Migrating Applications to Software-Defined Networks
A practical guide to application migration into SDN environments
Occasionally, Enterprise Networking Planet is pleased to present the viewpoints of those working on the vendor side of the networking industry. Here, Professor Avishai Wool, CTO of AlgoSec, lays out a practical plan for migrating applications into an SDN environment.
Software-defined networking (SDN) is one of the hottest trends in security and networking. The benefits of the overall shift from relatively inflexible hardware-based architectures to nimbler, faster, more scalable virtualized deployments--including cost reduction, centralized management, quicker application deployment, scalability and reduced downtime--make the emerging software-centric model an attractive one. Security is also a key benefit, as SDN allows you to more easily define internal network segments and then filter East-West traffic. However, migration to SDN can seem daunting for CIOs given the resources and money they have already spent on their current infrastructure.
Any migration requires careful planning and management, so here are a few tips to help ensure you transition your business applications smoothly to SDN.
Set your SDN application migration objectives
Before beginning the migration process, consider what they want to get out of SDN. Different organizations will have different reasons and goals for migrating their applications to SDN and will apply the concept in different ways. They may be looking to centralize their network management, improve security or simply reduce costs. The objectives of the deployment will determine the technical process, so successful planning, identification of goals, and analysis of how the migration could impact business continuity, are crucial to the success of a migration.
Discover application connectivity
A crucial aspect of the planning phase is discovering and mapping the connectivity flows of your business applications. This process is imperative because you need to know the existing flows in order to make the necessary changes to them when you migrate to SDN. Unfortunately, the complexity of modern networks makes this a very challenging task. Disciplined organizations that maintain accurate, up-to-date, machine-readable records of the traffic flows that support each business application can quickly start the migration process by importing their documentation. More often than not, the application discovery stage will combine all available data sources: importing data from CMDB or home-grown repositories, machine-assisted discovery from traditional firewall policies, and intelligent traffic-based application connectivity flow discovery.
Migrating applications to a software-defined network
Once you have planned your migration process and successfully discovered the traffic flows for the applications you wish to migrate, you are ready to move them to a software-defined network. However, this is not something you can do overnight. You will not be able to migrate all your applications at once, so be prepared for a stepwise, ongoing migration process. This will usually include the following stages:
- Allocating IP addresses and assigning the server workloads onto the new addresses
- Reconfiguring the application software to use the new IP addresses
- Writing new policies to allow the application’s discovered traffic
- Deploying and validating the policy
- Testing the application’s functionality
- Moving the application to production
- Decommissioning the legacy version of the application connectivity
Managing application security in SDN
Once you have completed the migration of your applications to the software-defined network, your IT department should be prepared for ongoing security policy management. They will need access to change tracking and audit, risk and compliance reporting, as well as be able to modify the new network policies in accordance with changes to business applications. The best way to manage this is with a holistic, automated change-request system that supports both the software-defined network firewalls and security controls, as well as the traditional firewall estate. Migrating to SDN is also a good opportunity to reduce clutter and improve your policy efficiency. You should only convert actively used rules to the new network.In fact, a good migration solution will automatically flag redundant firewall rules for you.
Overall, a SDN migration project will require a strong, repeatable process to ensure success. Don’t believe any vendor that promises a "silver bullet" solution that automatically converts everything for you at a click of a button. While automation is crucial for the success of the project, there is no way around the fact that you will still need to discover, model, migrate, and test business applications in digestible chunks. However, with proper planning, testing and management, organizations can quickly and smoothly migrate their applications and reap the performance scalability benefits of software-defined networking.