As enterprises transition from traditional dedicated server deployments to virtualized environments that leverage
public cloud, private cloud and hybrid cloud services, the cloud computing networks they are building must provide security and segregation of sensitive data and applications. Network architects may find a solution in building a multi-tenant network.
Multi-tenant networks, in a nutshell, are data center networks that are broken up and logically divided into smaller, isolated networks. Like tenants in an apartment complex, multi-tenant networks... share the physical networking gear but operate on their own network without any visibility into the other logical networks. While the capability to separate networks into logical units has been available for some time through the use of VLANs, virtualized data centers and cloud computing concepts have brought multi-tenancy back to the attention of network administrators.
Whether defined by the business processes of the organization or federal regulatory requirements, the need to isolate and control parts of the network does not change when moving to the cloud. Taking the multi-tenant network approach that public cloud providers use can ensure that local data is secure and may even help evolve the IT organization into one focused on services and offerings, rather than simply bits and bytes.
The need for a multi-tenant network
The need for isolation within public cloud offerings is clear: Customers pay for the amount of bandwidth and capacity they receive and trust that the vendor will not expose their information to any other customer. The first cloud computing applications were delivered as software as a service (SaaS) and segregated user data programmatically by user accounts or separate databases. However, as cloud-based solutions have moved up the stack to include both platform as a service (PaaS) and now infrastructure as a service (IaaS) , segregation is required not only in data sets but on network components themselves.
The role of multi-tenant networks in the private cloud is not as obvious but is equally important. Enterprises often have specific regulatory or business requirements, such as HIPAA or PCI compliance, which demand that a given application or service be isolated. Along with the security aspects of multi-tenancy networks, breaking the data center network by application and service could be the springboard to evolve the IT organization from an operations mode into essentially an internal vendor, providing applications and services to business units in much the same vein as public cloud service providers. As with service providers, building a private cloud infrastructure would enable enterprise applications to be delivered to business units as a service, with clearly defined service-level agreements and bill-back procedures. Multi-tenant networks support this effort by allowing specific quality of service and security policies to be set for each "customer" of IT services.
Multi-tenant network strategies
There are a couple of common approaches to isolating network traffic. Arguably the simplest is to isolate the application servers on their own physical network. While this approach may have worked for single applications on dedicated servers, in the age of server virtualization and public or private cloud computing, limiting access based on physical ports is no longer practical.
Another approach is to define virtual switches (vSwitches) such as Cisco's Nexus 1000v or the open source Open vSwitch for each application. As with physical switches, vSwitches can put all relevant virtual machines together on one logical switch. The advantage of this approach is that like the virtual machines themselves, vSwitches could move within the cloud environment. The downside, however, is the impact on performance that a virtual switch has compared with a physical switch that runs on dedicated hardware. The vSwitch operates and runs in the same virtual environment as the virtual application servers, so instead of the servers pushing packets to a dedicated piece of networking hardware, packets go through to another virtual machine instance, requiring additional processing and overhead on the host server.
A third option is configuring virtual local area networks (VLANs) and creating separate networks for each of the applications in the cloud deployment. By defining VLANs on physical switches or enabling 802.1Q VLAN tagging on virtual switches, the network administrator can isolate traffic between any mix of physical and virtual machines. The only limiting factor on the VLANs is the maximum number of configurable VLANs available on either the physical switches or virtual switches within the data center. Largely dependent on the networking gear used in the data center, this number is usually fairly large, with thousands available, but as the needs of both private cloud services and other network services such as wireless LANs and UC solutions continue to grow, VLAN management could become a significant task.
Depending on the data center environment, any of these methods or a mix of them will achieve the stated goal of creating a multi-tenant network to support private cloud deployments. The network is ultimately still just pushing packets, however, with very little context for the applications and data that is passing through. The rise of cloud computing concepts and the issues with multi-tenancy only serve to dispel the notion held by many that data center network switches only have to enable "big, dumb pipes," providing high performance and bandwidth without concern for the traffic itself. As data centers become more focused on applications and service, the network switches and gear that reside within those data centers must become focused on more than pushing packets around. Lori MacVittie, senior technical marketing manager, social media lead, for F5 Networks, sums it up this way:
"In order to truly support multi-tenant private clouds, much of the network infrastructure will have to become very application aware. Each application deployed has its network performance and security requirements, putting the onus on the network to interoperate with those policies."
For the network to be application aware, it must rely on knowing where a particular packet is coming from and going to, and it must understand the characteristics and requirements of the application that is pushing that packet. The application would ultimately dictate the latency and bandwidth requirements, for example, and an application-aware network could then dynamically adjust itself to meet those demands. In an application-aware network, the private cloud and all of the applications would become the tenants on the network, receiving the appropriate isolation and security based on each application's specific requirements.
Networking vendors of all stripes are attempting to stake a claim in the private cloud space. Application delivery network vendors, citing their breadth and depth of knowledge of how applications work, are offering virtual appliances and enabling their services, such as load balancing, compression and security. Network switch vendors are making their gear more application aware and looking into solutions such as building virtual switches within their physical switch gear. Even VMware is planning to announce a virtual chassis -- or a dedicated hypervisor for networking services -- enabling any number of traditional networking appliances to be migrated into the vSphere platform. The result of all of these efforts is likely to be a data center network that will be agile enough to support a mix of private and public cloud services, with the performance and security requirements that each application demands.