SDxCentral
Join Log In
SD-WAN 5G Edge 1 IoT SDN NFV Containers Cloud Security AI Data Center Storage APM/NPM Open Source

Log In to SDxCentral

Log in with your email? Forgot your password?
  • Newsletters
  • eBriefs
  • Podcasts
  • Webinars
  • Videos
  • Directory
  • White Papers
  • Resources
  • Use Cases
  • Support

Join SDxCentral and get information tailored to your particular interests everyday.

Join
Sponsored:
Dell EMC Citrix Riverbed

Container Management Simplifies SDN Application Deployment

Container Management Simplifies SDN Application Deployment
Juan Tellez July 18, 2016
11:21 am MT

Software-defined network (SDN) technologies have created the opportunity to simplify the way we approach the network and how it supports applications. But most companies that have acquired SDN technologies still look at the network in a way that retains its original point of view and, as a result, its original complexity. The resurgence of container management platforms has created the opportunity to manage the network from the point of view of the application, and to finally take advantage of SDN technologies to truly simplify application deployment.

One of the problems that SDN companies attempted to tackle is the issue of firewall rule explosion. Firewall access control lists (ACLs) are notoriously difficult to understand and process. For example, a customer I worked with at a former company had 50,000 firewall rules on a single firewall device and they did not know if they could remove any one rule without breaking an application! Load balancers have similar problems as firewalls. With hundreds of applications, come thousands of rules that must reside in a single hardware load balancer. Clearly, there is a problem.

One way to attempt to solve this problem is to create network application centricity. There are many network IT vendors that claim application-centric infrastructure and networking. Their view of the problem looks like a network administrator creating an application network flow by adding network objects such as firewalls, load balancers, filters, packet inspectors around an application running in a set of VMs.

Application Creation Flow

The diagram above illustrates how one networking company views the creation of an application. You start outside, go to a firewall, then through a load balancer (LB), then to an app (some VMs), and then through another filter to a database (DB). At each set, a service is inserted into the network flow. Each of those services then needs to be programed and maintained. By using SDN techniques to solve this problem, you get flexibility, but you still have the complexity of the network objects themselves. This complexity, implemented with hardware for each of those network objects is translated into a very difficult-to-manage and expensive system.

Other SDN companies have tried to solve this problem by replacing hardware devices with virtual machines (VMs). In this case, you end up with a VM running an application behind another VM running software firewall or a specialized packet analyzer. You then have to go to the network VM to create rules that relate to the firewall (e.g. open a hole for port 80, accept HTTP protocol, then 443, 4016 for a DB, then maybe 8080). This solves some problems, but also creates new ones – you now have more VMs in the network, and you have to link them together.

The virtualization revolution simplified system deployment but added a plethora of OS endpoints to the network. More VMs mean more IPs, more routes, more subnets, and more network complexity. It also increased the amount of east-west traffic, and generated the requirements for SDN tunneling and network isolation for application segments. It created more costs as new vendors entered the segment to solve the problems created by virtual machines.

What if you could stop thinking of the application’s needs in terms of network objects?

If you place the application in an application platform, specifically a platform that is managing containers instead of VMs, then you can begin to think of the application’s networking requirements from the point of view of the application.

Start with an application running in a container and define a name that will allow you to reach that application— let’s call that name the “route” to the application.

Application Platform with Policy-Based Network Controls

In the above diagram, you have two very simple objects, which are easily understood by an application owner and an administrator. The platform can now implicitly insert every network object needed by the application.

By applying policy-based network controls directly to the application, you can easily scale the application up or down, and the network objects will be added or removed automatically.

This model extends easily as you add more complex objects – like a database – to the model:

Application Platform with Policy-Based Network Controls

This simple structure is in fact a very sophisticated network topology. When an application platform manages the network object under the platform the software firewalls, filters, and load balancers all can be magically inserted into the network flow without having to consult the network administrator. Add a database and automatically get a filter.

This type of implicit network manipulation is becoming commonplace with container management platforms. These platforms are using SDN techniques to wire containers together along with firewalls, load balancers, filters, service discovery, and many other network functions. When done through policy, the platforms hide network complexity and create objects that application programmers can manipulate and exploit for ease of deployment, development, and operational simplicity. Containers + SDN + platform-as-a-serivice (PaaS) create a new paradigm for applications.

Related Articles

Service Provider SDN Deployments Near Universal IHS Markit Finds
Service Provider SDN Deployments Near Universal, IHS Markit Finds
Cisco Pushes ACI to AWS and Azure, Embraces ‘Data Center Anywhere’ Strategy
Cisco Pushes ACI to AWS and Azure, Embraces ‘Data Center Anywhere’ Strategy
Hauwei’s New Data Center Switch Uses Embedded AI Chip
Huawei’s New Data Center Switch Uses Embedded AI Chip
ONAP Casablanca Shows Up in ‘All the Gin Joints’
ONAP Casablanca Shows Up in ‘All the Gin Joints’
How-and-Why-to-Give-4G-the-5G-Treatment
How and Why to Give 4G the 5G Treatment
AT&T Likes That the ONF Brings Original Design Manufacturers to the Table
AT&T Likes That the ONF Brings Original Design Manufacturers to the Table
SDxCentral Daily News

Join your Peers! Subscribe to SDxCentral's Newsletter

Article Tags:

Contributed Articles Network Virtualization SDN

Subscribe to Get the Daily News!

About SDxCentral

  • Newsletters
  • About Us
  • Contact Us
  • Work With Us
  • Editorial Team
  • Careers
  • Legal
  • Support

Engage With us

This material may not be copied, reproduced, or modified in whole or in part for any purpose except with express written permission from an authorized representative of SDxCentral, LLC. In addition to such written permission to copy, reproduce, or modify this document in whole or part, an acknowledgement of the authors of the document and all applicable portions of the copyright notice must be clearly referenced. All Rights Reserved.

© 2012-2019 SDxCentral, LLC, All Rights Reserved. SDNCentral™, the SDNCentral logo, SDxCentral™, SDxCentral logo, SDxNews™, SDxTech™, SDx™, the SDx logo, and DemoFriday™ are trademarks of SDxCentral, LLC in the U.S. and other countries.

  • Terms of Service
  • Privacy