Hybrid Cloud Mesh


Notes from Cisco Live 2024 – Why are people interested in simplifying the microsegmentation of their cloud native environments?

By Raul Gonzalez posted 21 days ago


It was four days of talking about networks, security and cloud connectivity 24/7, not only with like-minded people attending the event but also with my own colleagues; it seems we can't disconnect from work even when we are having fun…

Like other Cisco Live events, there were lots of announcements about new technologies and new trends, and this year (obviously) there were lots of mentions of how AI can help with day-to-day operations. However, one recurrent topic popped up several times and is still relevant after all these years: network security.

It was mentioned during the event that the number one concern network teams have today is security (sorry, I don't remember the exact percentage of people concerned about security) and how they can simplify security management and security deployments on their network. Managing security for north-south traffic has been a common topic for years, and there are lots of solutions on the market that solve that problem. East-west traffic, however, is a little more difficult…

For monolithic applications running on bare-metal servers or virtual machines, communications and secure connectivity are not a big problem: there are plenty of firewalls and similar solutions that manage the security of this type of connectivity. But what happens with modern containerised applications running across multiple Kubernetes clusters? This was one of the main topics of conversation we heard during Cisco Live.

What is the problem with containerised application connectivity?

Managing the connectivity of containerised applications, and providing microsegmentation for applications running in multiple Kubernetes clusters, some of them on-prem and others on several different clouds, is a problem, a real problem that is increasing the complexity of applications today.

The main issue we face when connecting different clusters to each other is that it requires layer 3 focused technologies such as VPN, BGP, ACLs or similar to manage the connectivity between the different VLANs/VPCs where our clusters reside. And to provide higher levels of security, such as microsegmentation among these domains, the complexity of our network increases exponentially, along with operational and maintenance costs.

Today's application owners are not focused on IP addresses or FQDNs; they develop their applications using service names, namespaces and so on, so there is a big disconnect between network connectivity and network security on one side and how applications are developed on the other. How can you define a firewall rule between two different clusters, allowing only a specific container to connect to a specific service, when the IP addresses within the clusters are volatile?

Seamless network segmentation on cloud native environments

There is a solution that provides microsegmentation easily and rapidly in cloud native environments, although nobody I talked to during Cisco Live believed it at first! It sounded like magic!

The first thing we need to do to understand how this technology works is to stop thinking in terms of IP addresses and start thinking about how containerised applications work natively, i.e. with containers and service names. Once we work at this level, we can create different network segments between different namespaces and expose the services running in one cluster to another cluster (or clusters) of our choice.

What are the steps to enable this technology?

  • We install an application gateway (or layer 7 gateway) in each of the namespaces we want to connect, whether in the same cluster or in different clusters (including different clouds).

  • We connect these application gateways together, creating different network segments, also known as Virtual Application Networks (VANs).

  • We create policies on each network segment to expose the services to which we want to allow connectivity within the same VAN. Only the exposed services are reachable from other applications within the same network segment, so we achieve microsegmentation of application connectivity on top of a Zero Trust network.

Following these steps, we provide microsegmentation for containerised applications running in different clusters, located on-prem and/or in different clouds, with easy management and maintenance. So it's not magic, it's Hybrid Cloud Mesh.
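To make the three steps above concrete, and to show why the name-based model sidesteps the volatile-IP problem described earlier, here is a small Python model added to this post. It is a constructed illustration, not Hybrid Cloud Mesh code and not its API: the gateway, VAN and expose operations simply mirror the three steps, and every cluster name, namespace, service name, VAN name and IP address in it is made up. It evaluates the same intent twice, once as a name-based VAN policy and once as a flat IP allow-list, and then reschedules a pod to a new IP to show which of the two keeps working.

```python
"""Added example: a toy model of name-based microsegmentation with VANs.

Constructed for illustration only; the gateway/VAN/expose operations model the
three steps in the post, not the real Hybrid Cloud Mesh API. All names and IPs
are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Service:
    """A workload as developers see it: cluster / namespace / service name, no IP."""
    cluster: str
    namespace: str
    name: str


@dataclass
class Gateway:
    """Step 1: a layer 7 application gateway installed in one namespace."""
    cluster: str
    namespace: str
    vans: Set[str] = field(default_factory=set)  # step 2: segments this gateway joined


class Mesh:
    """Policy evaluator: default deny, allow only via a shared VAN that exposes the target."""

    def __init__(self) -> None:
        self.gateways: Dict[Tuple[str, str], Gateway] = {}
        self.exposed: Dict[str, Set[Service]] = {}  # step 3: VAN -> exposed services

    def install_gateway(self, cluster: str, namespace: str) -> Gateway:
        return self.gateways.setdefault((cluster, namespace), Gateway(cluster, namespace))

    def join_van(self, cluster: str, namespace: str, van: str) -> None:
        self.gateways[(cluster, namespace)].vans.add(van)
        self.exposed.setdefault(van, set())

    def expose(self, svc: Service, van: str) -> None:
        gw = self.gateways[(svc.cluster, svc.namespace)]
        if van not in gw.vans:  # a service can only be exposed in a segment its gateway joined
            raise ValueError(f"gateway {svc.cluster}/{svc.namespace} is not in VAN {van}")
        self.exposed[van].add(svc)

    def can_reach(self, client: Service, target: Service) -> bool:
        src = self.gateways.get((client.cluster, client.namespace))
        dst = self.gateways.get((target.cluster, target.namespace))
        if src is None or dst is None:  # no gateway means no membership in any segment
            return False
        return any(target in self.exposed[van] for van in src.vans & dst.vans)


def ip_acl_allows(acl: Set[Tuple[str, str]], src_ip: str, dst_ip: str) -> bool:
    """The layer 3 alternative: a flat allow-list of (source IP, destination IP) pairs."""
    return (src_ip, dst_ip) in acl


# Constructed topology: three clusters (on-prem, AWS, GCP) and one VAN named "checkout".
WEB = Service("onprem-1", "frontend", "web")
API = Service("aws-1", "payments", "api")
DB = Service("aws-1", "payments", "db")              # same namespace as API, never exposed
REPORTS = Service("gcp-1", "analytics", "reports")  # gateway installed, joins no VAN


def build_demo_mesh() -> Mesh:
    mesh = Mesh()
    for svc in (WEB, API, REPORTS):                    # step 1: one gateway per namespace
        mesh.install_gateway(svc.cluster, svc.namespace)
    mesh.join_van("onprem-1", "frontend", "checkout")  # step 2: connect gateways into a VAN
    mesh.join_van("aws-1", "payments", "checkout")
    mesh.expose(API, "checkout")                       # step 3: expose only the payments API
    return mesh


def demo() -> Dict[str, bool]:
    mesh = build_demo_mesh()
    results = {
        "web->api": mesh.can_reach(WEB, API),          # exposed in a shared VAN: allowed
        "web->db": mesh.can_reach(WEB, DB),            # same namespace, not exposed: denied
        "api->web": mesh.can_reach(API, WEB),          # web was never exposed: denied
        "reports->api": mesh.can_reach(REPORTS, API),  # no shared VAN: denied
    }
    # Same intent as an IP ACL (made-up pod IPs), then the api pod is rescheduled to a new IP.
    acl = {("10.0.1.5", "10.1.2.9")}  # (web pod IP, api pod IP) when the rule was written
    results["acl_before_reschedule"] = ip_acl_allows(acl, "10.0.1.5", "10.1.2.9")
    results["acl_after_reschedule"] = ip_acl_allows(acl, "10.0.1.5", "10.1.2.17")
    results["mesh_after_reschedule"] = mesh.can_reach(WEB, API)  # name-based: unaffected
    return results


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check:24} {'ALLOW' if allowed else 'DENY'}")
```

The point of the model is the `can_reach` rule: a flow is allowed only when both namespaces have a gateway, the gateways share a VAN, and the target service was explicitly exposed in that VAN. The `db` service in the same namespace as the exposed `api`, and the `analytics` gateway that joined no VAN, are both denied without any extra rule, which is the default-deny behaviour the third step describes, and the rescheduled pod shows the IP allow-list silently breaking while the name-based policy is unchanged.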
