Author: John Gudmundson, Senior Product Marketing Management at A10 Networks
Enterprise networking has been plagued by two significant concerns.
First, such environments have an inherently large-scale, shared infrastructure,
yet the network architecture is typically static in nature. When IT on-boards a
new application, upgrades equipment or simply scales up, things may not go as
planned. Applications can ‘break’, logjams occur, SLAs are not met and the
finger pointing starts. Virtualized computing and storage have only upped the
ante. A second issue is the overall lack of application awareness and the
difficulty of supporting advanced networking and security services.
Operations have partially overcome the resulting bottlenecks by
eliminating hierarchy-oriented designs. Some IT groups eliminated switch-based
network segmentation and instituted a flat Layer 3 network with more routing.
Others leveraged overlay networks by encapsulating IP traffic within IP.
Flattening the network makes it more flexible and better able to handle
virtualized computing, but it does not go far enough.
The upshot is a network that cannot automatically change traffic flows in a
dynamic way. The high-level visibility needed to forward packets based on the
nature of the traffic present is missing. Administrators are required to
manually deploy, configure and maintain numerous elements with ever-changing
needs. To make matters worse, organizations must massively overprovision their
‘static’ network to handle transient spikes, and therefore run it at maximum
capacity at all times, regardless of actual need.
SDN to the Rescue
A key to solving this conundrum is to move to Software Defined Networks
(SDN). SDN promises the ability to better utilize assets, dynamically adapt to
throughput needs and perform traffic engineering with an end-to-end view of
the network. In legacy topologies, control and forwarding functions are
inextricably coupled within the network routers and switches, resulting in
inflexible designs. By separating the forwarding and management functions, SDN
provides the ability to scale resources and substantially improve agility while
lowering costs. Once the data plane is decoupled from the control plane, it can
be directly programmed, support open, standards-based APIs and run on lower
cost white box routers, switches and other elements. Network operators can
centrally configure, manage and monitor resources with a network that is
programmed according to the distinctive needs of the specific applications and
traffic profiles present.
‘App Aware’ Network and Security Services
To get the most out of your software defined datacenter you need to
deploy networking and security services that have the requisite app visibility.
Adding Application Delivery Controllers (ADCs), next generation firewalls and
web security gateways can help realize the goal of a dynamic ‘app aware’
network with advanced capabilities.
ADCs integrate the following in one scalable, high-capacity appliance-based
device: load balancing and content switching to ensure server availability and
eliminate server sprawl; compression, caching and WAN protocol optimization
methods to accelerate content delivery while shrinking bandwidth needs; and
advanced security through revealing SSL-encrypted malware, blocking application
layer attacks and providing site-to-site IPsec VPNs.
Next generation ADCs are in effect a new ‘Application Router’ that
provides a top-level blueprint that is both user and application centric. These
systems parse usage patterns in the context of user identities, applications in
use, type of access device and even time of day to build granular, context-aware
access control. SDN enables administrators to leverage service insertion and
service chaining to dynamically steer traffic flows through a sequence of
physical or virtual ADCs delivering these L4-7 services. Additionally, this
approach avoids the added expense and the error-prone process of cobbling
together disparate point product solutions.
Leading ADC vendors also support infrastructure automation by integrating
with cloud orchestration platforms. Plug-in service modules are used to
instantiate, configure and monitor the ADCs, which in turn enables automated
L4-7 services provisioning through cloud orchestration solutions such as those
based on OpenStack, Microsoft System Center Virtual Machine Manager (SCVMM) and
VMware vCloud Director. These modules allow dynamic enforcement of centralized
tenant policy as new workloads and application services are created.
System Interoperability is Critical
To ensure a cohesive ecosystem, networking and security platforms need
to support open and standards-based programmability. Comprehensive management
and monitoring should be accessible from vendor-neutral APIs, providing
interoperability with automation, orchestration and analytics. If application
networking platforms support RESTful APIs, then administrators can quickly
integrate them with other services and management systems. ADCs can allow
network engineers and system architects to write their own policies or
provisioning scripts. This empowers IT to tailor automation policies to their
application needs. For example, an administrator can use SDN orchestration
tools to direct users with mobile browsers to mobile application servers. As new
mobile application servers are brought online, the load balancers can adapt and
forward mobile traffic to those new servers.
Application and service delivery solutions must be capable of integration
into real-world SDN environments, comprised of programmable routers and
switches, including those based on OpenFlow, and a variety of controllers, such
as Cisco APIC, VMware NSX, IBM SDN-VE and NEC PFC. Such interaction allows for
dynamic scaling of ADCs, where user flows are redistributed on the fly among the
available ADCs as instances are added or removed. The available ADCs are fully
synchronized and aware of one another’s flows, and instruct the SDN controller
to distribute the user traffic amongst them. If an ADC is suddenly presented
with a flow that pushes it to near-maximum capacity, it can instruct the
controller to temporarily reduce its traffic and send new flows to other ADCs in
the network. As traffic demands grow, the controller can instantly spin up a new
ADC instance while keeping the existing physical or virtual appliances in place,
and it balances new flows across them according to their capacity.
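The two steering behaviours described above, sending mobile browsers to a dedicated mobile pool and moving new flows away from an ADC that reports itself near capacity (spinning up a new instance when the whole pool is loaded), can be modelled as a small controller policy. The following is an added illustration written for this article, not A10 code and not any real controller's API; the pool names, the 90% near-maximum threshold, the User-Agent markers and the capacities are all constructed for the example.

```python
"""Toy model of SDN-driven flow steering across a pool of ADCs.

Added example, not vendor code. It demonstrates two policies from the text:
  * classify a request by User-Agent and steer mobile browsers to a
    separate mobile server pool;
  * keep new flows off any ADC that is near maximum capacity, and have the
    controller spin up a fresh instance when every ADC in a pool is loaded.
All names, capacities and thresholds below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List

NEAR_MAX_RATIO = 0.9            # constructed: ADC at >=90% load signals the controller
MOBILE_MARKERS = ("iphone", "android", "mobile")   # constructed UA markers


@dataclass
class ADC:
    name: str
    capacity: int                # max concurrent flows this instance should carry
    flows: int = 0

    def load_ratio(self) -> float:
        return self.flows / self.capacity

    def near_max(self) -> bool:
        # The ADC "instructs the controller" that it wants no new flows for now.
        return self.load_ratio() >= NEAR_MAX_RATIO


@dataclass
class Controller:
    pools: Dict[str, List[ADC]]
    spun_up: int = 0             # how many instances the controller created on demand

    def classify(self, user_agent: str) -> str:
        """Pick the target pool from the browser's User-Agent string."""
        ua = user_agent.lower()
        return "mobile" if any(m in ua for m in MOBILE_MARKERS) else "web"

    def steer(self, user_agent: str) -> str:
        """Assign one new flow and return the name of the ADC that receives it."""
        pool_name = self.classify(user_agent)
        pool = self.pools[pool_name]
        # Only ADCs below the near-max threshold are eligible for new flows.
        eligible = [adc for adc in pool if not adc.near_max()]
        if not eligible:
            # Whole pool is loaded: spin up a new instance of the same size
            # while leaving the existing appliances in place.
            new = ADC(name=f"{pool_name}-adc-{len(pool) + 1}",
                      capacity=pool[0].capacity)
            pool.append(new)
            self.spun_up += 1
            eligible = [new]
        # Balance by relative load so instances of different capacity fill evenly.
        target = min(eligible, key=ADC.load_ratio)
        target.flows += 1
        return target.name


def build_demo_controller() -> Controller:
    """Constructed pools: two web ADCs and one deliberately small mobile ADC."""
    return Controller(pools={
        "web": [ADC("web-adc-1", capacity=10), ADC("web-adc-2", capacity=10)],
        "mobile": [ADC("mobile-adc-1", capacity=2)],
    })


if __name__ == "__main__":
    ctl = build_demo_controller()
    # Constructed User-Agent strings standing in for real client requests.
    requests = [
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
        "Mozilla/5.0 (Linux; Android 12) Mobile Safari",
        "Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X)",
        "Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X)",
    ]
    for ua in requests:
        print(f"{ctl.classify(ua):6} -> {ctl.steer(ua)}")
    print(f"instances spun up on demand: {ctl.spun_up}")
```

Run as a script, the third mobile request finds the single mobile ADC at full load and is placed on a newly created `mobile-adc-2`, while web requests alternate between the two web ADCs by relative load. In a real deployment the `near_max` signal would come from the ADC's own telemetry and `steer` would translate into flow rules pushed to the controller rather than an in-memory counter.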