Large and complex enterprises using Anka have many different demands, and we continue to develop technology to meet them. Enterprise infrastructure hardware is often on the cutting edge, and these teams need advanced network security capabilities for macOS VM-based CI environments. To meet these demands, Anka lets you enable VM-to-VM and VM-to-Host isolation, and it performs ARP spoofing prevention by default, all on top of our custom `virtio-net` stack. This is currently supported on both x86/Intel and Apple Silicon/ARM.
Starting in Anka version 3.3.9, we are introducing the beta availability of a new network mode named `nat`, unlocking superior macOS VM network performance. The `nat` network mode provides a minimum of 2x the network performance of `shared`, as well as VM-to-VM isolation by default. The downside is that it does not support the advanced network security features of `shared`: VM-to-Host isolation and ARP spoofing prevention (or any other VM IP filtering). The `nat` mode is built on top of the macOS network capabilities exposed in virtualization.framework.
Let’s show you how to enable this network mode and what to expect!
Enabling NAT Network Mode
The `nat` mode can be set explicitly on a per-VM/Template/Tag basis using `anka modify`:
anka modify {vmName} set network -t nat
Or the `nat` mode can be enforced for every VM that uses `shared` mode using `anka config`:
[sudo] anka config shared_nat 1
Setup + What to expect
We’ll be using an AWS EC2 M2 Mac in this example. You can read more about using AWS EC2 Macs for Anka here.
- We did not set `shared_nat` or NAT for the network mode initially. It was only after testing on `shared` that we enabled `shared_nat`.
- Let’s first mount the internal SSD of the EC2 instance so we don’t have to deal with EBS performance limitations and variance:
diskutil mountDisk /dev/disk0
- Next, we’ll modify the config to use that location for Anka storage:
anka config img_lib_dir /Volumes/InternalDisk/anka && anka config state_lib_dir /Volumes/InternalDisk/anka && anka config vm_lib_dir /Volumes/InternalDisk/anka
- Next we’ll create a VM with:
anka create vm1 latest
- Once created, we install azcopy, create a large temporary file, then upload it to Azure (the SAS URL is single-quoted for the inner shell so that `?` and `&` in the token are not interpreted):
anka run vm1 bash -c "curl --output azcopy.zip https://azcopyvnext.azureedge.net/releases/release-10.22.0-20231205/azcopy_darwin_arm64_10.22.0.zip && unzip azcopy.zip && chmod +x ./azcopy_darwin_arm64_10.22.0/azcopy && ls -al azcopy_darwin_arm64_10.22.0"
anka run vm1 bash -c "mkfile -n 10g temp_10GB_file"
anka run vm1 bash -c "AZCOPY_CONCURRENCY_VALUE=100 AZCOPY_BUFFER_GB=1 ./azcopy_darwin_arm64_10.22.0/azcopy cp temp_10GB_file 'https://XXXX.blob.core.windows.net/test?XXXXX'"
Keep in mind that the VM’s resources can also limit the transfer speeds. On VMs with 4 CPU/4 GB of RAM, we saw half the speeds we did with a 6 CPU/10 GB VM.
After running azcopy with a VM in `shared` mode, we see `Elapsed Time (Minutes): 1.7338`, with throughput anywhere from 200 to 1300 Mb/s, often hovering around 1000 Mb/s.
For `nat`, we see `Elapsed Time (Minutes): 0.8337`, with throughput of ~2000 Mb/s and more. If we use `AZCOPY_CONCURRENCY_VALUE=200 AZCOPY_BUFFER_GB=2`, we see `Elapsed Time (Minutes): 0.7002` and 2000+ Mb/s.
Security Implications
We advise users reviewing the various Apple Silicon macOS virtualization solutions to consider their needs around network security of the VMs. Almost all currently available solutions for running macOS VMs on Apple Silicon Macs do not support a complete set of advanced network security features: VM-to-VM isolation, VM-to-Host isolation, and ARP spoofing prevention. Anka’s `virtio-net` stack-based networking provides these advanced network security features for Apple Silicon and Intel macOS VMs. Note that this applies to `shared` mode: a VM switched to `nat` (or a host with `shared_nat` enabled) trades VM-to-Host isolation and ARP spoofing prevention for the performance gain, so keep VMs that run untrusted CI workloads on `shared` where those protections matter.
Please feel free to reach out to [email protected] if you have any questions.