Unlocking Superior macOS VM Network Performance: Introducing Anka’s new networking mode for Apple Silicon

Large and complex enterprises using Anka have many different demands, and we continue to develop innovative technology to meet them. Enterprise infrastructure hardware is often on the cutting edge, and these teams need advanced network security capabilities for macOS VM-based CI environments. To meet these demands, Anka lets you enable VM to VM and VM to Host isolation, and performs ARP Spoofing prevention by default, on top of our custom virtio-net stack. This is currently supported for both x86/Intel and Apple Silicon/ARM.

Starting in Anka version 3.3.9, we are introducing the beta availability of a new Network Mode named nat, which unlocks superior macOS VM network performance. The nat network mode provides a minimum of 2x the network performance of shared, as well as VM to VM isolation by default. The only downsides are that it does not support advanced network security features like VM to Host isolation and ARP Spoofing prevention (or any other VM IP Filtering). The nat mode is built on top of the macOS network capabilities exposed in virtualization.framework.

Let’s show you how to enable this network mode and what to expect!

Enabling NAT Network Mode

The nat mode can be set explicitly on a per-VM/Template/Tag basis using anka modify:

anka modify {vmName} set network -t nat

Or the nat mode can be enforced for VMs with shared mode using anka config:

[sudo] anka config shared_nat 1
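
Because nat drops VM to Host isolation, ARP Spoofing prevention and VM IP Filtering, the choice between the two commands above is worth planning per VM. The following dry-run planner is an added example, not part of Anka or the original post; the inventory format, the VM names and the requirement labels are assumptions made for illustration, and the script only prints the commands it would run.

```sh
#!/bin/sh
# Added example: dry-run planner. It only prints commands and never calls anka.
# Inventory lines (constructed): "<vmName> <comma-separated requirement labels>".
# The labels vm2vm, vm2host, arp-guard, ip-filter and none are hypothetical.

# Succeeds for features the article says nat mode does not support.
nat_blocks_requirement() {
  case "$1" in
    vm2host|arp-guard|ip-filter) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the anka command for one VM, or the reason it must stay on shared.
plan_vm() {
  vm=$1
  for r in $(printf '%s' "$2" | tr ',' ' '); do
    if nat_blocks_requirement "$r"; then
      echo "# keep $vm on shared: needs $r"
      return 0
    fi
  done
  echo "anka modify $vm set network -t nat"
}

# Plan a whole inventory from stdin and say whether global shared_nat is safe.
plan_inventory() {
  blocked=0
  while read -r name reqs; do
    [ -n "$name" ] || continue
    line=$(plan_vm "$name" "$reqs")
    echo "$line"
    case "$line" in "# keep"*) blocked=1 ;; esac
  done
  if [ "$blocked" -eq 1 ]; then
    echo "# do not set shared_nat 1: it would force the kept VMs onto nat too"
  else
    echo "# every VM fits nat: 'anka config shared_nat 1' is an alternative"
  fi
}

# Constructed sample inventory.
SAMPLE_INVENTORY='ci-build-01 vm2vm
ci-sign-01 vm2vm,vm2host
ci-test-01 none'

printf '%s\n' "$SAMPLE_INVENTORY" | plan_inventory
```

With the sample inventory, only ci-sign-01 is kept on shared, and the planner advises against the host-wide shared_nat setting for that reason.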

Setup + What to expect

We’ll be using an AWS EC2 M2 Mac in this example. You can read more about using AWS EC2 Macs for Anka here.

  1. We did not set shared_nat or NAT for the network mode initially. It was only after testing on shared that we enabled shared_nat.
  2. Let’s first mount the internal SSD of the EC2 instance so we don’t have to deal with EBS performance limitations and variance: diskutil mountDisk /dev/disk0
  3. Next, we’ll modify the config to use those locations for Anka Storage: anka config img_lib_dir /Volumes/InternalDisk/anka && anka config state_lib_dir /Volumes/InternalDisk/anka && anka config vm_lib_dir /Volumes/InternalDisk/anka
  4. Next we’ll create a VM with anka create vm1 latest
  5. Once created, we install AZCOPY, create a large temporary file, then upload it to Azure:
    • anka run vm1 bash -c "curl --output azcopy.zip https://azcopyvnext.azureedge.net/releases/release-10.22.0-20231205/azcopy_darwin_arm64_10.22.0.zip && unzip azcopy.zip && chmod +x ./azcopy_darwin_arm64_10.22.0/azcopy && ls -al azcopy_darwin_arm64_10.22.0"
    • anka run vm1 bash -c "mkfile -n 10g temp_10GB_file"
    • anka run vm1 bash -c "AZCOPY_CONCURRENCY_VALUE=100 AZCOPY_BUFFER_GB=1 ./azcopy_darwin_arm64_10.22.0/azcopy cp temp_10GB_file https://XXXX.blob.core.windows.net/test?XXXXX"

Keep in mind that the VM’s resources can also limit the transfer speeds. On VMs with 4CPU/4GB of RAM, we saw half of the speeds we did with a 6CPU/10GB VM.

After running azcopy with a VM in shared mode, we see Elapsed Time (Minutes): 1.7338 with a throughput of anywhere from 200~1300 Mb/s, often bouncing around 1000 Mb/s.

For nat, we see Elapsed Time (Minutes): 0.8337 with a throughput of ~2000 Mb/s and more. If we use AZCOPY_CONCURRENCY_VALUE=200 AZCOPY_BUFFER_GB=2, we see Elapsed Time (Minutes): 0.7002 and a throughput of 2000+ Mb/s.

Security Implications

We advise users reviewing various Apple Silicon macOS Virtualization solutions to consider their needs around network security of the VMs. Almost all currently available solutions for running macOS VMs on Apple Silicon Macs do not support a complete set of advanced network security features like VM to VM, VM to Host isolation, and ARP Spoofing prevention. Anka’s virtio-net stack-based networking provides these advanced network security features for Apple Silicon and Intel macOS VMs.

Please feel free to reach out to [email protected] if you have any questions.
