Demystifying cloud-native networking
The most important evolution in IT over the past few years has undoubtedly been the rise of cloud-native application architectures.
There has been a steadily growing awareness of the benefits to be gained from deploying loosely coupled microservices using containers, for the most part orchestrated with Kubernetes, says Guy Matthews, editor of NetReporter. The likely trend for the foreseeable future is for more and more workloads to leverage technologies like these.
“Perhaps what is less understood are the implications for the networking and connectivity needed to support these environments,” says Brad Casemore, VP research, datacentre and multicloud networking, IDC.
He notes that by no means all of the enterprises going through a migration towards cloud-native compute have a network that is fit for purpose. “When it comes to cloud-native application environments, and supporting the needs of developers and DevOps teams, networking can be complex,” he says. “Kubernetes has specific network requirements, as do native architectures, and many of them are beyond the scope of traditional network infrastructure.”
The complexity becomes especially acute up at Layer 7, says Casemore. “It’s at the application layer where microservices connect to one another,” he explains. “It’s very important to understand how the network needs to be adapted to meet these requirements. Containers are obviously changing how applications are developed, but they’re also changing how applications connect to each other.
“Most of the container focus has been on orchestration. But the network is also critical for these production deployments and must have cloud-native attributes. It has to be intelligently automated, elastically scalable, and secure. And there’s a greater need in this environment to have visibility and observability because of the dynamism of containers.”
To get a view from ground level, Casemore spoke to a selection of stakeholders in the cloud-native industry. Thomas Graf is co-founder and CTO with open source development specialist Isovalent, creator of Cilium, a popular cloud-native networking project.
He has noted a lot of investment by enterprises into meeting the unique requirements of cloud-native environments. “Some of these needs are obvious, around things like scalability and performance,” he observes. “It won’t be long before the number of container network ports worldwide exceeds the number of virtual ports in virtual machines, similar to the move from physical servers to virtual machines. There are therefore a number of transformations that need to happen.”
Galeal Zino, co-founder and CEO of Zero Trust platform developer NetFoundry, has his own take on the challenge. “I wouldn’t say our customers are looking to modernise their networks, I would say they are looking to eliminate their networks,” he claims. “They are trying to develop and deliver secure applications, but in a far more agile, extensible, high velocity manner than they were able to do on prem.
“They therefore need programmable secure application connections. Instead of essentially moving the network to the cloud or modernising the network, the challenge is more like how to get rid of the network. The network is a means to an end, at the end of the day.”
Pere Monclus, VP and CTO of networking with software developer VMware, is in broad agreement. “When you talk to customers that are thinking in terms of cloud model map transformation, they stop thinking of the network as a standalone entity,” he says. “It’s not about compute, storage and networking, or ports, switches and routers. It’s about choosing an application platform to run applications. How do I run application resiliency, how do I get consistent security across multiple environments, how do I have on demand elasticity of my applications, how do I bring a solution observability to my apps?”
Zino of NetFoundry sees security as a central cloud-native challenge. “The reality in today’s world of massively distributed applications is dealing with threats like the recent spate of ransomware attacks,” he believes. “The only way to do this at scale, with automation, is to do it with code in an intentional built-in manner. You can call it secure by design or Zero Trust. There’s no way to securely deliver applications in an agile automated way without actually putting that code directly into the app from the start.”
We are headed for a world of distributed computing and the processing of workloads across a spectrum of compute, from far edge all the way to cloud, envisions Zino. “We’ve often been in the position of having to choose between either really strong security and agility and automation and business velocity,” he says. “Done right, we don’t have to make that compromise. That means doing everything as code, abstracting away from security networking infrastructure, and actually being able to avoid a choice between security and agility, instead having both as programmable constructs.”
Not every enterprise, of course, is approaching the challenge of cloud-native connectivity from a Year Zero perspective. Monclus of VMware believes many enterprises are still divided between on prem environments and cloud environments. “Ideally all roles should work together to achieve an end-to-end networking experience, from physical to virtual, to service meshes,” he says. “But in certain cases you still have a traditional networking definition, and that’s fine. But it can create tensions.”
One big question when approaching cloud-native migration is whether you buy a solution in or build it yourself. Graf of Isovalent has seen cloud-native projects where the solution has been almost entirely developed by an end-user. In other instances the user is looking to buy. “We’re also sometimes seeing a mix,” he adds. “To me what connects it all together is the open source component. The model that we see more frequently and more successfully is when customers find a way to successfully work with cloud-native vendors together, but also gain influence into the future development of the product. Cloud-native is still a very young market, so there is still ample possibility and opportunity for customers to influence and drive the product forward. That’s been our approach to developing our solutions.”
Zino of NetFoundry agrees that the two migratory approaches, buy or build, are not necessarily mutually exclusive. “They’re very complementary and supplementary,” he says. “If I take NetFoundry customers as an example, they’re leveraging both our open source as well as our services. For us, it’s about making sure that our customers don’t need to choose between security and agility, and that’s fundamentally the most important problem they have. If they can have both agility and security, then they can win as a business.”
Monclus explains that VMware is working to help small and medium enterprises transition to cloud-native principles in a secure manner. “We’re approaching it in two ways,” he explains. “As a platform transformation or as a component transformation, depending on the problem that the customer may have, addressing it both ways, and with a strong spin of offering the products and services, SaaS and on prem, with on prem licences.”
Graf of Isovalent says the company created its Cilium project with very much this intention in mind. “The overall goal is for application teams to have the same user experience, whether they deployed to a local laptop, or to a multi cluster Kubernetes environment at massive scale,” he says. “From a user experience it should be the same. Networking should not be an added complexity.
“In order to implement and provide this there are a lot of requirements that come up from a networking perspective. We are providing a universal network plane that works exactly the same across different cloud providers, whether you’re in the cloud or on prem. We’re decoupling that and adding a connectivity layer on top. Even more important are additional security requirements that have been mentioned by others, so that’s Zero Trust, least privilege. It’s about being able to run the same network policies in a Google Cloud or in an Amazon Cloud. It’s the ability to understand service identities instead of talking about network endpoints, but also from an overall observability perspective.”
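As an added illustration of the identity-based, least-privilege policy Graf describes, here is a constructed CiliumNetworkPolicy written for this article (it is not Isovalent's or the Cilium project's own code; the service names, namespace, ports and HTTP paths are assumed). Workloads are selected by label rather than by IP address, so the same manifest applies unchanged wherever the labelled services run, and the Layer 7 rule restricts the calling service to two specific HTTP operations.

```yaml
# Constructed example: workloads are matched by labels (service identity),
# not by addresses, so the policy is portable across clusters and clouds.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: orders-api-least-privilege   # assumed name
  namespace: shop                    # assumed namespace
spec:
  # Identity of the workload being protected (assumed label)
  endpointSelector:
    matchLabels:
      app: orders-api
  ingress:
    # Only the checkout service may call orders-api, only on TCP/8080,
    # and only for these two HTTP operations (Layer 7 rule).
    - fromEndpoints:
        - matchLabels:
            app: checkout
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          rules:
            http:
              - method: GET
                path: "^/orders/[0-9]+$"
              - method: POST
                path: "^/orders$"
  egress:
    # orders-api may reach its database on TCP/5432 and in-cluster DNS
    # on UDP/53; every other outbound connection is denied.
    - toEndpoints:
        - matchLabels:
            app: orders-db
      toPorts:
        - ports:
            - port: "5432"
              protocol: TCP
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
```

Once a policy with ingress or egress rules selects a workload, any traffic not matched by a listed rule is dropped, which is what makes the allow-list least privilege.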
Graf says the need for observability has gone well beyond what observability solutions have provided so far. “We can go deeper, and understand the processes inside of a container, such as which individual process has done what at the network level. That’s the level of granularity and visibility that security demands these days.”
But in the final analysis, have enterprises truly started to embrace cloud-native at C-level? Is it yet a common currency among senior management, or still something below the radar?
“There’s a broad spectrum of enterprise sophistication,” believes Casemore of IDC. “Some have adopted cloud-native application environments extensively, and C-level executives in those organisations understand the benefits and value associated with that transition, and other organisations are just getting started, and they have yet to fully grasp the opportunities and challenges that are inherent in the shift.
“The vast majority of enterprises are relatively early on their journeys, and more work needs to be done by the industry to promote a complete understanding of the benefits and implications of going cloud-native. That includes communicating exactly how networking must adapt to meet the challenge.”
The author is Guy Matthews, editor of NetReporter.
21 June: Demystifying Cloud-Native Networking.