Layer 4-7 network services remain a technical and operational headache for enterprises looking to adopt Infrastructure as a Service (IaaS). The inability to replicate Layer 4-7 services from private data centers into a public cloud environment has kept many enterprises from migrating applications that require complex load balancing, acceleration and security.
"I don't feel that sticking your servers out there and saying, 'OK, you've got cloud now,' is the way to go," said Tom Hollingsworth, a senior network engineer with United Systems, an Oklahoma City-based value-added reseller (VAR). "I want to replicate [in the cloud with] as much functionality [customers] have for load balancers, firewalls and things like that."
Layer 4-7 cloud networking services: Don't reinvent the wheel
Many IaaS providers sell Layer 4-7 cloud networking services (firewalls, load balancers, application accelerators) to customers, but these services tend to be monolithic, feature-limited and in some cases proprietary. An enterprise that has deployed a complex application internally and tuned to run on an F5 BIG-IP application delivery controller (ADC), for instance, will struggle to migrate that application to an IaaS provider that offers its customers a homegrown ADC, or a share of a managed ADC appliance from an F5 competitor like Radware or Citrix.
"From an end-user perspective, if I'm going to do some work on my data center and it looks a certain way, I would like it to look that way if my data center moves [into the cloud]," Hollingsworth said.
Hollingsworth described a hypothetical situation in which an enterprise has a mail server tuned to a specific in-house load balancer and then wants to move that mail server to an IaaS provider that offers fundamentally different load balancing capabilities. Recreating those Layer 4-7 services in the cloud is complex and time-consuming, and the result is difficult to manage once it is up and running.
Once a customer has to spend too much time trying to figure out features in the public cloud, "efficiencies in the cloud go into the toilet," he said.
With the growth of virtual ADCs and WAN optimization controllers, enterprises theoretically have the ability to mirror their Layer 4-7 services in a provider's cloud. However, IaaS providers aren't always willing to give that level of service to customers.
"In order to do it, [providers] have to replicate major vendor capabilities," said Eric Hanselman, research director for networks at the 451 Group. "They have to create services similar to a [Citrix] NetScaler or F5 in their environments, and for them that's just not scalable. Now there are providers like Rackspace from whom you can get F5 capabilities in a managed environment. That's a nice stepping stone, but you still have to keep an eye open for management integration [between the managed environment and the IaaS environment]."
Amazon EC2 adds Layer 4-7 cloud networking flexibility
Amazon Web Services recently increased the maximum number of IP addresses a customer can assign to each Elastic Compute Cloud (EC2) instance from two to 240 addresses. Amazon said this new feature will enable the construction of virtual Layer 4-7 network services.
Application delivery controllers in particular require multiple IP addresses to function. A single ADC, whether physical or virtual, will serve multiple applications, each requiring its own IP address. Without access to multiple IP addresses in an EC2 instance, enterprises cannot deploy a software-based Layer 4-7 appliance into Amazon's cloud.
"While enterprises have been able to move applications from their data centers into Amazon, they have not been able to move the networking services optimizing those applications into Amazon's infrastructure as well," said Greg Smith, senior director of product marketing for Citrix Systems Inc. "They've either had to leave them behind or use Amazon's native infrastructure to do it, and they have not been able to benefit from the optimizations living within their own infrastructure."
Citrix will use these changes to make its NetScaler ADCs available to customers who want to replicate the appliances from their private data centers to the EC2 cloud.
The feature will be essential for setting up multiple SSL instances in a virtual private cloud, which Hollingsworth believes will be an entry way for some cloud holdouts.
"What if I need to have an SSL certificate stood up for a mail server and a whole bunch of other things I want to move into the cloud?" he said. "If I'm limited in what my SSL capabilities are [in the cloud], I'm going to say, 'Too bad, I don't need the cloud.'"
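As an added illustration (not from the article, nor from Citrix, F5 or Amazon), the configuration sketch below shows why a single virtual ADC consumes one address per application and why multiple SSL instances need multiple IPs: an HAProxy instance fronting three applications, each with its own virtual IP (VIP) bound to a distinct secondary private address on the EC2 instance's network interface and terminating TLS with its own certificate. The addresses, hostnames, certificate paths and backend servers are constructed placeholders.

```haproxy
# Constructed example: one virtual ADC fronting three applications.
# Each frontend binds to a separate secondary private IP that has been
# added to the instance's network interface (addresses are placeholders).
global
    log /dev/log local0
    ssl-default-bind-options no-sslv3

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Mail web front end: VIP 10.0.1.11, its own certificate
frontend vip_mail
    bind 10.0.1.11:443 ssl crt /etc/haproxy/certs/mail.example.com.pem
    default_backend be_mail

# Intranet portal: VIP 10.0.1.12, its own certificate
frontend vip_portal
    bind 10.0.1.12:443 ssl crt /etc/haproxy/certs/portal.example.com.pem
    default_backend be_portal

# VDI gateway: VIP 10.0.1.13, its own certificate
frontend vip_vdi
    bind 10.0.1.13:443 ssl crt /etc/haproxy/certs/vdi.example.com.pem
    default_backend be_vdi

# Backend pools (placeholder servers); health checks mark failed nodes down
backend be_mail
    server mail1 10.0.2.21:8080 check
    server mail2 10.0.2.22:8080 check

backend be_portal
    server portal1 10.0.2.31:8080 check

backend be_vdi
    server vdi1 10.0.2.41:8080 check
```

With the old two-address ceiling, the three services would have had to share one VIP and be told apart by port or SNI, which is the situation the article's quotes describe as a reason to leave such services behind. Each additional application the appliance fronts costs one more secondary IP, which is what makes the higher per-instance limit matter.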
Flexible Layer 4-7 cloud networking: Freedom, less complexity
Uniformity of Layer 4-7 services between a private data center and an IaaS provider can reduce complexity and redundancy for an enterprise, according to Andre Kindness, senior analyst with Cambridge, Mass.-based Forrester Research Inc. If an enterprise uses one vendor for ADCs in its data center, but has to rely on a proprietary load balancing service from its IaaS provider, then its network engineers need to develop two parallel skill sets.
"You have people doing redundant activities and you have a proliferation of a variety of products that increases complexity. The management overhead gets deeper," Kindness said.
This situation naturally leads to service provider lock-in. Many enterprises work with a single IaaS provider today. However, no two applications are exactly the same. An IT organization may find certain providers are better suited to serving certain applications. If the network engineering team needs to start Layer 4-7 cloud networking services from scratch with each IaaS provider, the overhead will overwhelm them.
If a networking team has experience with a particular WAN optimization vendor, those engineers will be a lot more effective if they can deploy the same WAN optimization technology across the private data center and however many cloud providers it engages with, Kindness said.
Layer 4-7 cloud networking services: More work to be done
IaaS providers aren't necessarily the bad guys here, and some experts still have reservations about virtual Layer 4-7 appliances.
"We're on the cusp of real virtualized network services, but we're not all the way there yet," Hanselman said. Many Layer 4-7 services, like VPN tunnel termination, are very computationally intensive, he said. "There is a general view that a lot of this stuff, in order to get reasonable performance, has to be done in hardware."
F5 Networks, the leading ADC vendor, still advocates a hardware-based ADC for complex, large-scale applications. "Then there are a lot of people who disagree with that," Hanselman added.
Startups like Embrane Inc. and LineRate Systems Inc. have introduced technologies that increase the scalability and performance of virtual Layer 4-7 network services. Vyatta Inc. and Zeus Technology (acquired by Riverbed) both offer Layer 4-7 virtual appliances. Many of these vendors can match high-end hardware-based alternatives in performance tests. The availability of multiple IP addresses in public cloud instances from providers like Amazon should boost the abilities of these vendors to serve enterprise customers across both public and private cloud computing environments.
"In the past, enterprises have had to use Vyatta instances in one-armed configurations in order to build your typical tiered architectures," Hanselman said. "Now that you can have multiple IP addresses with EC2 instances, you can start to build real network isolation. Vyatta is not specifically doing load balancing, but it's able to provide enterprise-class network services like VPN termination and sophisticated routing capabilities."
This uniformity of network services in IaaS will also enable enterprises to push new kinds of workloads into the public cloud, Citrix's Smith said. "We see people pushing their virtual desktop infrastructure into the cloud," he said. "That's a workload that NetScaler has well-defined optimizations for, so people can get VDI performance out of the cloud with the same response time they get from a traditional desktop."
Let us know what you think about the story; email: Shamus McGillicuddy, News Director.