The Role of Network Virtualization and SDN in Data Centers
Businesses and organizations of all sizes and types are going through several networking revolutions, and network virtualization is at the heart of them all.
The growing prevalence of ransomware and other laterally spreading malware is causing organizations to rethink network security, including in the data center. This growth is helping to drive growing interest in zero-trust architectures. And the continued rise of DevOps and all of its ad nauseam descendants – i.e. NetOps, DevSecOps, SecDevOps and DevNetSecOps – brings the idea of infrastructure as code (IaC) to the fore.
So how do these initiatives fit into network virtualization?
Virtual networking in the data center is not new
Virtual networks are an evergreen concept, rediscovered or recreated regularly. Essentially, a virtual network system allows IT to overlay multiple logical networks onto a shared physical network. IT teams can implement virtual networks to separate subsets of endpoints for security reasons or to meet the needs of specific protocols or applications.
Network virtualization technologies date back at least to the 1980s and include Ethernet virtual local area networks (VLANs) and MPLS.
The typical data center swims in virtual networks. VLANs have been a standard feature of data center network designs for decades. Server virtualization has also become commonplace, used to create new layers of virtualization within and between host servers.
SDN: Yes, you do that
Software-defined networking (SDN) is based on the idea that the control plane of the network and its data plane – the part that actually moves the packets – should be separated from each other, allowing centralized control of the behavior of the distributed network.
SDN is not the same as simply managing switch configurations from a central point: it assumes that the autonomy of data-plane devices is constrained, not merely coordinated. Embedded in SDN is the idea that any network can support a myriad of overlays and must be able to control flexibly and dynamically how ports are mapped to virtual networks and which services are provided on them.
Initially, SDN was designed as an open source strategy to gain more enterprise control over the network, both in the data center and on the LAN. The goal was to wrest control of network architectures from the tight grip of network vendors by making them independent of any vendor’s architecture and feature set.
Open, cross-platform strategies have spawned a myriad of implementations — Open vSwitch, OpenDaylight, Open Network Operating System, and others — and have made enough headway to drive vendors to mainstream the control plane-data plane model. These strategies have also inspired startups to adopt the model.
However, the first place companies adopted SDN was not in the data center, but in the WAN. Since around 2015, software-defined WAN has imbued enterprise WAN strategies with SDN concepts.
IaC: more ways and means to virtualize
The overlay concept has now reached a deeper layer of the infrastructure, as the spread of software containers such as Docker has created yet another layer of networking for inter-container communication. The related rise of DevOps has highlighted the idea of IaC.
The idea of IaC is that teams deploying software entities that control the virtual networks between containers and VMs should manage them the same way they manage other code artifacts in the environment. This adds a layer of virtual networks that live on the same ephemeral timescale as the containers they serve. It has also produced new tools and concepts, such as the service mesh, for managing this virtualization.
Zero trust: an end state for virtualization
In a true zero-trust environment, only sanctioned communications take place on the network. A given application, user or endpoint can only communicate with other applications, users and endpoints for which it has received prior authorization. Thus, unless the environment has been informed that a specific conversation is allowed, the conversation is prevented.
At the network level, zero trust translates into a concept known as the software-defined perimeter (SDP). With SDP, if endpoint A sends packets to endpoint B but B has not been told to accept packets from A, B ignores or drops those packets. From A's point of view, B is not visible on the network. If B and A are allowed to communicate, they do so through an encrypted tunnel. In this scenario, every communication takes place over a point-to-point virtual network, effectively a two-node VLAN.
Moving Forward with Virtual Networking in the Data Center
The way forward for virtual networks in the data center lies in the transition from manually managed VLANs to policy-based virtualization. This transition will happen via cross-platform SDN controllers and tools for automating – albeit likely from a vendor and not open source – service meshes and IaC. Zero-trust requirements, the shift to containers and microservices, and increasingly tight time constraints on network engineers will make this change a necessity.