Policy Replication in Virtualized Networks

Virtualization Reality

Policy Replication in Virtualized Networks

By Lori MacVittie, Senior Technical Marketing Manager  |  June 04, 2012

This article originally appeared in the June 2012 issue of INTERNET TELEPHONY

A core benefit of a virtualized network infrastructure is flexibility and scale. Scalability models based on virtualized instances of infrastructure rather than on physical devices tightly coupled to IP addresses allow such solutions to break out of the traditional N+1 scalability model – a model that while not incompatible with cloud computing and highly virtualized data centers is nonetheless sub-optimal.

This is particularly true in networks where a very high rate not only of change but volume is often experienced. For example, service provider networks see ebbs and flows of traffic bursts and declines throughout the day during fairly well-understood time intervals. When shared resources are the norm, this reality often translates to congested networks and poor user experiences, as attested to by those who suffer degrading performance at home about the time the local high school lets out.

Organizations, too, suffer similar time-predictable performance degradations. The sudden influx of a large number of employees logging on in the morning at the beginning of a shift can unduly tax not only the service being accessed and its dependent services, but the network itself.

It’s only natural that those responsible for the network turn, as server administrators and architects did, to virtualization as a means to combat the need for elasticity in the network throughout the day.

The problem, however, is a bit more complex than merely transitioning from a hardware-based network to a virtualization-based network. Cloning an image of a load balancer or a Diameter component may be easy. Provisioning may be as simple as pushing a button. But replicating policies appropriately? That may be a completely different ball game.


Policy Replication

It is important to recognize that a plurality of the services offered by network infrastructure is based on policies – policies that govern access, that determine legitimacy, that steer traffic one direction or another. These business-influenced operational policies are vital to the core function of many infrastructure services.

As organizations consider transitioning to a more virtualized network infrastructure they must be aware of the ties that bind and gag network infrastructure arising from its hardware roots: IP-based configuration.

Network infrastructure configuration is often tightly coupled to IP addresses, making it much more difficult to clone and provision virtualized instances of the same infrastructure without additional processes that address this binding. All too often it is not just configuration that needs to be modified, but policies as well, as they have long been tied into their IP-based configuration foundations.

What’s necessary to enable a more virtualized network infrastructure is to decouple policy from configuration (and thus IP dependencies) and enable a more portable policy system, one that makes it possible not only to replicate policy on-demand within the organizations’ network, but across environments as well.

Enabling Standardization

Decoupling policy from IP dependencies would enable standardization of IP-dependent configuration methods. A network infrastructure-wide set of IP-specific APIs that allowed IP configuration updates at boot time would better be able to keep up with the volatility of a highly-virtualized data center and reduce the operational costs by eliminating the need to develop device-specific scripts to modify IP dependencies in newly provisioned virtual network infrastructure instances.

This then allows policy to be replicated to newly provisioned network infrastructure instances without concern for IP dependencies, which ultimately means intra- and inter-network portability of policies. The result is policy replication and management systems that are less complex, more efficient, and highly consistent – reducing the possibility of errors introduced by scripts or manual changes.

Such a system also enables the ability to deploy rapidly new policies that address emerging risks such as zero-day exploits or malware outbreaks. Policies that guard against such risks can more quickly be propagated across a network infrastructure if they require no subsequent modifications.

The portability of network infrastructure policy is critical to the ability of any organization to take advantage of emerging virtualized network infrastructure solutions. Operational consistency and risk mitigation require meticulous adherence to policies governing traffic. In highly volatile environments such consistency is best realized through replication on-demand. That requires that policy be decoupled from IP-based configuration dependencies first.

Lori MacVittie is senior technical marketing manager at F5 Networks (News - Alert) (www.f5.com).

Edited by Stefania Viscusi