A Single Policy Namespace

Virtualization Reality

A Single Policy Namespace

By Lori MacVittie, Senior Technical Marketing Manager  |  July 23, 2012

This article originally appeared in the July/August issue of INTERNET TELEPHONY

Policies governing delivery of and access to applications are often tightly coupled to the notion of IP addresses, leaving operations to grapple with a growing diseconomy of scale arising from the volatility of virtualized infrastructure and services.

Abstracting and virtualizing policies governing all aspects of application delivery provides a layer of flexibility at a strategic point of control that brings the economy of scale promised by virtualization and cloud computing back to the data center.

The Challenge

The problem with policies, particularly those governing access, is that they often start with the premise of a “from” and a “to”. Like legacy access control lists, such policies attempt to codify network locations as a foundation for determining access.

As the number of possible “from” increases, so do the number of policies. Likewise, as virtualization is introduced into the mix, the number of possible “to” increases, creating an exponential number of possible combinations. This increases the risk of not only misconfiguration, but simply missed combinations.

A common solution is to codify authentication and authorization in the resources. But when infrastructure services providing identity management are part of that equation and they become virtualized or require scaling, the embedded strategy falls apart; it becomes impossible to predict where the identity service may reside in the future. 

The Solution

One solution is to apply virtualization to the policy enforcement and decision points within the network to manage the volatility inherent in virtualized and cloud computing environments. A layer of virtual policy decision points, much like load balancing, enables seamless scale as well as transparent access and invocation of services.

This virtual policy layer becomes the end-point for policy services, a single policy namespace. By abstracting the end-point for these services they are always accessible, regardless of actual implementation. This is the power of virtualization applied to architecture – abstracting services into an agile, transparently scalable layer that returns the economy of scale by obfuscating the rapid changes in the underlying network topology.

Once such a layer is in place, variables required to ultimately determine access or other delivery-related policies, can be more effectively managed. The target is now a single virtualized end-point, simplifying the architecture and policies required to govern it.   

Virtualization as a Strategy

Virtualization has been appropriated such that it brings to mind only certain types of technology, but the broader concept of virtualization – abstraction – has been used within the network for much longer than hypervisors have existed.

It is that concept of virtualization that must be used to address challenges arising from the more common definition –volatility of network topology.

Lori MacVittie is senior technical marketing manager at F5 Networks (News - Alert) (www.f5.com).

Lori MacVittie is senior technical marketing manager at F5 Networks (www.f5.com).

Edited by Stefania Viscusi