What is Network Compliance for Cloud Networking?


By: R. Scott Raynovich

[Note: This Tech Primer is Sponsored by Itential and is a summary of material published in a recent white paper: Building Trust & Compliance for Hybrid, Multi-cloud Networking.]

The arrival of cloud services has changed the way that networks must be managed. Enterprises increasingly must connect to many different types of networks – data centers, public cloud services, and edge networks with secure access service edge (SASE) designs. To connect all this together, application programming interfaces (APIs) and other technologies create programmable networks that bridge the gap between virtual and physical network elements.

How can network managers ensure that networks are run correctly in this new world? The answer is - by implementing software-based network automation. These tools and platforms enable enterprises to maintain pre-defined security, reliability, and performance standards across multi-cloud networks while accurately tracking changes and creating audit trails. These functions comprise the core of network compliance. In this Futuriom Tech Primer, we will examine how this is achieved.

The Challenges of Multi-Cloud Networking

Multi-cloud networking consists of connecting multiple services, network elements, and software platforms, including the following:

Public cloud infrastructure-as-a-service (IaaS): The major cloud players, such as Amazon, Microsoft, and Google, have cloud platforms that can be used for a wide variety of enterprise applications. They pioneered many of the technologies that are being used to build clouds these days, including APIs and other data-modeling technologies that abstract hardware interfaces for cloud networking – also known as “infrastructure as code.” These public cloud platforms change rapidly, with different approaches to network abstraction.

Telco, IoT, and edge clouds: Communications infrastructure services and the Internet of Things (IoT) are driving digital transformation by connecting, monitoring, and controlling devices such as traffic lights, automobiles, and sensors. The expansion of carriers’ 5G infrastructure is adding to what’s being connected to cloud services. Eventually, the resulting “Telco Cloud” is expected to have an overlapping architecture with public cloud services, driven by the same APIs and a scale-out model for infrastructure that can be ordered on demand.

Enterprise and private data centers. Many enterprises have been moving some of their applications or workloads from private data centers to public cloud infrastructure or shared IaaS. Yet this is a process that has only just begun. The migration of these systems takes time, and many applications and workloads are likely to continue to reside in a diverse number of clouds and platforms, including legacy enterprise infrastructure.

There are additional challenges in this new world of cloud networking. It’s now possible to build networks using a variety of software and hardware components, including open-source elements, network controllers, and multi-vendor software that can run on commercial off-the-shelf hardware. Mix this in with a legacy environment and an increasingly dynamic, mobile, and distributed set of users, and things get very complex very fast.

Bottom line? We are in the early innings of a cloud networking revolution, but to take advantage of this innovation, enterprises will need to enable their teams with full operational support for cloud networks. The networks connecting data centers, devices, and users need to be monitored, validated, and tested to ensure the network is being managed correctly. To automate and connect these networks properly, network validation and compliance needs to become a standard part of the process in multi-cloud and hybrid network operations.

Software: The Foundation of Multi-Cloud Networks

To understand how operational support is applied to the management of multi-cloud networks, it’s important to understand how these networks function. A modern, software-driven approach to networking is helping to automate and smooth the demands of connecting multiple or hybrid clouds. New types of networking software and middleware will be needed to automate and connect many different types of cloud networking.

In the networking business, typical approaches to software-based networks include software-defined networking (SDN), software-defined wide-area networking (SD-WAN), network-as-a-service (NaaS), network functions virtualization (NFV), and APIs. There are many providers in this space and multi-vendor software-defined networks are at least as common as single-vendor networks. Adding to this complex landscape are legacy network devices which use proprietary command line interfaces (CLIs) for management. This evermore common topology complicates the management and enforcement of network standards.

Another issue is connecting to legacy networks which often use their own command line interfaces (CLIs). An API-based approach to automation for network compliance is particularly important because it allows for easy multi-vendor management, creating programmable networks that support the command line interfaces (CLIs) and network configuration and change management (NCCM) tools commonly used for network compliance within enterprise legacy networks.

Building Blocks of an Operational Approach

In the journey to operationalizing cloud networks, the good news is that the software-based building blocks are already there. The “infrastructure-as-code” movement has yielded a wide range of tools and widely accepted methods to drive automation into infrastructure. Scripting tools such as Ansible, Chef, and Puppet help configure compute infrastructure. Terraform has come on the scene to become a de facto standard for automating the configuration of cloud infrastructure. On the networking side, software makes use of standard configuration technologies such as NETCONF/YANG, and OpenConfig to enable management by infrastructure as code. And individual cloud services have their own tools, such as Azure Resource Manager and AWS CloudFormation.

Clearly, cloud virtualization has been built on a "code first" approach to configuration and automating infrastructure. But most of these efforts in the networking space so far have focused on network configuration and orchestration, not validation and compliance.

Why Multi-Cloud Networks Need Operational Solutions

There are many things that can go wrong in multi-cloud networks. For example, if a cloud service is moved from one IaaS platform to another, or from one virtual private circuit (VPC) to another, security features such as firewalls, micro-segmentation, and policy-based access may need to be moved as well.

Other questions arise in multi-cloud networking: Where did routing changes happen and how? How do network management systems integrate with automation platforms such as Terraform and Ansible? Where does the team go to validate all infrastructure configurations and changes to match security best practices and compliance?

These are just a few examples, but it’s clear that with the expansion of multi-cloud and multi-domain programmable networks, managers need a way to apply governance to the network,

which includes delivering network supervision in the form of the following two elements:

  • Compliance: The enforcement of pre-defined network standards coupled with auditable tracking and reporting.
  • Validation: The capability to prevent compliance violations from entering the network in the future.

Managers need both these sets of tools to check that the network is being configured and monitored correctly, according to best practices. They use these tools to gain visibility and trust and operationalize the network, particularly when networks are connecting untethered users with a wide range of vendor equipment operating across a complex set of domains (public cloud, private data center, etc.).

An Operationalizing “How To”

When it comes to operationalizing cloud network compliance and validation, a software-first model is needed to deliver automated network management and compliance across both physical and cloud network services.

The diagram below illustrates how users can be linked to different platforms and systems using a consistent, software-first approach that responds to dynamic changes across domains and could help operationalize hybrid and multi-cloud environments.

Source: Itential

The process of validating, testing, and executing network connections – operationalizing cloud networking – can be undertaken in a software-driven model that mimics the cloud model of request-validate-execute. Indeed, the only way for networks to keep up with the rapidly advancing scale and demands of cloud systems and expanding device numbers will be to implement the same kind of automation of testing, validation, and deployment used in cloud systems.

Futuriom believes that automated testing and validation of networking changes and configuration represent an important innovation that will enable cloud network automation to move forward more rapidly, giving managers the confidence in network compliance they need in this complex world. Although this process is evolutionary and will take time, networking automation software can be used to bridge the gap between CLI and cloud APIs to help ease the pain.

Building Trust Through Network Validation

Just because automation is possible doesn’t mean everybody is ready for it. The challenge is building trust in the network. The analogy might be a self-driving car – even if the technology is being developed, not everybody is ready to jump in until it has been thoroughly tested and trusted.

The way to build trust requires specific tools to manage network automation, ones that perform the following functions:

  • Provide visibility and insights into traditional and cloud networking as well as automation technologies
  • Provide automated testing, validation, and configuration compliance
  • Help managers verify and test automation
  • Maintain visibility and control over changes in the network

A Glimpse of the Future

As we’ve noted, the only way for networks to keep up with the rapidly advancing scale and demands of cloud systems and expanding device numbers will be to implement the same kind of software-driven automation of testing, validation, and deployment used in cloud systems.

Futuriom believes that automated testing and validation of networking changes and configuration represent an important innovation that will enable cloud network automation to move forward more rapidly, giving managers the confidence in system compliance they need in this complex world.

To learn more about Itental’s modern approach to network compliance, you check out the whitepaper here.