Amazon Web Services (AWS) importing VMware images is a bit like the Hotel California. You can check in but you can never leave.

That's VMware's view about AWS importing VMware virtual machines. Without any real export features, AWS is locking in customers that want to extend its virtualized infrastructure to a public cloud environment.

Matthew Lodge is senior director of cloud services for VMware. We caught up with him this week to talk about VMware's approach and how it differs to AWS.

Lodge referred to Tom Bittman, a Gartner Research analyst who says that security and performance are two of the top concerns around public cloud infrastructure.

That, in a nutshell, is a distinct way that VMware differs from AWS.

Hybrid is what VMware sees as its next push. In making the move to import VMware virtual machines, AWS is recognizing a significant market opportunity. It's also a testament to VMware's dominant place in the market.

But George Reese sees some issues with both AWS and VMware's methods. Reese is the founder of EnStratus, a cloud management service that helps companies extend their data centers to the cloud. He says the AWS import method is too low level. He said to us via Twitter that it would be similar to an app running on its own separate motherboard. That motherboard would then have to be ported from one server to the next.

The better alternative is to be portable to the application layer and run your application on any virtual machine on your target operating system.

Lodge says that VMware offers its customers security and control when moving to the cloud.

In a blog post this past August, he wrote:

"Another important area that we heard about time and again was security. Consequently, security is a key part of vCloud Datacenter services. There are three parts to this: the security of the cloud infrastructure itself, the applications running in the cloud, and the access and authentication rights for cloud users within your organization.

You told us it wasn't enough that the infrastructure and apps are protected; security teams and auditors need to be able to verify and document it too. To deliver on that, vCloud Datacenter service infrastructure has to meet a strict set of physical and logical security controls, with all logs available for inspection by third party auditors. We developed a control set derived from ISO 27001 and consistent with SAS70 Type II for that purpose, which our service provider partners implement.

We also took advantage of the new vShield Edge and vCloud Director "follow the app" virtual security, which provides a full stateful firewall (again, the logs are available for audit), virtual Layer 2 networking, and full Layer 2 network isolation. As a result, security policy and implementation automatically follow the app, regardless of where it lands physically. (There will be more on this in another blog post.)You also get full role-based access control, authenticated against your own enterprise directory so that you have the kind of access and authorization security you're used to."

AWS, Lodge maintains, has a virtual firewall that does not provide a high level of security. You can't see into it if there is an attack.

"They do not get logs out of the firewall," Lodge said. "If they're being attacked they can't see the logs to see if they are actually getting attacked. They can't see what happens."

AWS maintains its network is secure and there is lots to show for that being true. But the situation changes when you start moving virtual machines.

We'll get more into that in an upcoming post about virtual networks and the emerging awareness that networks require. Lodge and a host of others have a lot of insights into the topic that is worth exploring.

The bottom line: VMware is offering a far more sophisticated service than AWS but the flexibility and pricing for the AWS service makes it a compelling alternative to the VMware approach.

There are a lot of other players in this space, too. EnStratus is a world-class cloud management service. Rackspace is making its own mark by acquiring Cloudkick.

The new year? Our bet is the cloud will become far more transparent. The difference is that by the end of 2011, this will all be far more familiar to companies and perhaps a lot easier to implement, too.