Tips for migrating applications to software-defined networks
Published: Friday, 18 December 2015 09:27
One of the advantages of software-defined networks is reduced downtime. In this article Professor Avishai Wool offers advice to organizations on how they should approach migrating business applications to SDN environments.
Software-defined networking (SDN) is one of the hottest trends in security and networking. Many enterprises are considering moving to virtualized networks such as VMware NSX as part of an overall shift from relatively inflexible hardware-based architectures to nimbler, faster, more scalable virtualized deployments. For most companies, the question is increasingly becoming how and when, rather than if they adopt a more software-centric networking model.
SDN offers several potential benefits to organizations, including cost reduction, centralized management, quicker application deployment, scalability and reduced downtime. Security is also a key benefit, as SDN allows you to more easily define internal network segments and then filter East-West traffic. However, migration to SDN can seem daunting for CIOs given the resources and money they have already spent on their current infrastructure. Whether they’re using SDN to supplement or replace their traditional network, they want to be confident that the benefits of the new technology will justify the resources and risks involved in the deployment.
Any migration requires careful planning and management, so here are a few tips to help ensure you transition your business applications smoothly to SDN.
Setting your objectives
Before beginning the migration process, organizations need to think about their reasons for choosing to go the SDN route and what they want to get out of it. Different organizations will have different reasons and goals for migrating their applications to SDN and will apply the concept in different ways. They may be looking to centralize their network management, improve security or simply reduce costs. The objectives of the deployment will determine the technical process, so successful planning, identification of goals and analysis of how the migration could impact business continuity are crucial to the success of a migration.
Discovering application connectivity
A crucial aspect of this pre-migration planning phase is discovering and mapping the connectivity flows of your business applications. This process is imperative because you need to know the existing flows in order to make the necessary changes to them when you migrate to SDN. Unfortunately, the complexity of modern networks makes this a very challenging task. Disciplined organizations that maintain accurate, up-to-date, machine-readable records of the traffic flows that support each business application can quickly start the migration process by importing their documentation. More often than not, the application discovery stage will combine all available data sources: importing data from CMDB or home-grown repositories, machine-assisted discovery from traditional firewall policies, and intelligent traffic-based application connectivity flow discovery.
The migration process
Once you have planned your migration process and successfully discovered the traffic flows for the applications you wish to migrate, you are ready to move them to a software-defined network. However, this is not something you can do overnight. The work involved in application migrations can vary depending on the size and complexity of the network, and on what the organization is looking to get out of the project, so it is advisable to take a gradual, step-by-step approach. You will not be able to migrate all your applications at once, so be prepared for a stepwise, ongoing migration process. This will usually include the following stages:
- Allocating IP addresses and assigning the server workloads onto the new addresses;
- Reconfiguring the application software to use the new IP addresses;
- Writing new policies to allow the application’s discovered traffic;
- Deploying and validating the policy;
- Testing the application’s functionality;
- Moving the application to production;
- Decommissioning the legacy version of the application connectivity.
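The address-mapping, policy-writing and validation stages above can be sketched as follows. This is an added example, not code from the article or from any vendor product; the addresses, segment names and rule format are constructed for illustration and do not follow any specific SDN platform's syntax.

```python
from collections import defaultdict
from itertools import product

# Constructed sample data. Flows are (src, dst, proto, port) on legacy addresses.
DISCOVERED = [
    ("10.1.1.10", "10.1.2.20", "tcp", 8443),  # web1 -> app1
    ("10.1.1.11", "10.1.2.21", "tcp", 8443),  # web2 -> app2
    ("10.1.2.20", "10.1.3.30", "tcp", 5432),  # app1 -> db
    ("10.1.2.21", "10.9.9.9", "udp", 53),     # app2 -> shared DNS, not migrated
]
# Constructed mapping: legacy address -> (new SDN address, segment name).
IP_MAP = {
    "10.1.1.10": ("172.16.10.10", "web"), "10.1.1.11": ("172.16.10.11", "web"),
    "10.1.2.20": ("172.16.20.20", "app"), "10.1.2.21": ("172.16.20.21", "app"),
    "10.1.3.30": ("172.16.30.30", "db"),
}

def translate(flows, ip_map):
    """Rewrite each flow onto the new addresses; unmapped hosts keep theirs."""
    return [(ip_map.get(s, (s,))[0], ip_map.get(d, (d,))[0], proto, port)
            for s, d, proto, port in flows]

def build_policy(flows, ip_map):
    """One allow rule per (source segment, destination segment, service)."""
    segment = {addr: name for addr, name in ip_map.values()}
    groups = defaultdict(lambda: (set(), set()))
    for s, d, proto, port in flows:
        key = (segment.get(s, "external"), segment.get(d, "external"), proto, port)
        groups[key][0].add(s)
        groups[key][1].add(d)
    return [{"name": f"{a}-to-{b}-{proto}-{port}", "src": srcs, "dst": dsts,
             "proto": proto, "port": port}
            for (a, b, proto, port), (srcs, dsts) in sorted(groups.items())]

def permitted(policy, flow):
    """Default deny: a flow passes only if some rule matches it exactly."""
    s, d, proto, port = flow
    return any(s in r["src"] and d in r["dst"]
               and (proto, port) == (r["proto"], r["port"]) for r in policy)

def validate(policy, flows):
    """Return (discovered flows the policy blocks, flows it allows beyond discovery)."""
    blocked = [f for f in flows if not permitted(policy, f)]
    allowed = {(s, d, r["proto"], r["port"])
               for r in policy for s, d in product(r["src"], r["dst"])}
    return blocked, sorted(allowed - set(flows))

NEW_FLOWS = translate(DISCOVERED, IP_MAP)
POLICY = build_policy(NEW_FLOWS, IP_MAP)
BLOCKED, EXTRA = validate(POLICY, NEW_FLOWS)
```

`BLOCKED` is empty, so the application should keep working, while `EXTRA` lists the two web-to-app pairs that grouping by segment permits although they were never observed. Whether to accept that widening or split the rule is a decision to make before deployment.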
Managing the network
Once you have completed the migration of your applications to the software-defined network, your IT department should be prepared for ongoing security policy management. They will need access to change tracking and audit, risk and compliance reporting, and must be able to modify the new network policies in accordance with changes to business applications. The best way to manage this is with a holistic, automated change-request system that supports both the software-defined network firewalls and security controls and the traditional firewall estate. Migrating to SDN is also a good opportunity to reduce clutter and improve your policy efficiency. You should only convert actively used rules to the new network – in fact, a good migration solution will automatically flag redundant firewall rules for you.
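One way to separate actively used rules from redundant or unused ones before conversion, as an added example rather than the article's or any product's own logic. It assumes a constructed allow-only legacy rule base evaluated top-down with first match wins, and a constructed set of observed flows.

```python
import ipaddress

# Constructed legacy allow rules, evaluated top-down (first match wins).
# Each rule: (name, source CIDR, destination CIDR, protocol, port).
LEGACY_RULES = [
    ("r1", "10.1.1.0/24", "10.1.2.0/24", "tcp", 8443),
    ("r2", "10.1.1.10/32", "10.1.2.20/32", "tcp", 8443),  # subset of r1
    ("r3", "10.1.2.0/24", "10.1.3.30/32", "tcp", 5432),
    ("r4", "10.1.4.0/24", "10.1.3.30/32", "tcp", 5432),   # nothing uses it
]
# Constructed flows seen during the discovery window: (src, dst, proto, port).
OBSERVED = [
    ("10.1.1.10", "10.1.2.20", "tcp", 8443),
    ("10.1.1.11", "10.1.2.21", "tcp", 8443),
    ("10.1.2.20", "10.1.3.30", "tcp", 5432),
]

def matches(rule, flow):
    """True if the flow falls inside the rule's source, destination and service."""
    _, src, dst, proto, port = rule
    s, d, f_proto, f_port = flow
    return (ipaddress.ip_address(s) in ipaddress.ip_network(src)
            and ipaddress.ip_address(d) in ipaddress.ip_network(dst)
            and (proto, port) == (f_proto, f_port))

def covers(earlier, later):
    """True if every flow the later rule matches is already matched by the earlier one."""
    _, e_src, e_dst, e_proto, e_port = earlier
    _, l_src, l_dst, l_proto, l_port = later
    net = ipaddress.ip_network
    return (net(l_src).subnet_of(net(e_src)) and net(l_dst).subnet_of(net(e_dst))
            and (e_proto, e_port) == (l_proto, l_port))

def classify(rules, flows):
    """Label each legacy rule: migrate, redundant (covered), or unused."""
    hits = {next((r[0] for r in rules if matches(r, f)), None) for f in flows}
    report = {}
    for i, rule in enumerate(rules):
        cover = next((p[0] for p in rules[:i] if covers(p, rule)), None)
        if cover:
            report[rule[0]] = f"redundant: covered by {cover}"
        elif rule[0] in hits:
            report[rule[0]] = "migrate"
        else:
            report[rule[0]] = "unused: no observed traffic"
    return report

REPORT = classify(LEGACY_RULES, OBSERVED)
```

A rule labelled unused only means no traffic hit it during the observation window, so infrequent jobs such as month-end batch runs need a window long enough to capture them before the rule is dropped.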
Overall, an SDN migration project will require a strong, repeatable process to ensure success. Don’t believe any vendor that promises a ‘silver bullet’ solution that automatically converts everything for you at the click of a button. And while automation is crucial for the success of the project, there is no way around the fact that you will still need to discover, model, migrate, and test business applications in digestible chunks. However, with proper planning, testing and management, organizations can quickly and smoothly migrate their applications, and reap the performance and scalability benefits of software-defined networking.
Professor Avishai Wool, CTO of AlgoSec.