own kernel, guest operating system, and virtualized hardware.They offer stronger isolation compared to containers. Each microVM runs in its own virtual machine instance, providing a higher level of security and separation from the host system and other microVMs.Small overhead compared to traditional virtual machines but are generally more efficient than full-scale virtualization. Quick startup times.Strong isolation and security. Running untrusted and multi-tenant workloads.
ContainerLightweight, isolated runtime environments. Share a host operating system kernel.Application-level isolation. Share underlying host operating system and kernel.Offer efficient resource utilization and rapid startup times. They leverage the host operating system and resources directly.Deploying and managing applications in a consistent manner across different environments. Great for scalability and agility.
VMVirtual machines are full-fledged virtualized instances of physical hardware.They provide complete isolation between the host system and the guest operating system.Higher resource overhead compared to containers. Slightly longer startup times compared to containers.Complete isolation required.

How do Firecracker microVMs work?

We discussed this in Firecracker MicroVMs: Lightweight Virtualization for Containers and Serverless Workloads.

Firecracker diagram

Photo courtesy of Firecracker under the CC BY 4.0 license.

In short, Firecracker operates in user space and uses the Linux KVM to create microVMs. Through Firecracker's RESTful API, you can control any Firecracker process, such as creating microVMs with any combination of vCPU and memory. Additionally, Firecracker provides a metadata service that enables the secure exchange of configuration information between the host and guest operating systems.

Firecracker has a built-in rate limiter that allows you to manage and optimize the network and storage resources used by all the microVMs running on the same machine. The rate limits are customizable to support bursts or specific bandwidth or operations limitations.

MicroVMs can run on any bare metal server. Firecracker followed in EC2’s footsteps by beginning with support for Intel processors before supporting ARM and AMD processors. Today, support is generally available and Firecracker is built to be processor agnostic and can be used with 64-bit Intel, AMD and Arm processors.

MicroVM benefits: Purposeful-built for security, speed, and scalability

Thanks to microVM's design and execution, they are renowned for their security, speed, and scalability:

Security: MicroVMs are secure thanks to their small attack surface. All Firecracker processes are jailed using cgroups and seccomp BPF, and the list of system calls Firecracker has access to is very limited.

Speed: Benchmarks boast <125ms to launch 150 microVMs per second.

Scale and efficiency: Since a microVM's memory footprint is smaller than 5MiB, a lot of them can be packed onto a single server. Plus, Firecracker's built-in rate limiter enables flexible distribution of resources across microVMs running on a single host.

Deploy your workload in a microVM

Any function or container can run within a microVM. If you want to enjoy the security and performance offered by a Firecracker microVM, sign up and start deploying on our platform today.

When you deploy your workload on Koyeb, we automatically spin up a microVM and run your workload in it and on top of our bare metal servers located worldwide. If you want to read about how we are using Firecracker internally, take a look at our blog post about our serverless engine.

Conclusion

High performance and security are crucial for serverless providers like us. Don't be fooled by the name, microVMs pack a big punch. They combine the density and speed of containers with the security and isolation of traditional VMs. This lightweight virtualization is powering the serverless space by letting cloud providers managing bare metal servers run more workloads with less overhead.

Further reading

Latest posts

Koyeb

Welcome to Koyeb

Koyeb is a developer-friendly serverless platform to deploy any apps globally.

  • Start for free, pay as you grow
  • Deploy your first app in no time
Start for free
The fastest way to deploy applications globally.