If you ask 100 people what the term policy abstraction means, you’ll get 90 different answers. But policy is a significant development in networking. The concept had its roots with service providers when they tried to turn up millions of broadband access or cellular customers, and then make changes to their services without breaking the network or exposing security leaks.
Network policy is now part of the enterprise domain due to the cloud and the need to solve similar challenges of attaching lots of dynamic endpoints through templates rather than manual configuration. Networking needs to be easier to consume so that non-networking folks can get the connectivity they require in an on-demand fashion.
The network provisioning bottleneck
In most data centers, network configuration is still done on a device-by-device basis and is very tightly aligned with the physical architecture. Therefore, the configuration is hard to normalize, so it ends up being a very manual process that is error prone and not easily auditable. And the process for non-virtualized “bare metal” servers does not apply to virtualized environments.
Compute and server virtualization has helped tremendously with automated provisioning and migration of virtual machines. But in most cases, even those where a virtualized network switch is part of the hypervisor, the networking configuration relies on fixed network definitions and isn't very flexible. For enterprises, making sure networks that support virtual machines are adequately provisioned takes time – days or even weeks. This limitation negates the benefits of fast, automated VM migrations. And this process is certainly not compatible with the speed of deployment that is common with containers and microservices.
Innovations increase the burden
Two of the hottest IT topics right now are containers and microservices; these technologies are at the heart of making the infrastructure even faster to provision and reducing friction for development teams. Docker has popularized the idea that applications and services can be packaged as containers. The containers are then portable and can be grouped together in whatever configuration is needed. All of this is done programmatically via schedulers or orchestration platforms like Mesosphere or Kubernetes.
So while this innovation is great, it's just adding to the burden on the network to be flexible enough to handle this change in consumption and demand. Each microservice needs to communicate with other microservices, so how do we deliver the right network configuration that provides isolation, security, and L4–7 services?
Enter network policy abstraction
Policy-based networking is a way to address the need for on-demand network configuration of any virtual or containerized workload. Many of the principles behind this are borrowed from the mobile and broadband markets where large numbers of endpoints need to be configured quickly and are prone to come and go from the network.
The idea behind abstraction is to manage the complexity by removing the details from certain users to make a task achievable and repeatable. In most cases, layers of abstraction are used to expose the right tools to the right user. For example, developers want as many infrastructure abstractions as possible. They know the application and simply want to connect a tier or a service to the next one and so on. They should be able to select services like load-balancing as a part of this layout.
A network policy can include abstractions that define isolation, addressing, security policies, load-balancing, and permissions. Policies can be predefined as a part of a compliance process or created on-the-fly. Either method can be used in a programmatic way to build networks quickly. The use of abstractions gets away from everyone having to know the exact details of the location where an application will be deployed by handling this complexity in the background.
By providing easy-to-consume abstractions for more complex network functions, enterprise IT can realize these benefits:
- Speed. Networks are created on-demand for virtual/containerized workloads.
- Fewer errors. Network configuration is derived from a policy template that is auditable (subject to revision control).
- Mobility. Network configuration is portable and not tied to a particular location.
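To make the abstraction concrete, here is an added example in Python (not code from the article or from any product): the application team describes only tiers and the flows allowed between them, and a renderer expands that template into per-endpoint allow rules for wherever the scheduler happened to place the workloads, appends a default deny, and emits a stable fingerprint so the rendered result can be audited. The tier names, addresses and policy format are all constructed for the illustration.

```python
# Added example (not from the article or any product): an abstract tier-level
# policy rendered into concrete per-endpoint allow rules, deny by default.
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Endpoint:
    name: str
    tier: str
    ip: str  # assigned by the scheduler at placement time, never by the policy

# Abstract policy written once by the application team (constructed sample, not
# any real engine's schema): only tiers and the flows allowed between them.
POLICY = {
    "tiers": ["web", "app", "db"],
    "flows": [  # (source tier, destination tier, protocol, port)
        ("web", "app", "tcp", 8080),
        ("app", "db", "tcp", 5432),
    ],
}

def render(policy, endpoints):
    """Expand tier-to-tier flows into allow rules for the endpoints actually
    placed, then append a catch-all deny so isolation is the default. Output
    order is deterministic: one policy plus one placement always yields the
    same rules, which can be diffed and audited under revision control."""
    by_tier = {}
    for ep in endpoints:
        if ep.tier not in policy["tiers"]:  # a mistyped tier fails closed
            raise ValueError(f"{ep.name}: unknown tier {ep.tier!r}")
        by_tier.setdefault(ep.tier, []).append(ep)
    rules = []
    for src_tier, dst_tier, proto, port in policy["flows"]:
        for s in by_tier.get(src_tier, []):
            for d in by_tier.get(dst_tier, []):
                rules.append(("allow", s.ip, d.ip, proto, port))
    rules.sort()
    rules.append(("deny", "any", "any", "any", "any"))
    return rules

def is_allowed(rules, src_ip, dst_ip, proto, port):
    """First-match evaluation of a rendered rule list (e.g. for a policy test)."""
    for action, s, d, p, prt in rules:
        if all(x in ("any", y) for x, y in ((s, src_ip), (d, dst_ip), (p, proto), (prt, port))):
            return action == "allow"
    return False

def fingerprint(rules):
    """Stable digest of the rendered rules, recorded beside the policy revision."""
    return hashlib.sha256(repr(rules).encode()).hexdigest()
```

Re-rendering after a migration changes only the addresses in the rules, never the policy, which is what makes the template portable across locations.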
With a policy-based approach, we can make networking simple and fast to consume in a programmatic fashion that enables enterprises to remove one of the major hassles in deploying a private or hybrid cloud.