Network Evolution

Building the infrastructure for the changing face of IT


Layer 4-7 network orchestration: Are we there yet?

Software-defined data centers and cloud are driving a need for Layer 4-7 network orchestration tools that can automate provisioning and lifecycle management.

Networks have developed a middle-child syndrome over the years.

Ever since the first server virtualization platforms allowed systems administrators to spin up or decommission virtual machines (VMs) within minutes, compute has been the data center's golden child, representing agility and efficiency in infrastructure. Server virtualization paved the way for cloud computing, putting more pressure on IT to be responsive to dynamic environments.

While virtualization soon seeped into other parts of IT like storage and desktops, the network was largely ignored. Although Layer 4-7 appliance vendors released virtualized versions of their products -- virtual firewalls, virtual load balancers, virtual WAN optimization controllers and so forth -- their primary focus was on reducing expenses, not improving agility. Networking as a whole remained frozen in hardware governed by static architectures, and most attempts to innovate focused on moving bits faster.

Software-defined networking (SDN) and network virtualization finally caught up, however, adding more flexibility and programmability to switching and routing. Now enterprises and service providers steeped in cloud and software-defined data centers are eager to see these platforms climb up the stack to tie in Layer 4-7. They're hungry for orchestration tools that can automate the deployment and management of those services with minimal human intervention.

"It's becoming close to table stakes," says Rick Drescher, managing director of technical services at Savills Studley, a commercial real estate advisory firm in New York that helps businesses lease data center space. "For companies that are really leveraging a software-defined data center, that level of orchestration on firewalls, virtual switches, virtual routers and virtual load balancers is becoming something that they absolutely have to have."

There's just one problem: The commercial products and open-source alternatives available today just scratch the surface in terms of bringing these capabilities to life.

"These cloud orchestration platforms are really good at taking Layer 4-7 services templates and applying them to virtual appliances to spin things up quickly," says Shamus McGillicuddy, a senior analyst at Enterprise Management Associates (EMA). "But they're not necessarily doing everything else you need to do in order to manage them, troubleshoot them, monitor them, make sure that each instance of your Layer 4-7 service is configured properly and so on."

A recent EMA survey asking IT pros about their greatest barriers to software-defined data centers found that "troubleshooting and monitoring across physical and virtual networking" was the third-biggest perceived challenge, while "integrating provisioning across physical and virtual networking" ranked fourth. Those are two areas where sophisticated orchestration tools can help out, McGillicuddy says.

Meanwhile, Cisco's recent acquisition of Embrane, which had been the most visible independent vendor in this space, signals that incumbent vendors are recognizing the importance of these capabilities.

"People aren't even necessarily aware of whether or not they need this. They're going to need it, but they don't know that yet," McGillicuddy says.

What does Layer 4-7 orchestration entail?

Like a conductor cueing the violins to come in a few beats after the trumpets, orchestration platforms automate and coordinate the steps necessary to provision, configure and manage IT services.

Orchestration has traditionally been associated with cloud servers. But in the world of Layer 4-7 services, the idea is that anytime a server admin does anything to an application -- launches it on a new VM, decommissions that VM, or moves the VM to a different server rack or another data center entirely -- an orchestration platform would dutifully follow up with all the necessary configuration changes in virtual appliances associated with it. Ideally, it would also integrate all of those appliances' management platforms to perform other housekeeping tasks like tracking licenses, monitoring availability and initiating troubleshooting.

Automated provisioning and lifecycle management may not sound especially revolutionary -- until you consider just how dynamic the modern data center is.

"In the world of private cloud, where everything is theoretically and serially moving around, you don't have these 4-to-7 appliances sitting in one spot anymore," says Andre Kindness, a principal analyst at Forrester Research.

Enterprise environments are getting more complex, either because they have become unwieldy or because a company is "growing like crazy with acquisitions," says Savills Studley's Drescher. He recently worked with a client that makes one acquisition per quarter, on average; almost 30% of its change-control processes are a direct result of those acquisitions. Orchestration tools would minimize some of the burden and risk that accompany these otherwise manual processes in highly virtualized environments.

"The amount of human error that's going to be introduced into a system like this continues to grow as the system gets more complicated," Drescher says. "So the more you can automate things like switching VLANs around or updating firewall changes dynamically, the more you're going to get out of your IT infrastructure and the less prone you're going to be to downtime."

And while much of the focus on Layer 4-7 orchestration has been around data centers, Kindness says, the wide area network (WAN) may stand to benefit the most. The move away from hub-and-spoke designs -- with fewer branch offices reaching back to the data center for all network services -- has created a need for distributed enterprises to simplify how Layer 4-7 services are deployed at branch sites.

"Instead of doing something like you see with airlines -- where you fly from one city to a hub and then you're forced to get on another flight -- what we're moving to [on the WAN] is much more like a freeway system where you get to choose from multiple paths," Kindness says. "But since you don't have one spot [acting as] your control center, your Layer 4 to Layer 7 services that were typically in the data center need to be dispersed everywhere."

It's an exciting prospect for Markus Voegele, a senior system and design engineer at Lufthansa Systems, a managed service provider and wholly owned subsidiary within Lufthansa Group that serves the German company's flagship airline along with more than 300 other airline customers.

Employees at one of Lufthansa's larger offices on Long Island, N.Y., have a video conference twice a month with their colleagues in Frankfurt. In a traditional network architecture, any policies and appliances used to optimize that traffic would have to be static -- meaning, once a policy is set, it's always on -- or would have to be manually reconfigured by Voegele and his team in Kelsterbach, Germany.

Hoping for a more efficient approach, Voegele is testing Cisco's Application Policy Infrastructure Controller Enterprise Module (APIC EM), which functions as a centralized controller for provisioning, configuring, monitoring and managing application-level network policies on enterprise campus and WAN networks. (Despite the shared name, APIC EM is a separate product from the APIC that controls Cisco's Application Centric Infrastructure, or ACI, data center fabric.) In addition to supporting Cisco's built-in Intelligent WAN and network monitoring applications, the controller also integrates with Citrix's NetScaler load balancer.

Voegele would like to use APIC EM to give the local IT administrator in the Long Island office on-demand, but limited, control over the network connection during video conferencing sessions in order to optimize that traffic.

"I do not often say the word 'awesome,' but if this turns out to work as designed by Cisco, this will be awesome," he says.

Other drivers: Clouds and consumers

The need to orchestrate Layer 4-7 services is becoming increasingly vital for enterprises that rely heavily on the cloud. That's because many are eager to take advantage of the ongoing price wars among cloud providers and migrate their workloads to the lowest bidder, Drescher says.

Additionally, factors like the cost of electricity can drive a private cloud migration. The Pacific Northwest is home to a lot of renewable energy, with rates as low as 3 cents per kilowatt-hour, Drescher explains. Compare that to New York City, where 17 cents per kilowatt-hour is considered a good deal, he says.

"If you only need your data center to be near your users [in New York] during the peak of the day -- because that's when latency matters -- and if you can shift it over to someplace cheaper at night, that could save a customer a few hundred thousand dollars on electricity bills over the course of the year," Drescher says. "Orchestration is super important to make sure that works … [because] the complexity of doing it manually is not something that many places have the appetite for."

The push for more dynamic, automated networks is also driven by the consumer market as companies try to react to customer demands in real time, Kindness says. Global supermarket chain Tesco has hyper-personalized the experience at some gas stations the company operates. While customers fill their tanks, a small device uses facial recognition software to deduce their age and gender; a nearby monitor then plays specific advertisements for that demographic, Kindness says.

Similarly, a retailer in Asia uses sensors to identify clothing items customers bring into a dressing room and then adjusts the music played while they try on the clothes, he says. Preppy clothes, for example, may trigger pop music while hip-hop fashion may initiate rap music.

These specific companies aren't using SDN or network virtualization, but they're "looking to do something because the current resources are strapped," Kindness says.

"Businesses are pushing services and responsibilities closer to the customer. As such, networking's Layer 4 through 7 services are getting dispersed in either an appliance, software or service form at the remote location," he adds. "Everything isn't being done at the same time, so the business needs SDN to spin up and down services and find the best resources based on what's occurring at the remote site."

Figuring out the best approach

Like much of SDN and network virtualization, vendors' approaches to Layer 4-7 orchestration are splintered.

At this point, the predominant model revolves around Cisco and VMware -- with their ACI and NSX architectures, respectively -- and the ecosystems they have built up with various Layer 4-7 vendors.

Last August, VMware announced a partnership with F5 that provides integration between NSX and F5's BIG-IQ orchestration platform. This followed a partnership VMware had struck with Palo Alto Networks in late 2013 that enabled NSX users to automatically provision Palo Alto's virtual firewalls in overlay networks.

Because services are mapped to a VM -- an identity -- and not to a physical location like an IP address, NSX can be configured to ensure any VMware-based or supported third-party services automatically queue up, turn off or move around according to real-time network conditions, says Chris King, vice president of product marketing at VMware.

"Wherever the infrastructure decides to put my workload, all the correct Layer 4-7 services follow it," King says.
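The follow-the-workload model King describes, and the provisioning and decommissioning follow-up described earlier under "What does Layer 4-7 orchestration entail?", both come down to one loop: derive the Layer 4-7 state a workload's identity requires, diff it against what the appliances currently hold, and apply only the difference. The following is an added example written for this page; it is not code from the article, Cisco, VMware or any vendor named here. The `Workload` and `Appliances` types, the `ROLE_POLICY` table, the VM names, IP addresses and event stream are all constructed stand-ins, and the firewall and load balancer are in-memory models rather than real device APIs.

```python
"""Added example (not code from the article, Cisco or VMware): a minimal
identity-keyed reconciliation loop for Layer 4-7 services. Every VM, IP,
role and event below is constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Workload:
    vm_id: str   # stable identity; survives moves between hosts and sites
    ip: str      # location; may change on migration
    role: str    # drives policy, e.g. "web" or "db"


# Policy is attached to the workload's role, never to an IP or a rack.
ROLE_POLICY = {
    "web": {"allow_ports": (443,), "lb_pool": "web-pool"},
    "db": {"allow_ports": (5432,), "lb_pool": None},
}


@dataclass
class Appliances:
    """Stand-in for a virtual firewall and load balancer (hypothetical)."""
    fw_rules: set = field(default_factory=set)    # (vm_id, ip, port) allow rules
    lb_members: set = field(default_factory=set)  # (pool, vm_id, ip)


def desired_state(inventory):
    """Derive the firewall rules and pool members the inventory requires."""
    fw, lb = set(), set()
    for w in inventory.values():
        policy = ROLE_POLICY.get(w.role)
        if policy is None:
            continue  # unknown role gets nothing; never a default allow
        for port in policy["allow_ports"]:
            fw.add((w.vm_id, w.ip, port))
        if policy["lb_pool"]:
            lb.add((policy["lb_pool"], w.vm_id, w.ip))
    return fw, lb


def reconcile(inventory, appl):
    """Apply the diff between desired and actual state. Idempotent:
    returns (added, removed), and a second call returns (0, 0)."""
    want_fw, want_lb = desired_state(inventory)
    add_fw, rm_fw = want_fw - appl.fw_rules, appl.fw_rules - want_fw
    add_lb, rm_lb = want_lb - appl.lb_members, appl.lb_members - want_lb
    appl.fw_rules = (appl.fw_rules | add_fw) - rm_fw
    appl.lb_members = (appl.lb_members | add_lb) - rm_lb
    return len(add_fw) + len(add_lb), len(rm_fw) + len(rm_lb)


def apply_event(inventory, event):
    """Update the inventory from a hypervisor/cloud lifecycle event."""
    kind = event["type"]
    if kind == "launch":
        inventory[event["vm_id"]] = Workload(event["vm_id"], event["ip"], event["role"])
    elif kind == "move":  # migration: same identity, new address
        inventory[event["vm_id"]].ip = event["ip"]
    elif kind == "decommission":
        inventory.pop(event["vm_id"], None)
    else:
        raise ValueError(f"unknown event type {kind!r}")


def orphaned(inventory, appl):
    """Audit check: appliance entries that reference no live workload.
    These are the stale allow rules that pile up when cleanup is manual."""
    live = set(inventory)
    fw = {r for r in appl.fw_rules if r[0] not in live}
    lb = {m for m in appl.lb_members if m[1] not in live}
    return fw, lb


def run(events):
    """Feed events through the loop; returns (inventory, appliances, log)."""
    inventory, appl, log = {}, Appliances(), []
    for ev in events:
        apply_event(inventory, ev)
        log.append(reconcile(inventory, appl))
    return inventory, appl, log


# Constructed event stream: launch, launch, migrate to another rack, retire.
EVENTS = [
    {"type": "launch", "vm_id": "web-01", "ip": "10.1.0.11", "role": "web"},
    {"type": "launch", "vm_id": "db-01", "ip": "10.1.0.21", "role": "db"},
    {"type": "move", "vm_id": "web-01", "ip": "10.2.0.11"},
    {"type": "decommission", "vm_id": "web-01"},
]

if __name__ == "__main__":
    inv, appl, log = run(EVENTS)
    print(log)                  # [(2, 0), (1, 0), (2, 2), (0, 2)]
    print(appl.fw_rules)        # only db-01's rule remains
    print(orphaned(inv, appl))  # (set(), set())
```

Two design points matter for security. Rules are keyed on the VM's identity and regenerated from role policy, so a migration replaces the old address-specific rule instead of leaving it behind, and a decommission removes every rule and pool entry the workload owned. The `orphaned` check is the control a practitioner would run on the real appliances: any allow rule or pool member that names a workload no longer in inventory is drift, and in a manual change process that drift is exactly the leftover access Drescher's human-error comment points at.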

Prior to Cisco's recent acquisition of Embrane, the two vendors entered a partnership in 2014 when Cisco added Embrane to its ACI ecosystem. It was a turning point for Embrane, which pivoted its strategy from providing a platform that orchestrated its own brand of Layer 4-7 services to facilitating Layer 4-7 orchestration and lifecycle management for third-party services like Citrix's NetScaler.

Some Layer 4-7 appliance vendors have tried to stake their own claim in this market. Last May, load-balancing vendor Kemp Technologies enabled administrators to insert Layer 4-7 services from any vendor through a single platform on a bare-metal server. Meanwhile, startups like Avi Networks, which came out of stealth mode last December, announced a controller that provisions, orchestrates and manages Layer 4-7 services.

In the world of open source, OpenStack's networking project Neutron has been working on APIs for load-balancing-as-a-service and firewall-as-a-service extensions.

Experts say enterprises will most likely align their orchestration plans with their main network virtualization vendor and their affiliated ecosystems, making it a Cisco-versus-VMware game. But industry watchers are skeptical of how successful the partnership model will be.

"That's a lot of wrangling that needs to go on there -- it's politics and money," Kindness says. "I'm not a big fan of partnerships because what happens after a while is that everybody tries to cater to everybody. It becomes a very complex, one-inch deep and mile-wide solution that doesn't work very well."

EMA's McGillicuddy also sees room for improvement. The current integrations focus on turning Layer 4-7 services on and off, but they gloss over everything in between, he says.

"That is just a service insertion point -- that is not a lifecycle management solution," McGillicuddy says.

This was last published in May 2015
