While hyperscale public clouds grab attention, the majority of workloads and cloud infrastructure will continue to remain elsewhere for the foreseeable future. Enterprise private clouds are not only NOT disappearing but growing, spanning on-premises data centers, colocation sites and increasingly distributed edge sites. Tier 2 cloud service providers cater to local markets and provide services more closely tailored to their customers’ needs. Telecom service providers operate highly distributed clouds to support their network services.
These cloud operators all have two similar goals for their network infrastructure, goals that are so critical to remaining competitive that we can even call them mandates:
- Transform cloud networks to become as agile, highly available and simple to operate as the hyperscale public clouds.
- Move rapidly toward a new, more highly distributed networking and zero-trust security architecture to address increasing cybersecurity risks.
Unfortunately, achieving these goals is far from simple. Current networking solutions are not only insufficient, they are in many ways the biggest problem. The below datapoint, from The State of Data Center Networking: 2021 Annual Report, illustrates just that. The top two challenges in achieving a highly agile and available active-active or active-hot standby data center architectures are both related to network complexity.
When we dig into what, exactly, is the problem with the network, we see multiple components to the challenge:
- Cloud networking is fragmented and complex. Overlay networks are decoupled from underlay networks and fail to stretch across distributed clouds. Each cloud network has its own operations model, increasing operations cost.
- Security solutions are lacking. Today’s cloud networks demand distributed security, including micro-segmentation for zero-trust environments, to protect distributed applications against increasingly sophisticated security threats. Security appliances cannot scale cost-effectively to meet this requirement, while software-based virtual firewalls are expensive and compromise server performance.
- Visibility is an afterthought. Limited traffic monitoring and application visibility lead to reactive, slow troubleshooting. Separate monitoring networks add substantial cost yet deliver incomplete coverage.
- Automation is brittle and incomplete. Bolt-on automation tools and do-it-yourself (DIY) scripting are hard to implement and even harder to maintain. Multi-vendor incompatibility, script drift and lack of change control increase risks of outages or security breaches.
Let’s double-click on two of those challenges, security and visibility.
Distributed Security Challenges and Compromises
Today we find two primary approaches to solving the distributed security challenge and both of them lacking.
The first option is to extend the traditional security appliance model. One option is to add capacity to the centralized firewall, which has traditionally only inspected north-south traffic, and configure it to protect east-west traffic. This certainly adds cost, since most such firewalls are very expensive on a per-port or per-Gbps basis, but it also adds latency by requiring traffic “tromboning” to and from the firewall, and it creates capacity bottlenecks in the fabric. Replicating and distributing firewall appliances throughout the network can address the performance challenges, but quickly becomes cost-prohibitive.
The other approach to distributed security available today is a purely software-based virtual firewall model. With this model, the virtual firewall function runs on the CPU in every server. While this achieves the goal of distributing security close to the application, it comes with its own challenges. Software licenses for these virtual firewalls are almost as expensive as appliances and can easily add to up $60k per rack, typically much more. The virtual firewall also steals CPU capacity, by many estimates as much as 25-30%, reducing the capacity for applications. And perhaps most importantly, this model mixes applications (DevOps) and networking (NetOps) in the same CPU and creates an overlay networking environment that is de-coupled from the physical network. The result is operational complexity with multiple network operating models and poor definition of administrative boundaries. This approach can even introduce new security risks that didn’t exist before: hackers who compromise a server can quickly compromise the network as well.
In Search of Pervasive Visibility
Historically, visibility into network traffic flows has been incomplete at best and often treated as an afterthought. Network devices that can only sample a small fraction of traffic have to be supplemented with out-of-band monitoring approaches such as TAPs and aggregation networks. The high cost of this type of bolt-on monitoring approach has prevented many organizations from adopting it, and that cost barrier increases by an order of magnitude if one tries to extend the overlay visibility network to every server port to achieve truly pervasive visibility.
Pluribus has focused on avoiding these problems by providing built-in visibility tools, and we continue to make them more and more powerful, as demonstrated by our recent announcement highlighting the FlowTracker, KubeTracker and Virtualized Packet Broker features. As cloud network operators move toward a fully distributed networking and security architecture, this type of integrated approach will be the only way to achieve truly pervasive, application-aware visibility.
Meeting the Challenges with a New Vision
Clearly cloud networking needs a new vision and solutions that address all of the above challenges with a comprehensive set of capabilities:
- Unified and simplified networking
- Distributed security without compromises
- Built-in pervasive visibility
- Built-in SDN automation
On March 16, we are excited to host a major video broadcast event, Changing the Game for Cloud Networking, where we will unveil our new vision and solutions for cloud networking, including a partnership with industry leader NVIDIA, to address all of these challenges. Don’t miss it! Register now.