A microVM is a lightweight virtual machine. Any function or container workload can run inside of one. It is ideal for running multiple high-performance and secure workloads concurrently on a single machine because it combines the security and isolation of traditional VMs with the resource efficiency of containers.
In this blog post, we dive into the world of microVMs, specifically Firecracker microVMs. By exploring the origin of this microVM and its purpose-built design, as well as how it works and its benefits, we see how this mighty virtualization technology is revolutionizing serverless possibilities.
Before microVMs, developers had to choose between the resource efficiency and speed provided by container technology and the isolation and security provided traditional VMs. AWS was not exempt from this trade-off.
At the beginning of its serverless Lambda and Fargate offerings, AWS provisioned EC2 instances for each customer to provide a secure experience. As demand for its serverless offerings grew, AWS also faced requests from users for "faster scaling, lower latency, and advanced features like provisioned concurrency". AWS needed a more flexible virtualization technology that did not compromise security.
To optimize its serverless offerings, AWS created a new virtual machine monitor (VMM) called Firecracker. It is written in Rust, a compiled language that is secure, flexible, memory-efficient, and fast. Firecracker is based on crosvm, and like crosvm, Firecracker uses the Linux Kernel-based Virtual Machine (KVM) to create microVMs. If you want to learn more about KVM and different approaches to server virtualization, check out our blog post on virtualization.
One year after they began writing Firecracker, AWS open sourced Firecracker under Apache 2.0 in 2018. Today, it's used throughout the container ecosystem and enables a field of new serverless possibilities.
While this article focuses on Firecracker microVMs, there are new microVM technologies emerging like QEMU microVM.
MicroVMs were developed with built-in security, lightweight virtualization, a minimalist design, and compute oversubscription as guiding tenets
Virtualization revolutionized server consolidation and infrastructure management while containers brought lightweight and portable application packaging, scalability, and rapid deployment capabilities.
|MicroVM||Lightweight isolated virtual machines. Provide a complete virtualized environment with its own kernel, guest operating system, and virtualized hardware.||They offer stronger isolation compared to containers. Each microVM runs in its own virtual machine instance, providing a higher level of security and separation from the host system and other microVMs.||Small overhead compared to traditional virtual machines but are generally more efficient than full-scale virtualization. Quick startup times.||Strong isolation and security. Running untrusted and multi-tenant workloads.|
|Container||Lightweight, isolated runtime environments. Share a host operating system kernel.||Application-level isolation. Share underlying host operating system and kernel.||Offer efficient resource utilization and rapid startup times. They leverage the host operating system and resources directly.||Deploying and managing applications in a consistent manner across different environments. Great for scalability and agility.|
|VM||Virtual machines are full-fledged virtualized instances of physical hardware.||They provide complete isolation between the host system and the guest operating system.||Higher resource overhead compared to containers. Slightly longer startup times compared to containers.||Complete isolation required.|
We discussed this in Firecracker MicroVMs: Lightweight Virtualization for Containers and Serverless Workloads.
Photo courtesy of Firecracker under the CC BY 4.0 license.
In short, Firecracker operates in user space and uses the Linux KVM to create microVMs. Through Firecracker's RESTful API, you can control any Firecracker process, such as creating microVMs with any combination of vCPU and memory. Additionally, Firecracker provides a metadata service that enables the secure exchange of configuration information between the host and guest operating systems.
Firecracker has a built-in rate limiter that allows you to manage and optimize the network and storage resources used by all the microVMs running on the same machine. The rate limits are customizable to support bursts or specific bandwidth or operations limitations.
MicroVMs can run on any bare metal server. Firecracker followed in EC2’s footsteps by beginning with support for Intel processors before supporting ARM and AMD processors. Today, support is generally available and Firecracker is built to be processor agnostic and can be used with 64-bit Intel, AMD and Arm processors.
Thanks to microVM's design and execution, they are renowned for their security, speed, and scalability:
Security: MicroVMs are secure thanks to their small attack surface. All Firecracker processes are jailed using cgroups and seccomp BPF, and the list of system calls Firecracker has access to is very limited.
Speed: Benchmarks boast <125ms to launch 150 microVMs per second.
Scale and efficiency: Since a microVM's memory footprint is smaller than 5MiB, a lot of them can be packed onto a single server. Plus, Firecracker's built-in rate limiter enables flexible distribution of resources across microVMs running on a single host.
Any function or container can run within a microVM. If you want to enjoy the security and performance offered by a Firecracker microVM, sign up and start deploying on our platform today.
When you deploy your workload on Koyeb, we automatically spin up a microVM and run your workload in it and on top of our bare metal servers located worldwide. If you want to read about how we are using Firecracker internally, take a look at our blog post about our serverless engine.
High performance and security are crucial for serverless providers like us. Don't be fooled by the name, microVMs pack a big punch. They combine the density and speed of containers with the security and isolation of traditional VMs. This lightweight virtualization is powering the serverless space by letting cloud providers managing bare metal servers run more workloads with less overhead.
Koyeb is a developer-friendly serverless platform to deploy any apps globally.Start for free
Deploy 2 services for free and enjoy our predictable pricing as you grow
Get up and running in 5 minutes