Beyond SDNs – Networking & Security in 2013
We will look back on 2012 as the year that ushered in a new era of networking and infrastructure security in enterprise and cloud datacenters, driven by the software defined datacenter vision. In my last post, I talked about some of the key technology advancements that VMware announced at VMworld – a truly progressive line up of software-defined networking and security initiatives.
The acquisition of Nicira was the “shot heard around the world”, bringing together leading network virtualization solutions for both VMware and non-VMware stacks. And it’s clear that VMware, along with our ecosystem partners, can massively simplify the way customers provision and consume networks at scale, in private, hybrid and public clouds.
As I look ahead to 2013, certain trends begin to take shape – and only time will tell how many of these are here to stay. Here are my predictions for next year:
Prediction #1: The software-defined datacenter vision took the industry by storm in 2012. It represents a prescriptive model that brings the benefits of virtualization to the rest of the datacenter. Expect to see the move towards a software-defined datacenter accelerate in 2013. Networking and infrastructure security represent some of the stickiest issues when it comes to the drive to a more agile data center. And because of this strong customer interest in SDDCs, you’ll also see more networking vendors and startups modify their roadmaps to steer towards a software-defined networking strategy.
Prediction #2: In 2013 we’ll see network virtualization established as the real goal of SDN. What we’re really after is the ability to provision networks and network services on demand, instantaneously in the context of a compute/storage standup, and be able to do so without requiring manual configuration/re-configuration of the underlying infrastructure. The following simplified cloud consumption model depicts what network virtualization is all about – enabling the consumption of L2 and L3 networks logically to support compute & storage connectivity needs; likewise the consumption of L4-7 services, gateways to physical networks and the internet. This consumption model can be leveraged by various cloud management systems, like vCloud Director, Open Stack, etc.
Prediction #3: 2013 will also herald the wholesale virtualization of network and security infrastructure services, including firewalls, load balancers, IDS/IPS systems. We have seen the initial signs of this trend in 2012, and I expect to see this continue un-abated in 2013. One ramification of this trend is the de-fragmentation of security services. Historically, the security industry has been extremely fragmented – with perimeter security, network security, workload/guest security, data security, app security, user security. With virtualization and cloud consumption models, we will begin to see several of these functions come together in the virtual/cloud plane, as depicted in the illustration above.
Prediction #4: In 2013, we will see the emergence of a network virtualization solution across hybrid cloud stacks, like VMware vCloud, Open Stack, and Cloud Stack. We know this is desired by cloud operators who have multiple stacks, yet want a common network virtualization solution. Customers are also asking for this as they move towards a multi-cloud world. With the integration of the VMware and Nicira teams, this is an exciting area of focus for us.
Prediction #5: We’re also beginning to see the evolution of the physical network fabric in cloud and enterprise datacenters. Historically, service provider datacenters were L3-centric, while enterprise datacenters were L2-centric. L3 has the benefit of scale and fault detection, while L2 nicely supports enterprise apps that rely on broadcast domains (Microsoft apps, vMotion, etc). In 2013, I expect to see the architecture depicted in the graphic below within cloud datacenters (enterprise or service providers). The physical network fabric is becoming fast, flat and fat (see this prior post), with L3 to the Top of Rack (ToR), full mesh, with ECMP to effectively leverage all the paths between the leaf and spine. We are also beginning to see the leaf become dedicated to workloads (C=Compute, S=Storage, P=Physical) or to services (M=Management functions, FW=Firewall, LB=Load Balancer), per the following illustration. This “butterfly” architecture provides a lot of flexibility and simplicity in the realization of datacenter racks.
Prediction #6: What about L2 services in the above architecture? That question brings us to the next major trend – 2013 will be the year of L2 overlays. Millions of dollars have been poured into overlay technologies like VXLAN, NVGRE and STT, and we expect to see the entire industry release products (if they haven’t done so already), whether they are NICs, ToRs, or hypervisor support. L2 overlays over the L3 fabric above will become an important pattern in the data center. While there can be debate on the overlay technology, the more important observation is that L2 overlays over “L3 to the rack” architectures are a compelling tool in the war chest. You can read more about tunneling in this recent post by Martin Casado and Bruce Davie.
Prediction #7: The tools used by the new guard are beginning to evolve too. REST becomes the new CLI. Chef/Puppet become the new Perl/bash. In 2013, I expect that the centralization of control e.g. SDN controllers, will lead to chef/puppet/rest recipes beginning to replace those timeless network engineering scripts. The exciting news for network engineers in enterprises as they evolve to becoming “cloud architects”, is that they can now create recipes to build out service provider style transport networks with minimal configuration churn and potential for “fat fingering,” yet rapidly provision L2 over L3 overlays & virtualized L4-7 services to meet the demands of their business units or application developers.
Prediction #8: I expect we’ll see software-defined security infrastructure get the same kind of attention in 2013, that SDN had in 2012. With the move from web browser-server architectures to mobile-cloud architectures, classic security paradigms based on desktop security and web server security must evolve to focus on security within the cloud i.e. authentication, authorization and tenant edge security at the cloud tenant edge, and logical security within the virtual datacenter. Likewise, the evolution of network virtualization offers a new substrate to logically insert netsec services, all automatable into CISO-friendly workflows.
Next year promises to be an exciting time for the industry – one packed with disruption, innovation and transformation. Wishing all our readers a wonderful 2013!