MicroVMs: the security-first alternative to containers
Explore how microVMs combine container speed with VM isolation. Learn when to use Firecracker and gVisor for secure multi-tenant deployments.
If you've ever deployed untrusted workloads—think CI/CD runners, serverless functions, or multi-tenant SaaS—you've probably lost sleep over container escape vulnerabilities. Containers share the kernel with the host, and that shared boundary is a constant security concern. Virtual machines solve the isolation problem but come with heavyweight overhead that makes them impractical for modern workload densities.
MicroVMs sit right in that sweet spot: near-container speed with VM-level isolation. Let's dig into what they are, how they compare to traditional containers and VMs, and when you should actually use them.
THE ISOLATION PROBLEM WITH CONTAINERS
Containers revolutionized deployment, but they weren't designed with strong isolation in mind. When you run a container, you're really just running a process on the host with some Linux kernel features (namespaces, cgroups, seccomp) creating the illusion of isolation.
The kernel is the shared attack surface. A kernel exploit in one container can potentially compromise the entire host and every other container running on it. We've seen this play out with real CVEs like the runC vulnerability (CVE-2019-5736) that allowed container escapes through malicious images.
For internal workloads where you trust your code, this risk is manageable. But if you're running untrusted code—customer-provided functions, arbitrary CI jobs, or hostile multi-tenant workloads—the shared kernel becomes a serious liability.
WHAT EXACTLY IS A MICROVM?
A microVM is a lightweight virtual machine optimized for speed and density. It provides the strong isolation boundary of a full VM (separate kernel, virtualized hardware) but strips away everything unnecessary: legacy device support, BIOS emulation, firmware bloat.
The result? Boot times measured in milliseconds, memory overhead in single-digit megabytes, and the ability to pack thousands of microVMs on a single host—all while maintaining hardware-enforced isolation through the hypervisor.
Here's how the three approaches stack up:
COMPARING CONTAINERS, VMS, AND MICROVMS
Let's get specific about the tradeoffs:
| Metric | Containers | MicroVMs | Traditional VMs |
| Boot time | <100ms | 100-300ms | 5-30s |
| Memory overhead | ~1-5 MB | ~5-20 MB | ~500+ MB |
| Density | 1000s per host | 1000s per host | 10s-100s per host |
| Isolation | Process-level (shared kernel) | Hardware virtualization | Hardware virtualization |
| Attack surface | Large (entire kernel) | Minimal (hypervisor + minimal kernel) | Moderate (hypervisor + full OS) |
| Image size | Small (OCI layers) | Small (kernel + rootfs) | Large (full OS) |
| Ecosystem | Docker, containerd, CRI-O | Firecracker, Cloud Hypervisor, gVisor | KVM, Xen, VMware |
The key insight: microVMs give you VM security at near-container performance. You're trading a slight increase in boot time and memory overhead for a massive reduction in blast radius.
REAL-WORLD MICROVM IMPLEMENTATIONS
Firecracker
Developed by AWS for Lambda and Fargate, Firecracker is the most mature microVM implementation. It's built on KVM but strips out everything except what's needed to run a single workload.
Here's how you'd launch a simple Firecracker microVM:
# Start the Firecracker process
firecracker --api-sock /tmp/firecracker.sock
# Configure the VM (via API)
curl --unix-socket /tmp/firecracker.sock -X PUT \
-H "Content-Type: application/json" \
-d '{
"kernel_image_path": "/path/to/vmlinux",
"boot_args": "console=ttyS0 reboot=k panic=1",
"drives": [{
"drive_id": "rootfs",
"path_on_host": "/path/to/rootfs.ext4",
"is_root_device": true,
"is_read_only": false
}],
"machine-config": {
"vcpu_count": 2,
"mem_size_mib": 512
}
}' \
http://localhost/boot
Each Firecracker microVM runs its own kernel, completely isolated from the host. A kernel vulnerability in your workload's guest kernel doesn't give an attacker access to the host kernel.
gVisor
Google's gVisor takes a different approach: it's a user-space kernel that intercepts system calls before they reach the host kernel. It's not technically a microVM, but it solves the same problem—reducing the kernel attack surface.
# Using gVisor (runsc) as a Docker runtime
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
name: gvisor
handler: runsc
---
apiVersion: v1
kind: Pod
metadata:
name: secure-workload
spec:
runtimeClassName: gvisor # Use gVisor for this pod
containers:
- name: app
image: untrusted-image:latest
gVisor implements a substantial portion of the Linux kernel in Go, running in user space. System calls from your container go through gVisor's kernel implementation instead of directly to the host kernel. It's faster than Firecracker for some workloads but provides a slightly different security model.
Kata Containers
Kata combines the OCI container workflow with lightweight VMs. Each pod runs in its own microVM, but you still use standard container images and orchestrators.
# Install Kata runtime
kubectl apply -f https://raw.githubusercontent.com/kata-containers/kata-containers/main/tools/packaging/kata-deploy/kata-deploy.yaml
# Use Kata for untrusted workloads
apiVersion: v1
kind: Pod
metadata:
name: kata-secured
spec:
runtimeClassName: kata # Runs in a microVM
containers:
- name: workload
image: potentially-malicious:latest
Kata is particularly useful in Kubernetes environments where you want to mix trusted and untrusted workloads on the same cluster—use the default runtime for trusted workloads, Kata for untrusted ones.
SECURITY BENEFITS FOR APPLICATION DEPLOYMENT
MicroVMs shine in scenarios where the cost of compromise is high:
Multi-tenant SaaS platforms
If you're running customer code (think Shopify apps, Salesforce functions, or CI/CD platforms like GitHub Actions), you need defense-in-depth. MicroVMs ensure that a malicious tenant can't escape their sandbox to access other tenants' data or the underlying infrastructure.
Serverless and function-as-a-service
AWS Lambda runs millions of functions per second, often from completely untrusted sources. Firecracker enables this scale by booting a fresh microVM per invocation in ~125ms, giving each function its own kernel and complete isolation.
CI/CD runners
Running arbitrary build and test jobs is inherently risky. Projects like GitLab Runner and GitHub Actions use microVMs to ensure a compromised build can't poison the runner or access other builds' secrets.
# Example: Isolated CI job with Firecracker
job:
script:
- npm install # Could be malicious dependencies
- npm test
runner:
executor: firecracker
isolation: kernel-level
memory: 2048MB
timeout: 30m
Zero-trust architecture
MicroVMs fit naturally into zero-trust models. Even if an attacker compromises your application, they're still trapped inside a VM with no access to the host network, storage, or other workloads. You can further restrict with seccomp-bpf filters and minimal guest kernels that only include the syscalls your workload needs.
WHEN NOT TO USE MICROVMS
They're not a silver bullet. Here's when containers are still the right choice:
Trusted internal workloads: If you control all the code and trust your developers, the isolation overhead isn't justified
Cost-sensitive deployments: MicroVMs consume slightly more resources; at massive scale, this adds up
Extremely latency-sensitive applications: That extra 100-200ms boot time matters for some real-time workloads
Windows workloads: Most microVM implementations are Linux-focused
GETTING STARTED WITH MICROVMS
If you're convinced microVMs are worth exploring:
Start with gVisor if you're already on Kubernetes—it's the lowest-friction option for testing isolation without changing your orchestration
Use Firecracker directly if you're building a custom platform (FaaS, CI/CD) and need maximum control
Try Kata Containers for a drop-in OCI-compatible solution that works with existing container tooling
The ecosystem is still maturing, but major cloud providers (AWS, Google, Azure) are betting heavily on microVM technology. As the tooling improves and performance gaps close, we'll likely see microVMs become the default for any workload where isolation matters.
KEY TAKEAWAYS
MicroVMs bridge the gap between containers and VMs: you get near-container speed and density with VM-level security isolation. The hypervisor enforces a hard boundary that protects against kernel exploits and container escapes.
Use them when running untrusted code—multi-tenant platforms, serverless functions, CI/CD jobs—or anywhere the blast radius of a compromise would be catastrophic. Stick with containers when you trust your code and need maximum efficiency.
The security model is fundamentally different: instead of trusting the kernel and a stack of user-space isolation primitives, you're trusting the hypervisor—a much smaller, more auditable attack surface. For high-stakes deployments, that trade is worth making.
