Tuning network virtualization functions for a DevOps environment
By Michael Bomba
Jul 06, 2016
The initial HealthCare.gov launch was a failure -- the complex design, business logic, acquisition process and technology exposed all the weaknesses of traditional government IT. In response to the mounting number of big-project failures, the General Services Administration and the Office of Management and Budget created 18F and the U.S. Digital Service. The goal of both of these initiatives is to have the U.S. government adopt modern best practices and technology stacks mimicking successful Silicon Valley companies.
Thanks to the guidance of 18F, the benefits of using an agile development methodology and DevOps for continuous deployment are increasingly well understood across agencies. Both are now key building blocks for modern government software creation and delivery. With the rapid uptake of government clouds, the infrastructure for software delivery is often geographically dispersed across multiple private data centers and cloud providers. Coupled with the fact that DevOps encourages developers, testers and operations teams to deploy infrastructure as they need it, this can lead to multifunction and multisite server and software deployments, which can be hard for those tasked with infrastructure management and security to control.
One aspect of this burgeoning infrastructure and security management issue is related to networking. Emerging best practices in networking are network function virtualization and software-defined networking. NFV allows generic hardware to be configured via software as the type of network equipment required for a particular function. SDN moves the management of the network to a software-based central controller and also abstracts higher-level network functions from the underlying network hardware.
These two practices deliver virtualization of network functionality in much the same way that we have seen server and storage provisioning virtualized over the last decade. NFV and SDN make it easy to deploy network devices like load balancers, firewalls and other security infrastructure throughout the environment -- especially on networks using agile and DevOps -- because it’s easy to incorporate deployment into automated workflows.
In scenarios such as this, it is vital for the security and consistency of the deployment and testing functions that virtualized networking components are set up with the appropriate policy configurations applied. From a security perspective, it’s also vital that the correct permissions are applied so that only authorized persons use the network functions, and that the virtualized networking components are continuously monitored, then shut down and removed when no longer required. This last step is essential to reduce the number of targets available to those attempting to compromise a network. Old components that are no longer used may not get security updates, presenting a major vulnerability on a network.
The uptake of NFV and SDN virtualization of networking functionality, which was previously delivered via dedicated appliances, means that both must be incorporated into DevOps workflows. It is essential that there are continuous monitoring tools in place that can offer visibility, tracking and logging of NFV and SDN functions throughout all environments. It is also essential that they deliver management templates, scripts, role-based access control and tools that administrators can use to configure these software devices consistently in a sometimes chaotic DevOps environment. Ideally, administrators should be able to ensure that anyone deploying a virtualized network function within a DevOps workflow anywhere throughout the private or public cloud does so in a secure and consistent way. Administrators should also be able to get an overview of what is in use throughout the enterprise and be able to approve changes to standard configurations before they are exposed to external networks.
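The checks described above (policy configuration, authorized deployers, retirement of unused components, and approval of non-standard configurations before external exposure) can be run as one audit over an inventory. The following is an added example, not code from the article or from any vendor; the field names, baseline values, authorized principals, 30-day idle threshold and the inventory itself are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed baseline templates per VNF type (hypothetical policy values).
BASELINES = {
    "firewall": {"default_action": "deny", "logging": True, "mgmt_tls": True},
    "load_balancer": {"logging": True, "mgmt_tls": True},
}
AUTHORIZED_DEPLOYERS = {"netops-pipeline", "alice"}  # assumed RBAC role members
IDLE_LIMIT = timedelta(days=30)                      # assumed retirement threshold

# Constructed inventory, shaped like what a controller's REST API might return.
INVENTORY = [
    {"name": "fw-dev-01", "type": "firewall", "deployed_by": "netops-pipeline",
     "last_traffic": "2016-07-01", "external": True, "change_approved": True,
     "config": {"default_action": "deny", "logging": True, "mgmt_tls": True}},
    {"name": "lb-test-07", "type": "load_balancer", "deployed_by": "bob",
     "last_traffic": "2016-04-02", "external": False, "change_approved": True,
     "config": {"logging": True, "mgmt_tls": True}},
    {"name": "fw-stage-03", "type": "firewall", "deployed_by": "alice",
     "last_traffic": "2016-07-05", "external": True, "change_approved": False,
     "config": {"default_action": "allow", "logging": False, "mgmt_tls": True}},
]

def audit(vnf, now):
    """Return a list of findings for one virtualized network function."""
    findings = []
    baseline = BASELINES.get(vnf["type"])
    if baseline is None:
        findings.append("no approved template for type " + vnf["type"])
    drift = sorted(k for k, v in (baseline or {}).items() if vnf["config"].get(k) != v)
    if drift:
        findings.append("config drift: " + ", ".join(drift))
        # Deviations from the standard configuration need sign-off before exposure.
        if vnf["external"] and not vnf["change_approved"]:
            findings.append("unapproved change on externally exposed component")
    if vnf["deployed_by"] not in AUTHORIZED_DEPLOYERS:
        findings.append("deployed by unauthorized principal: " + vnf["deployed_by"])
    idle = now - datetime.strptime(vnf["last_traffic"], "%Y-%m-%d")
    if idle > IDLE_LIMIT:
        findings.append("idle %d days: shut down and remove" % idle.days)
    return findings

def audit_all(inventory, now):
    """Map each non-compliant VNF name to its findings."""
    return {v["name"]: f for v in inventory if (f := audit(v, now))}

if __name__ == "__main__":
    for name, findings in audit_all(INVENTORY, datetime(2016, 7, 6)).items():
        print(name, "->", "; ".join(findings))
```

In a pipeline, a non-empty result from `audit_all` would fail the deployment stage or open a ticket, so drifted or abandoned components are caught in the same workflow that created them.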
Most organizations that have adopted agile development and DevOps practices have a set of configuration tools and in-house workflows that are based on standard management tools and application programming interfaces. For example, Microsoft PowerShell is becoming the scripting language of choice for automation. Communication with development and deployment tools via RESTful APIs is also very common. Whichever underlying toolset powers a development and deployment workflow, the management tools for NFV and SDN that are adopted should be able to link into the same scripting tools and APIs. This allows the virtualized networking aspects of modern delivery workflows to be managed in the same way as other parts of a DevOps workflow.
Having a common set of management interfaces -- and preferably a single management view of all the parts of the DevOps workflow -- will make it much easier to ensure consistency across different environments and make all parts of the development and deployment workflow secure. This practice will pay dividends over time because everyone involved with the development and deployment of the software products will spend less time managing infrastructure and will have more time to spend on improving the products.
Michael Bomba is a federal solutions architect at KEMP Technologies.