The holy grail of policy control is consistent, secure, end-to-end control. That means identifying users or end devices at the point they connect to the network, assigning policy, and enforcing that policy through to the end target. To do this requires managing that traffic through all the different parts of the infrastructure – LAN network, WAN network, data center network, servers, and down to the applications, no matter the location, even including multiple cloud infrastructures. That’s the real prize for software-defined networking.
One of the many things that makes this difficult is that traffic between end users and end applications typically traverses three very different networks: data center, WAN, and LAN. VMware’s NSX already handles the data center portion of this puzzle by providing network virtualization and segmentation for traffic within data centers. NSX extends to AWS and now also MS Azure to add control for total cloud, hybrid cloud, cross-cloud, and multi-cloud deployments.
Moving Policy Closer to Users
Which leaves the other two pieces of that data puzzle: WAN and LAN. These are harder to control. You likely do not own your WAN and so are subject to your providers rules. You may have multiple types of connections and multiple providers. And on your LAN, you probably have many categories of users and devices, many of which are out of your control. Fortunately, VMware’s acquisition of VeloCloud in December 2017, and the integration of it as NSX SD-WAN by VeloCloud, adds tools to extend policy control into the WAN and LAN (or user edge, for mobile and home office/small office users).
If you’re not familiar with NSX SD-WAN by VeloCloud’s model, it uses a combination of edge and hub appliances, managed by a cloud-based orchestrator. These appliances can be either physical or virtual, hosted on premises or in a cloud. SD-WAN in general provides the ability to use any WAN, or a mixture of WANs. Most SD-WAN solutions, including VeloCloud, allow load balancing between multiple WAN links based on policy, with consistent policies between sites.
Consider branch offices that have multiple types of traffic such as general corporate, guest, and protected. NSX will segment this once it reaches the data center – should it not also be segmented across the WAN? By using NSX SD-WAN you can set up BGP peering between NSX and the VeloCloud edge gateways so that routes are propagated across the SD-WAN per segment. Since that segment’s routes are the only ones associated with that end host or category or traffic group, that traffic can only access its appropriate segment of the data center. You can then extend the segmentation by leveraging NSX’s tagging and groups to create firewall rules. This gives you coordinated security from the WAN edge into the data center and to the application.
Policy can also be extended to users and user groups by leveraging VMware’s AirWatch mobile device management. This integrated solution takes the security groups from NSX and brings them into AirWatch. You then set up a policy within NSX SD-WAN by VeloCloud for how to treat that AirWatch traffic. When user tries to access data center resources across the WAN, then NSX SD-WAN by VeloCloud will optimize it and send it across the best link. Policies can be set for other types of traffic and applications also.
I was glad to hear that NSX SD-WAN by VeloCloud supports some virtual network functions (VNFs) at the edge gateways. As enterprises decentralize, it often makes sense to have some services locally. Using network function virtualization lets you leverage central policies to distribute these services such as authentication, routing, firewalling, etc. throughout the enterprise without needing additional hardware. This also helps with bandwidth use throughout the whole system, as this traffic is contained locally rather than backhauled through the WAN to the data centers.
Are We There Yet?
Accomplishing a true, end-to-end policy utopia requires a single policy creation platform and coordinated, synchronized policy enforcement points. I’m not necessarily talking about a single pane of glass, rather an integrated solution. In the current solution there is central control but multiple places to set and synchronize policy. The components are integrated in that they will talk to each other and work together, but there is not yet one definitive source for all policy truth.
At the recent Dell Technology World conference, Pat Gelsinger, VMware CEO, said that his vision is “a ubiquitous software layer from data center, to cloud, to edge.” I like the way VMware is delivering on this vision. The parts are coming together to connect and secure all the parts of modern data communication, with network services delivered in software when and where they are needed.