Software Defined Networking with Advanced Application Delivery
Organizations are striving to become more agile, with the role of IT becoming paramount in importance. Fast roll-out, control and optimization of a wide variety of applications drives revenue, competitive advantages and customer satisfaction. These apps must be optimally delivered and secured regardless of where they reside: on-premise or in public, private or hybrid cloud deployments.
In attempting to achieve agility, enterprise networking teams have been plagued by two significant concerns. First, such environments have an inherently large-scale, shared infrastructure, yet the network architecture is typically static in nature. When IT on-boards a new application, upgrades equipment or simply scales up, things may not go as planned. Applications can “break”, logjams occur, SLAs are not met and finger pointing starts. Virtualized computing and storage have only upped the ante. A second issue is the overall lack of application awareness and the difficulty of supporting advanced networking and security services.
Operations have partially overcome the resulting bottlenecks by eliminating hierarchically oriented designs. Some IT groups eradicated switch-based network segmentation and instituted a flat, Layer 3 network involving leaf/spine solutions with more routing. Others leveraged overlay networks on existing Layer 3 networks by turning to Virtual Extensible LAN (VXLAN). An overlay network is a virtual network that is built on top of existing Layer 2 and Layer 3 network technologies to support elastic compute architectures. Flattening the network makes it more flexible and better able to handle virtualized computing, but does not go far enough.
The upshot is a network that cannot automatically change traffic flows in a dynamic way. The high-level visibility needed to forward packets based on the nature of the traffic present is missing. Administrators are required to manually deploy, configure and maintain numerous elements with ever-changing needs. To make matters worse, organizations must massively overprovision their “static” network to handle transient spikes and therefore run at maximum capacity at all times, regardless of actual need.
Software Defined Networks
A key to solving this conundrum is to move to Software Defined Networks (SDN). SDN promises the ability to better utilize assets, dynamically adapt to throughput needs and perform traffic engineering with an end-to-end view of the network. In legacy topologies, control and forwarding functions are inextricably coupled within the network routers and switches, resulting in inflexible designs. By separating the forwarding and management functions, SDN provides the ability to scale resources and substantially improve agility while lowering costs.
In decoupling the data plane from the control plane, the data plane can now be directly programmed, support open, standards-based APIs and can use lower cost white box routers, switches and other elements. Network operators can centrally configure, manage and monitor resources with a network that is programmed based on the distinctive needs of the specific applications and traffic profiles present.
Application Aware Network and Security Services
To get the most out of your software defined datacenter you need to deploy networking and security services that have the requisite app visibility. Adding secure application services provided from Application Delivery Controllers (ADC) can help realize the goal of a dynamic “app aware” network with advanced capabilities. These secure application services integrate the following in scalable, high capacity, physical, virtual, bare metal or cloud-based appliances:
- Web and app server availability. Advanced full-proxy load balancing and content switching with customizable server health checks and Layer 7 scripting redirects requests to the appropriate server. An added benefit is the elimination of server sprawl.
- Disaster recovery and business continuity. Global server load balancing extends load balancing on a global basis to enable worldwide business continuity with faster, localized server responses.
- Multi-tenancy. Over 1,000 application delivery partitions (ADP) offer the high-density, multi-tenant solutions for customizable per-app policies and appliance consolidation.
- Secure communications. SSL Offload with Perfect Forward Secrecy and the most extensive cipher suite, including Elliptic Curve Cryptography (ECC), provide SSL offload at the industry’s highest levels.
- Rapid content delivery. Application acceleration including caching, compression and TCP reuse combine to expedite content transfer for enhanced performance. Interoperability with protocols such as selective acknowledgement, client keep-alive and window scaling improves transmission efficiencies.
- Protect vulnerable web and DNS servers. Secure services and meet compliance targets with an ICSA-certified web application firewall and DNS application firewall, DDoS protection and bandwidth control with rate-limiting.
- Access control and single sign-on. Allow external client access to web portals, internal resources and mobile BYOD devices while maintaining security. Integrates with authentication servers, identity data stores, identity providers and OCSP responders to validate client certificate status, as well as Microsoft Active Directory for SharePoint, Outlook and other apps.
As the need to scale and monitor ADCs arises, having a solution for overarching control and intelligent orchestration of these secure app services with granular visibility and analytics is paramount. This enables the realization of fully automated workflows to increase efficiencies, expedite app deployments, lower troubleshooting times and minimize TCO. IT can obtain:
- Coordinate and distribute policies and files. Automatically discover, track and monitor each appliance, partition and users. Configure backup and restore operations and schedule software updates.
- Self-service and automation. Improve agility and efficiency by eliminating the need for IT administrators to set up and configure per-application infrastructure. Automatically provisions, controls, manages, and elastically scales app services as demanded by dynamic workloads.
- Enable bimodal IT. Utilize a provider-tenant model to empower line of business owners to manage application delivery policies with visibility while ensuring oversight from a central IT team.
- Granular visibility. Generate insight into hundreds of aggregate or per-request metrics in real-time for user experience, end-to-end latencies, contextualized traffic profiles, anomalies, malicious intrusions and server health and utilization levels.
- Leverage machine learning and artificial intelligence. Proactively and automatically modify, provision and configure new app service instances and policies. Reduce troubleshooting times by over 80%.
Next generation ADCs are in effect a new application router that provides a top-level blueprint that is both user and application centric. These systems parse usage patterns in the context of user identities, applications in use, type of access device and even time of day to build granular context-aware access control. SDN enables administrators to leverage service insertion and service chaining to dynamically steer traffic flows through a sequence of ADCs with these L4-7 services. Additionally, this approach overcomes the added expense and the error-prone process of cobbling together disparate point product solutions.
To ensure a cohesive ecosystem, networking and security solutions need to support open and standards-based programmability. Comprehensive management and monitoring should be accessible from vendor neutral APIs — providing interoperability with automation, orchestration and analytics. If application networking platforms support RESTful APIs, then administrators can quickly integrate them with other services and management systems. Thunder ADCs are 100 percent programmable through their REST-based aXAPIs that integrate with a broad range of platforms beyond SDN controllers such as popular DevOps and CI/CD tools including Ansible, Chef, Puppet, Jenkins, and SaltStack.
Dynamic Application Delivery Controller Scaling
Such interaction allows for dynamic scaling of ADCs where user-flows are redistributed on-the-fly among the available ADCs when they get added or removed. The available ADCs are fully synchronized and are aware of one another’s flows and instruct the SDN controller to distribute the user traffic amongst them.
If an ADC is suddenly presented with a flow that causes it to work at near-maximum capacity, it can instruct the controller to temporarily reduce traffic and send new flows to other ADCs in the network. As traffic demands grow, the controller can instantly spin up a new ADC instance while keeping the existing physical or virtual appliances in place, and the controller balances new flows according to their capacity.
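The scaling behaviour described above can be modelled in a few lines. This is an added example, not A10 or SDN controller code: the ADC and Controller classes, the 90 percent threshold, the capacities and the adc-auto-N names are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

HIGH_WATER_PCT = 90  # assumed threshold at which an ADC asks the controller for relief

@dataclass
class ADC:
    name: str
    capacity: int                      # max concurrent flows (constructed figure)
    flows: set = field(default_factory=set)

    @property
    def load(self) -> float:
        return len(self.flows) / self.capacity

    @property
    def accepting(self) -> bool:
        # Models the ADC's signal to the controller: False means "send new flows elsewhere".
        return len(self.flows) * 100 < self.capacity * HIGH_WATER_PCT

class Controller:
    def __init__(self, adcs, spin_up_capacity=10):
        self.adcs = list(adcs)
        self.spin_up_capacity = spin_up_capacity
        self.spawned = 0

    def place(self, flow_id) -> str:
        """Assign a new flow; existing flows are never moved by this call."""
        candidates = [a for a in self.adcs if a.accepting]
        if not candidates:
            # Every ADC is near capacity: add an instance, keep the others in place.
            self.spawned += 1
            candidates = [ADC(f"adc-auto-{self.spawned}", self.spin_up_capacity)]
            self.adcs.extend(candidates)
        # Lowest relative load first, so new flows spread in proportion to capacity.
        target = min(candidates, key=lambda a: (a.load, a.name))
        target.flows.add(flow_id)
        return target.name

    def remove(self, name) -> dict:
        """Take an ADC out of service and redistribute its flows to the rest."""
        gone = next(a for a in self.adcs if a.name == name)
        self.adcs.remove(gone)
        return {f: self.place(f) for f in sorted(gone.flows)}

def flow_counts(ctl) -> dict:
    return {a.name: len(a.flows) for a in ctl.adcs}
```

With ADCs of capacity 10 and 20, thirty new flows fill the pair to their thresholds in a 1:2 ratio before the controller adds a third instance for the remainder.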
How A10 Networks Can Help
Datacenters of all types are moving to utilize software-defined networking methodologies to overcome the legacy static topologies that no longer suffice in a modern world. While SDN is gaining adoption and the use of the associated network function virtualization (NFV) is well established, the advanced secure application services from application delivery controllers need to be factored in. A10 Networks has an extensive array of secure app services from our Thunder ADCs that are proven interoperable with SDN/NFV in the real world.
A10 Networks supports infrastructure automation by combining with cloud orchestration platforms. Plug-in service modules are leveraged to instantiate, configure and monitor the ADCs, which in turn enable automated L4-7 services provisioning by integrating with cloud orchestration solutions such as those based on OpenStack, Microsoft System Center Virtual Machine Manager, and VMware vCloud Director. These modules allow dynamic enforcement of centralized tenant policy as new workloads and application services are created.
Thunder ADCs can allow network engineers and system architects to write their own policies or provision scripts themselves. This empowers IT to tailor automation policies for their application needs. For example, an administrator can use SDN orchestration tools to direct users with mobile browsers to mobile application servers. As new mobile application servers are brought online, the load balancers could adapt and forward mobile traffic to those new servers.
A10 Networks application and service delivery platforms are capable of integration into real world SDN environments, comprised of programmable routers and switches, including those based on OpenFlow, and a variety of controllers, such as those from Cisco APIC, VMware NSX, IBM SDN Virtual Environment and NEC Programmable Flow Controller.
- Deutsche Telekom case study: how they utilized SDN and NFV in piloting TeraStream, an all-IP network that delivers triple-play and other services from the cloud, as a model for next-generation operator networks.