Enterprises and organizations of all sizes and types are in the throes of several networking revolutions, and network virtualization is central to all of them.
The increasing prevalence of ransomware and other laterally propagating malware has organizations rethinking network security, including in the data center. This growth helps motivate a rising interest in zero-trust architectures. And the continuing rise of DevOps and all its ad nauseam descendants — i.e., NetOps, DevSecOps, SecDevOps and DevNetSecOps — is bringing the idea of infrastructure as code (IaC) to the forefront.
So, how do these initiatives fit in with network virtualization?
Virtual networking in the data center isn’t new
Virtual networks are an evergreen concept, rediscovered or recreated regularly. Essentially, a virtual network system enables IT to overlay multiple logical networks on a shared physical network. IT teams might implement virtual networks to segregate subsets of endpoints for security reasons or to serve the needs of specific protocols or applications.
Technologies for virtualizing networks go back to the 1980s, at least, and include Ethernet virtual LANs (VLANs) and MPLS.
The typical data center is swimming in virtual networks. VLANs have been a standard feature of data center network designs for decades. Server virtualization has also become commonplace, used to create new virtualization layers within and among host servers.
SDN: Yep, you’re doing that
Software-defined networking (SDN) is predicated on the idea that the network controller and the network data plane — the part that actually moves packets around — should be separate from each other, enabling centralized control of distributed network behavior.
SDN isn’t the same as simply managing network switch configurations centrally, as it presumes that the autonomy of data plane devices is limited rather than managed in harmony. Baked into SDN is the idea that any network can support myriad overlays and should be able to flexibly and dynamically control how ports are mapped to virtual networks and which services are delivered over them.
Initially, SDN was conceived as an open source strategy for getting more enterprise control over the network, both in the data center and on the LAN. The goal was to wrest control of network architectures out of the tight grip of network vendors by making them independent of any one vendor’s architecture and feature set.
The open and cross-platform strategies spawned myriad implementations — Open vSwitch, OpenDaylight, Open Network Operating System and others — and made enough headway to pressure vendors into bringing the basic control plane-data plane model into common use. These strategies also inspired startups to embrace the model.
The first place that organizations embraced SDN, though, was not in the data center, but in the WAN. Since around 2015, software-defined WAN has infused enterprise WAN strategies with SDN concepts.
IaC: More ways and means to virtualize
The overlay concept has now plunged a layer deeper into the infrastructure, as the spread of software containers, like Docker, created yet another layer of networking for intercontainer communications. The connected rise of DevOps brought the idea of IaC to prominence.
The idea of IaC is that teams deploying software entities to control virtual networks among containers and VMs should manage them the same way they manage other code artifacts in the environment. This brings forward a layer of virtual networks that is on the same temporary time scale as the containers they serve. It also results in new tools and concepts, like service mesh, for managing this virtualization.
Zero trust: An end state for virtualization
In a true zero-trust environment, only sanctioned communications take place across the network. Any given application, user or endpoint can communicate only with those other applications, users and endpoints for which it has been given permission in advance. So, unless the environment has been told that a specific conversation is allowed, the conversation is prevented.
At the network level, zero trust can be translated to a concept known as a software-defined perimeter (SDP). With SDP, if endpoint A sends packets to endpoint B but B hasn’t been told to accept packets from A, B ignores or drops those packets. For node A, node B is not visible on the network. If B and A are allowed to communicate, they do so via an encrypted tunnel. In this scenario, every communication takes place across a point-to-point virtual network, a two-node VLAN.
Moving forward with virtual networking in the data center
The path forward for virtual networks in the data center lies in the transition from manually managed VLANs to policy-driven virtualization. This transition will occur via cross-platform SDN controllers and automation tools — though likely from a vendor and not open source — service meshes and IaC. The needs of zero trust, the shift to containers and microservices, and the ever-tightening time constraints on network engineers will make this shift a necessity.