WHITE PAPER

Building Trust & Compliance for Hybrid, Multi-Cloud Networking

Introduction

The arrival of cloud services has changed the way that networks must be managed. Going forward, enterprises will need to connect to a number of different types of networks, both internal and external to an enterprise, including data centers, public cloud services, and edge networks that can connect to a wide variety of new cloud-based services, including security services such as Secure Access Service Edge (SASE). This requires a shift in network technology and thinking – not only is a more agile network required, but new technology will be required to ensure compliance and security in a world of multiple and hybrid cloud network connectivity.

The modern, software-driven approach to networks is helping to automate and smooth the demands of connecting multiple or hybrid clouds. This approach, commonly referred to as network virtualization and cloud networking, comes in the form of several categories of networking technologies such as software-defined networking (SDN), software-defined wide-area networking (SD-WAN), Network as a Service (NaaS), or Network Function Virtualization (NFV). A more important development, however, is the use of Application Programming Interfaces (APIs) to build programmable networks that can bridge the gap between the virtual and physical networks. Programmable networks are the key to customer success in managing hybrid, multi-cloud networks.

We are still in the early innings of virtualization and programmable networks – but once we get there, there are other considerations. Emerging NaaS technologies primarily address the management and orchestration of connectivity, but they don’t always take into consideration legacy environments. Programmable networks should not only deliver a modern, API-based approach to connecting clouds and networks, but they must also adapt to legacy technologies to support Command Line Interface (CLI) and networking configuration and change management (NCCM) tools, which are the most common tools in place for network compliance within the enterprise. With all this software and automation going on, how do you make sure things are done correctly – and adhere to operational and compliance protocols – if you can’t support legacy networks as well?

As automated multi-cloud networking technology is adopted, networks need supervision, which includes the following approaches:

  • Compliance: The capability to log and report what has changed in the past.
  • Validation: The capability to prevent compliance violations from entering the network in the future.

Managers need both these sets of tools to check that the networking is being configured and monitored correctly, according to best practices. They use these tools to gain visibility and trust and operationalize the network, particularly when networks are connecting with a wide range of vendor equipment and different types of networks (public cloud, private data center, etc.).

In this Futuriom Leadership Brief, we explain how Itential’s software-based network automation approach helps enable and operationalize cloud networking and build trust and compliance for networking in a multi-cloud world.

Requirements for Operationalizing Multi-Cloud Networking

With programmable networks and automation, it’s now possible to quickly reconfigure the connections to hundreds, if not thousands, of devices and applications. But managers may not be ready to jump into the world of programmable networks that connect the physical and virtual networks if they don’t have a way to apply governance to the network – which includes delivering compliance and validation tools to make sure that applications and network teams can modify the network within a prescribed set of guardrails.

There are additional challenges in this new world of cloud networking. It’s now possible to build networks using a variety of software and hardware components, including open source elements, network controllers, and multi-vendor software that can run on commercial off-the-shelf hardware. Mix this in with a legacy environment, and things get very complex very fast. We are in the early innings of a cloud networking revolution, but in order to take advantage of this innovation, enterprises will need to enable their teams to use cloud networking features with full operational support.

Networking in a Multi-Domain Network World

As domains such as public cloud, edge cloud, the telecommunications cloud, and hybrid data centers emerge to drive more automation in infrastructure, several barriers remain. Some of the barriers include money and training, but the major barrier is having trust in automation technologies.

To give an example of the expanding complexity in a multi-domain world, here are some of the networking domains and cloud platforms that are starting to merge:

Public Cloud Infrastructure as a Service (IaaS)

The major cloud players such as Amazon, Microsoft, and Google have cloud platforms that can be used for a wide variety of enterprise applications. They pioneered many of the technologies that are being used to build clouds these days, including APIs and the Infrastructure as Code approach. These cloud platforms change rapidly, with different approaches to network abstraction. Other domains such as Telco Cloud and IoT are also trying to follow this model, developing their own cloud platforms and tools. Enterprises would like to operationalize multi-cloud and hybrid networks and provide compliance using consistent standards. In the future, enterprises will be more likely to use hybrid and multi-cloud networks if they can apply a consistent system for compliance and automation across hybrid, multi-cloud, and public cloud environments.

Telco, IoT, and Edge Cloud

Communications infrastructure and the Internet of Things (IoT) domains are becoming large drivers of digital transformation efforts by connecting, monitoring, and controlling devices ranging from traffic lights to automobiles and sensors. At the same time, the imminent expansion of 5G infrastructure and its alignment with cloud architecture means that technology in the telecommunications industry is connecting more devices to cloud services. Because of the scale involved, automation of these connections is needed. Eventually the Telco Cloud is expected to have an overlapping architecture with public cloud services, driven by the same APIs and a scale-out model for infrastructure that can be ordered on demand. This includes hosting communications services and infrastructure in public cloud services. Individual enterprises may not know the specifics of each telco cloud platform, but they want better ways to consume these services programmatically – and apply consistent standards for compliance.

Enterprise & Private Data Center

Many enterprises have been moving some of their applications or workloads from private datacenters to public cloud infrastructure or shared IaaS. Yet, this is a process that has only just begun. According to Gartner, less than 10% of IT spending is currently on cloud. The migration of these systems takes time, but the real world is more complex, and many application workloads are likely to reside in a diverse number of clouds and platforms, including legacy enterprise infrastructure. Even if enterprises adopt some public cloud technologies, many will retain private datacenters. They will want to operate these private data centers with common cloud technologies that provide opportunities for integration with other cloud services. Public cloud platforms can drive complexity and lack visibility, so enterprises will need a way to consistently operationalize and provide compliance for hybrid and multi-cloud networks as they drive digital transformation efforts.

One of the new challenges in this changing world is that users (as well as connected devices or machines) have become more mobile and dynamic. The network infrastructure of today presents unique challenges with dispersed users and distributed applications in many different data center and network domains, which the network team will need to overcome.

The diagram below shows how different platforms and systems can be connected with a consistent approach that responds to dynamic changes across multiple domains. Using this approach, programmable network automation can help operationalize hybrid and multi-cloud environments.

A System to Operationalize Hybrid, Multi-Cloud Networks

In the cloud world, software development principles have evolved to build a system to develop, test, validate, and deploy new software projects.

As networking migrates to a cloud model and networking technology becomes more software-driven, a way to manage this process is necessary to operationalize cloud networking. The process of validating, testing, and executing network connections needs to mimic the cloud model of request-validate-execute.

By automating validation of network connections, cloud networking systems can be tamed. The key is using software to coordinate networking elements, including both CLIs and APIs, to enable programmability. APIs are the foundation of cloud automation, because they enable systems to be programmed and configured with software development, in an approach known as Infrastructure as Code. Proactive and reactive compliance methods apply to both CLI- and API-based infrastructures, and both methodologies will still be required going forward. In order to successfully manage the transition, teams must move to a proactive approach to validation that allows automation to be implemented with more confidence.

“All these modern systems have APIs and controllers but you still have to make sure the network is behaving correctly,”

– Chris Wade, Itential CTO

[Figure: Timeline of the modernized network configuration change management process, which starts with request, then validate, then execute.]

Just because automation is possible, it doesn’t mean everybody is ready to get on board. The challenge is building trust in the network. An example might be a self-driving car: Not everyone is ready to jump in until it has been thoroughly tested and trusted.

  • Providing visibility and insights into cloud networking and automation technologies.
  • Providing automated testing, validation, and configuration compliance practices.
  • Developing tools that help managers verify and test automation.
  • Maintaining visibility and control over changes in the network.

IT and network professionals, whether they be Chief Technology Officers, CIOs, network architects, or network managers, now realize that multi-cloud environments add complexity to the network. The arrival of flexible, API-driven software networking tools means it’s becoming easier than ever to connect devices and networks to the cloud. As the number of tools and types of networks increases complexity, it is more important than ever to build a cohesive approach to operations. The networks connecting data centers, devices, and users need to be monitored, validated, and tested to ensure the network is being managed correctly. In order to automate and connect these networks properly, network validation and compliance needs to become a standard part of the process in multi-cloud and hybrid network operations.

Enterprises in their digital transformation will be measured by how they take advantage of innovation and operationalize the latest technology. To do that, they need to build trust and compliance into the network. Whatever the flavor of the day it is, we need to run compliance across the network to give us confidence to automate it.

– Chris Wade, Itential CTO

Elements to Operationalize

Multi-cloud networking consists of connecting a large number of services, network elements, and software platforms. There are many things that can go wrong. For example, if a cloud service is moved from one IaaS platform to another, or from one virtual private circuit (VPC) to another, security features such as firewalls, micro-segmentation, and policy-based access may need to be moved as well.

Operationalizing the network means providing visibility and automation for the compliance of these network changes. Where did routing changes happen and how? Where do the security tools need to move to follow the network?

Here are some multi-cloud operational issues to consider:
  • How do you monitor and ensure the correct configuration of changing network groups, such as a particular Virtual Private Circuit on Amazon or a VNET on Azure?
  • As routing schemes are changed, how do you protect against traffic blackholing?
  • Network changes mean password changes. This requires automated practices for password rotations.
  • How do network management systems integrate with automation platforms such as Terraform and Ansible?
  • Where does the team go to validate all infrastructure configurations and changes to match security best-practices and compliance?

These are just a few examples, but it’s clear that with the expansion of multi-cloud and multi-domain networks, the need for operationalization and compliance is going to increase. To date, much of the focus on cloud networking has been on orchestration and configuration. The next step is to build automated operations and compliance into the network at the same time.

A Software-First Approach to Compliance & Validation

The foundation of cloud networking is data models, APIs, and standards to abstract hardware interfaces. This enables software-based control. This Infrastructure as Code movement has yielded a wide range of tools and widely accepted methods to drive automation into infrastructure. Scripting tools such as Ansible, Chef, and Puppet help configure compute infrastructure. Terraform has come on the scene to become a de facto standard for automating the configuration of cloud infrastructure. On the networking side, software makes use of standard configuration technologies such as NETCONF/YANG and OpenConfig to enable management by Infrastructure as Code. And individual cloud services have their own tools, such as Azure Resource Manager and AWS CloudFormation.

In the journey to operationalizing cloud networks, the good news is that the software-based building blocks are already there. Cloud virtualization has been built on a “code first” approach to configuring and automating infrastructure. Most of these efforts in the networking space so far, however, have focused on network configuration and orchestration, not on validation and compliance. A software-first operational model is needed to deliver automated network management and compliance across both physical and cloud network services.

Automated Testing in Cloud Networks

The goal is to use software to automate and manage the whole system, rather than the legacy model of manual configuration of specific devices. But it’s not always that easy to make the leap to automation. You need a software system that can verify and check configurations automatically, so that you can believe in the system.

As Infrastructure as Code evolves, it will take on more of the characteristics of the cloud DevOps movement we discussed above. This delivers a consistent approach to validating and testing the environment. While many other forms of cloud infrastructure technology have this, the network is behind. Network managers need to be able to test, validate, and deploy changes to a wide range of networking systems at the same time.

Some of the testing that needs to happen:
  • Are active changes to the network breaking things, or causing interdependencies to fail?
  • Is there a configuration standard such as “golden config,” and do the cloud networking changes adhere to these standards?
  • What are the implications of changes for security and access policies, such as firewall rules? For example, if a virtual cloud network changes, do firewalls and security policies need to follow the new network?

In the ideal situation, network automation will be accompanied by automated network testing and validation. This is what will deliver trust and compliance in the cloud networking world.

Itential’s Vision for Delivering Network Trust

Cloud networking needs will accelerate rapidly in the coming years, in order to connect the wide variety of cloud applications, services, and resources that are proliferating. As enterprises move to a multi-cloud and hybrid world, their networking systems will need to adapt to provide an automated operational model that can continually verify and test cloud networking. This will provide compliance and network validation in this environment.

Itential has been at the forefront of network automation, focused on helping network professionals connect and automate a wide variety of networking systems in multi-domain environments. The company also takes a cloud-native approach to networking, using APIs, a low-code interface, and automation techniques to guide this evolution of cloud networking. Itential’s configuration management capabilities streamline network configuration and management by generating abstracted models of cloud networks and their operations, which link directly to network elements through controllers, artificial intelligence (AI), and APIs.

Itential is one of the few vendors delivering operational and compliance tools for the cloud networking environment.

The Itential Automation Platform is designed to deliver a complete compliance and automation suite to operationalize your network, whether that means connecting to legacy infrastructure or the cloud. The keys to this approach include:

Automated Compliance for Network & Cloud

The Itential Automation Platform delivers automated compliance to the network by ensuring reliance and operational consistency across both physical and cloud networks.

Flexible Golden Configuration Templates

By using the Itential Automation Platform, network managers can simplify configuration trees by using Golden Configuration templates to create flexible config branches applying to different devices on the network.

Integrations for Everything

Managers can automate the network ecosystem by using out-of-the-box integrations for hundreds of systems in IT System Management, DevOps, inventory, telemetry, and more.

Extensible Network Automation

Itential’s workflow orchestration canvas uses a low-code, drag-and-drop interface to help teams manage automation across the network.

Future State – Infrastructure as Code

Given the rapidly advancing scale and demands placed on networks by cloud systems and expanding device numbers, the only way for networks to keep up will be to implement the same kind of automation of testing, validation, and deployment used in cloud systems. Itential’s approach is to build on the success of cloud-native principles by applying a CI/CD (continuous integration/continuous delivery) process into network testing, validation, and deployment.

Futuriom believes that automated testing and validation of networking changes and configuration represent an important innovation that will enable cloud network automation to move forward more rapidly, giving managers the confidence in system compliance they need in this complex world. Although this process is evolutionary and will take time, networking automation software can be used to bridge the gap between CLI and cloud APIs to help ease the pain. Itential’s innovative tools represent a practical way for network architects and managers to manage this ongoing evolution to fully autonomous, cloud-based networking.
