Distributed Services Platform - An Introduction
- 1.1 The Need for a Distributed Services Platform
- 1.2 The Precious CPU Cycles
- 1.3 The Case for Domain-Specific Hardware
- 1.4 Using Appliances
- 1.5 Attempts at Defining a Distributed Services Platform
- 1.6 Requirements for a Distributed Services Platform
- 1.7 Summary
Introduces the need for a Distributed Services Platform in your cloud infrastructure: one that offers superior security, cloudlike scale, hardware performance, and low latency, and yet remains software programmable.
In the last ten years, we have observed an increasingly rapid transition from monolithic servers to virtualization. Initially, this happened inside enterprise networks, creating the need for virtual networking, but it has quickly evolved into modern cloud architectures that add the dimension of multitenancy and, with multitenancy, increased demand for security. Each user requires network services, including firewalls, load balancers, virtual private networks (VPNs), microsegmentation, encryption, and storage, and needs to be protected from other users.
This trend is very evident in cloud providers, but even larger enterprises are structuring their networks as private clouds and need to secure network users from each other.
Software-based services are often the solution. The server CPU implements a Distributed Services Architecture in software. A virtual machine or a container comprises the software that implements the service architecture. All network traffic goes through this software and, after the appropriate processing, packets are delivered to their final destinations (other virtual machines or containers). Similar processing happens on the reverse path.
A pure software solution is limited in performance, and it has high latency and jitter. Moreover, it is very problematic in bare-metal environments where the entire server is dedicated to a user or an application, and there is no place to run the services architecture.
A distributed services platform is a set of components unified by a management control plane that implements standard network services, such as stateful firewall, load balancing, encryption, and overlay networks, in a distributed, highly scalable way with high performance, low latency, and low jitter. It has no inherent bottleneck and offers high availability. Each component should be able to implement and chain together as many services as possible, avoiding unnecessary forwarding of packets between different boxes that perform different functions. The management control plane provides role-based access to various functions and is itself implemented as a distributed software application.
We offer a new term, distributed services node (DSN), to describe the entity running various network and security services. A DSN can be integrated into existing network components such as NICs (network interface cards), switches, routers, and appliances. The architecture also allows for a software implementation of the DSN, even though only hardware is capable of providing the security and performance needed by today’s networks.
Keeping DSNs closer to applications provides better security; however, DSNs should ideally be implemented at a layer that is immune to application, operating system, or hypervisor compromise.
Having multiple DSNs, as distributed as possible, increases scalability dramatically and effectively removes bottlenecks.
This architecture is practical only in the presence of a management system capable of distributing and monitoring service policies to all DSNs.
Figure 1-1 provides a graphical representation of a distributed services platform.
FIGURE 1-1 A Distributed Services Platform
1.1 The Need for a Distributed Services Platform
A real distributed services platform should not only solve performance issues but should also provide:
- A consistent services layer common to bare-metal servers, virtual machines, and containers
- Pervasive security without any entitlements within the perimeter; that is, security decoupled from network access
- A security solution that is immune to compromised OSes or hypervisors
- Services orchestration and chaining to simplify management while enabling the delivery of different combinations of services
- Better utilization of resources, higher performance, lower latency, and latency isolation
- Tools capable of troubleshooting the network flows going through multiple services
- Built-in telemetry for edge-to-edge network troubleshooting, rather than debugging individual systems, applications, and segments, to give the infrastructure the ability to proactively report potential issues and offending actors
- A comprehensive set of infrastructure services that are easy to manage and that can be used together, including features such as microsegmentation, load balancing, a firewall, an encryption service, storage virtualization, and infrastructure services such as RDMA and TCP/TLS proxy
- Programmability in the management, control, and data planes so that software-defined features can be rolled out without requiring a hardware swapout or extended hardware development and release cycles