Software-defined data center (SDDC) solutions provide over-taxed IT teams with the promise of virtualized, automated solutions to host data across clouds and deliver applications using intelligent software that eliminates manually intensive provisioning and operations work compared with a traditional data center. But for security-minded IT professionals, there also is an opportunity to remove complexity and immediately gain modern, stronger policies.
The data center and the network are the passageways that enable critical business functionality to reach end users.
Applications, users, services, and even entire business units are all dependent on capabilities of the data center and its underlying network infrastructure. As the world shifts to an era of digital business, in which business units need to be agile and adapt quickly to market conditions, more and more applications are being built and deployed that are considered “distributed,” taking advantage of physical resources of more than one cloud or private data center.
In the world of modern distributed, scalable applications combined with complex regulatory environments, legacy physical data center operations can be limiting to security and performance design principles. This has led to an immense growth and investment in public and private cloud technology.
VMware, the dominant enterprise virtualization platform and a CenturyLink alliance partner, has stated for many years that its vision is to enable any cloud, any app, any device. To support this vision VMware has launched products that let users deploy VMware-based apps into hosted clouds such as AWS or VMware Cloud (VMC), as well as VMware Cloud Foundation™ and the Cloud Verified program, on which CenturyLink has developed products and of which it is a part.
These products take advantage of a software-defined data center (SDDC). An SDDC combines all of the virtualization efforts, including virtual storage, virtual networking, virtual security, and virtual compute, into one easy-to-manage, integrated enterprise package.
VMware Cloud Foundation provides end users with a validated set of configurations and software-defined capabilities with which to rapidly deploy a fully virtual and integrated (hyper-converged) VMware data center, hardware and software. In addition, VMware's Cloud Verified program provides a consistent methodology for building a high-value, standards-based ecosystem that service providers are audited against and strive to become part of. When you see the logo, you know that a service provider such as CenturyLink has been tested and has worked closely with VMware.
Dealing with growing complexity and using the cloud
In legacy data center designs, perimeters were built around physical workload domains. One application had a discrete set of hardware design principles, such as firewalls, load balancers, and compute. Often connected by a service bus or middleware, security was heavily oriented toward north-south traffic (in and out of the data center), while custom applications had thousands if not millions of open ports with which to communicate across the data center as east-west traffic. This traffic often left one physical domain, passed through a physical firewall for packet inspection, and entered another physical domain.
This led to underutilized server resources, many physical fault domains, and physical hardware variations with differing security and networking guidelines. Long story short: your environment became very complex. Now you are asked to use third-party hosted public and private clouds. How do you cope with that change?
Moving past legacy data center security and networking designs
SDDC principles, applied through VMware Cloud Foundation, give data center and networking managers the ability to build with one consistent methodology everywhere. This involves creating networking policies that are logically bound to applications, not the other way around.
With all the growth around cloud and digital workspace software, the network is a critical component for the secure, efficient delivery of dynamic cloud applications to end users, as well as for efficient communication between clouds.
The evolution in networking includes the integration of the network with hypervisor platforms such as VMware ESXi, the integration of public clouds such as VMware Cloud on AWS (VMC), and network virtualization features under a networking platform VMware calls VMware NSX™.
Software-defined networking (SDN) gives administrators a completely new way to view, manage and secure the networks that correspond to virtual environments. That is, networks that support application environments that transcend infrastructure and cross physical fault domains, and that enable fully discrete virtual perimeters which do not need to hair-pin outside a physical domain to be secured by a physical firewall or network device. This considerably increases the performance of east-west traffic by keeping it within virtual environments running on higher-performing hyper-converged computing stacks.
This also means that network management happens at the VMware layer, so the logical constraints of the physical world are mitigated and integrating networks into hosted clouds becomes much easier. CenturyLink's Cloud Connect provides a complete direct networking solution set for connecting into most cloud providers at layer 2 or layer 3 to support these virtual networks.
[Graphic of virtual environments within virtual perimeters]
Effectively, VMware Cloud Foundation and its associated software-defined data center management products enable users to deploy and manage applications the same way regardless of the physical hosting environment, from cloud to edge and regardless of location, and to logically partition them into fully enclosed environments. This methodology is called micro-segmentation: a fully software-defined environment whose controls can ultimately be automated to adjust dynamically to the needs of the business.
Securing across physical domains
If you take advantage of VMware Cloud Foundation and NSX, you gain much greater capability to design a hybrid hosting environment. That is, you can extend your logical networking and security domains across physical hosting environments such as VMware Cloud on AWS and have them behave as part of your SDDC environment. Because you are no longer tied to sending traffic through physical routing and security devices in a data center for Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and other network functions, you are no longer limited by the networking and physical performance constraints of legacy hosting.
This means a consistent security policy management system within your SDDC that is bound to applications from cloud to cloud to edge device, allowing you to maintain a specific level of traffic- and context-aware rules that are tied discretely to applications and not to the hosting environment they run on.
This also means that, regardless of physical environment, applications can carry discrete context-aware policies, and security managers can monitor individual application sessions, such as user context on virtual desktop connections. In addition, security policy parameters such as those required by PCI or HIPAA can constrain all workloads to very specific parameters.
Furthermore, with an SDDC running on VCF, customers can add third-party next-generation virtual network and hypervisor functions in NSX where needed, providing additional functionality such as advanced security at the hypervisor layer. This limits wasted resources and simplifies security by integrating it directly into the virtual layer, improving performance and reducing the time to mitigate attacks down to the individual user and application.
Imagine baking anti-virus functions into the hypervisor, or better yet, content- and intent-aware security functions from leading vendors like Palo Alto or Fortinet into virtual environments as needed, wherever they run.
Securing dynamic environments
Once you have created micro-segmentation policies for your workloads, you are only a few steps away from using automation to build threat mitigation routines that draw on the advanced application insights generated by the SDDC. A security manager can monitor application traffic across the virtual and physical domains, adjust micro-segmentation policies as needed, and quickly defend against attacks in real time.
For example, if a virtual machine (VM) running an anti-virus package or virtual firewall detects an attack, a security professional could delegate that VM into a separate virtual network and DMZ, either manually or by defining that action within the policy, so that network and computing resources are routed away from the infected VM and the threat is mitigated in the data center almost immediately. If your computing capacity is impacted and you employ a VMware hosted cloud as part of your disaster recovery strategy, you could also dynamically route burst traffic to a standby node in case your private data center encounters a breach.
The SDDC lets you drastically improve security not just for north-south traffic but also by giving designers a whole new level of control and freedom over east-west traffic.
However, unlike many other technologies that force customers to rebuild applications from the code out, micro-segmentation and the SDDC let you apply the technology without a radical rebuild of all applications and apply modern security policies immediately, since you are likely already running VMware workloads. This is truly a transformative technology for security-minded IT professionals who are tasked with using more and more physical hosting environments and securing networks across them alongside their own hosting environments.
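The two ideas above, policies bound to application tags rather than to the host a VM runs on, and an automated quarantine response to a detection, can be sketched as a small policy evaluator. This is an added, constructed illustration and not NSX, VCF or CenturyLink code; the workload names, tags and rule set are hypothetical.

```python
"""Tag-based micro-segmentation policy with a quarantine response.
Constructed illustration; not NSX or VCF code."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Workload:
    name: str
    host: str                      # "private-dc" or "vmc-aws"; never consulted by policy
    tags: set = field(default_factory=set)

@dataclass
class Rule:
    src_tag: str                   # "*" matches any workload
    dst_tag: str
    port: Optional[int]            # None matches any port
    action: str                    # "allow" or "deny"

# Ordered rule set, first match wins; anything unmatched is denied (default east-west deny).
# Quarantine rules sit first so they override the application rules without editing them.
RULES = [
    Rule("quarantine", "security-tools", None, "allow"),   # quarantined VM may still reach IDS/AV
    Rule("security-tools", "quarantine", None, "allow"),   # and the tools may reach it
    Rule("quarantine", "*", None, "deny"),
    Rule("*", "quarantine", None, "deny"),
    Rule("app:shop-web", "app:shop-api", 8080, "allow"),   # hypothetical three-tier app
    Rule("app:shop-api", "app:shop-db", 5432, "allow"),
]

def matches(tag: str, workload: Workload) -> bool:
    return tag == "*" or tag in workload.tags

def evaluate(src: Workload, dst: Workload, port: int, rules=RULES) -> str:
    """Verdict for src -> dst:port. Only tags matter, so the policy follows the VM
    whether it runs in the private data center or in a hosted cloud."""
    for r in rules:
        if matches(r.src_tag, src) and matches(r.dst_tag, dst) and r.port in (None, port):
            return r.action
    return "deny"

def quarantine(workload: Workload) -> Workload:
    """Automated response to a detection: retag the VM; the rules do the rest."""
    workload.tags.add("quarantine")
    return workload

if __name__ == "__main__":
    web = Workload("web-01", "private-dc", {"app:shop-web"})
    api = Workload("api-01", "vmc-aws", {"app:shop-api"})
    print(evaluate(web, api, 8080))            # allow, across hosting environments
    quarantine(api)
    print(evaluate(web, api, 8080))            # deny, once api-01 is quarantined
```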
CenturyLink has invested in the development of software-defined data center products that take advantage of agile IT platforms such as VMware Cloud Foundation. Our CenturyLink Private Cloud on VMware Cloud Foundation™ is a validated design jointly created by our product teams and VMware teams to achieve Cloud Verified certification. We are also an AWS certified MSP, resale and Direct Connect partner.
This means that as you move to SDDC designs and look to take advantage of the security and portability of VMware Cloud Foundation, you can look to CenturyLink to help you scale and reach your digital business goals wherever you are on that journey. Our thousands of certified professionals and enterprise account teams can help you get there, while our network connects you from any of our 2200+ on-net data centers and 100k on-net buildings to the nearest hosted private cloud location of your choice.
This content is provided for informational purposes only and may require additional research and substantiation by the end user. In addition, the information is provided “as is” without any warranty or condition of any kind, either express or implied. Use of this information is at the end user’s own risk. CenturyLink does not warrant that the information will meet the end user’s requirements or that the implementation or usage of this information will result in the desired outcome of the end user.
This document represents CenturyLink’s products and offerings as of the date of issue. Services not available everywhere. Business customer only. CenturyLink may change or cancel products and services or substitute similar products and services at its sole discretion without notice. ©2018 CenturyLink. All Rights Reserved.