NETWORKING

  • 01/15/2015
    8:00 AM

Community Cloud Uses NSX To Streamline Security, Cut Costs

IlliniCloud consolidates security operations and reduces networking complexity with VMware's network virtualization platform, no 'architectural duct tape' needed.

As a nonprofit consortium providing cloud-based IT resources to school districts, IlliniCloud lives on the cutting edge. Using the latest technology helps the Illinois-based community cloud provider maintain its focus on providing state-of-the-art computing services, while allowing cash-strapped schools to concentrate on their core business of educating kids.

"We're always on the bleeding edge of everything, not because we want to be, but anytime we can drive down costs, it's a win for schools," Jason Radford, head of IlliniCloud architecture and operations, said in an interview.

IlliniCloud was launched about five years ago as a cooperative for Illinois school districts that allowed them to share computing resources much more cost effectively than setting up the IT infrastructure themselves. It has three data centers and has grown to provide virtual servers, storage and networking resources to a broad range of nonprofits and local governments across seven states.

As IlliniCloud grew, its operators found that networking was one area where it wasn't able to reduce costs. "It seems to be getting more expensive, not less. It was one of the anti-Moore's Law trajectories we were seeing. We had to do something to stay sustainable," Radford said.

SDN options
First, they replaced Cisco Nexus 7K/5K/2K/1K switches with the Arista 7150 platform, essentially shifting from a traditional chassis-based approach to more of a leaf-spine configuration. Radford said the move cut costs and lowered latency. They also investigated software-defined networking, including OpenFlow technologies and white-box switches from a variety of vendors.

"We knew what our pain points were in a traditional physical world and tried to see how this SDN, commodity world would fix or address some of the issues that we had," he said.

They didn't find anything that justified making the leap, and they didn't have the resources to implement white-box switches. But when VMware came out with its NSX network virtualization platform in 2013, they jumped in by doing some test cases and labs. Now, NSX is in production at IlliniCloud, which is 95% virtualized.

"We're driving all that network virtualization and automation with VXLAN either baked into the NSX product or integrated into Arista," Radford said. "It bridges our physical and virtual worlds seamlessly. We don't have to do what I call 'architectural duct tape.'"

Security consolidation
Security and protecting students' data, naturally, is critical for IlliniCloud, but the cost of network security was spiraling. NSX allowed IlliniCloud to reduce security costs and complexity by consolidating security functions, Radford said. The organization is pulling out its physical firewalls as well as load balancers and using NSX to provide that functionality in addition to VPN services.

The micro-segmentation provided by NSX helps IlliniCloud to separate different tenants "much easier than having two or three products, a bunch of architectural duct tape, APIs, and costly orchestration tools," Radford said. "Now we have a clean, visible network service composer for all our security visibility."

Many application vendors need temporary access to assets, which in a physical world leads to inefficient traffic routing, he said. NSX has allowed IlliniCloud to run "a simplified, easy-to-use, Layer 3 core," he said.

"If we did have more exotic needs, like tunneling Layer 2, we could do that through an industry standard VXLAN interface and not have to worry about cost or all the operational overhead."

NSX's integration with third-party vendors such as Palo Alto Networks also was a plus for IlliniCloud.

In addition, the platform has allowed IlliniCloud to streamline management. Radford said the organization avoids the silos that are common in enterprise environments. "We're able to have true ops teams that can address a problem no matter the specific area, whether it's storage, virtualization or networking," he said. "It kind of flattens the model to where we don't have real silos, so much as an IT operations team. That removes the need to have costly service contracts or specialists."

Radford estimates that after IlliniCloud has run NSX in production for a year and fully cuts over to the platform, it will reduce costs by at least 40%.

Challenges
Radford cited a couple of issues in deploying NSX. First, for network pros, it can take some time to understand the architecture. "That's not a knock; it's a change in how you implement, design, and approach your problems in networking," he said. "It takes a while to sink in, but when it does, it's a definite light-bulb moment."

The other issue, which IlliniCloud operators knew ahead of time they'd have to deal with, was the need to change MTU settings to accommodate VXLAN, which required a little downtime during a maintenance window. "With VXLAN headers, you have to expand your default MTU settings to allow that additional information to come across."

In the future, there are a couple of features IlliniCloud is looking forward to NSX providing. One is the ability to have policy enforcement plug into the NSX ecosystem in order to audit and validate the policies IlliniCloud implements through a service composer-like tool.

The other would be the ability to have global server load balancing (GSLB) with the functionality provided by F5's BIG-IP Global Traffic Manager (GTM). 

