Many enterprises have adopted cloud computing and virtualization technologies to modernize their data centers. Compared to traditional data centers that depend on physical servers and hardware-based networks, enterprise cloud data centers face greater challenges in network security, VM isolation, and data transmission efficiency.
As the software-defined networking and security component of Arcfra Enterprise Cloud Platform (AECP), Arcfra Network Service (ANS) provides agile and effective network services tailored to the cloud environment, with distributed firewall, load balancer, and VPC networking capabilities.

For a quick overview of ANS, please check out this short video What is Arcfra Network Service.
Challenges for Network and Security in the Enterprise Cloud
As enterprises migrate their data centers from physical servers to an enterprise cloud platform, they may be disappointed to find that their existing network security strategies, designed for physical hosts and hardware-based network devices, fall short in the virtualization environment.
- Expanded service scope: An enterprise cloud consists of a large number of instances in various forms, such as VMs or containers, often spread across multiple sites. However, devices designed for physical networks (such as LB appliances) cannot efficiently manage data traffic in virtualization and containerization environments.
- Dynamic workload locations: In the enterprise cloud, virtual machines or containers run on different physical servers at different times, so the access paths within VM/container networks become increasingly complex and dynamic. This makes it difficult to protect the entire environment with traditional firewalls alone, or to rely on LB appliances to balance data traffic.
- Rapid object changes: Frequent operations on VMs and containers cause frequent changes in the number of objects and their attributes (e.g., IP addresses). Traditional network services that rely solely on IP addresses for identification can therefore become ineffective and entail a heavy burden in network configuration, modification, and management.
Therefore, in the cloud era, the centralized cloud management center should provide software-defined virtual cloud network management services with features including:
- Separate data plane and control plane to improve system stability and resilience.
- Use software-based virtualized network connections and services to reduce dependence on dedicated hardware and lower network design complexity.
- Base configurations on VMs or containers to simplify operations.
- Distribute traffic processing to eliminate performance bottlenecks.
- Introduce comprehensive cloud traffic analysis to enhance business awareness and quickly discover security risks.
ANS in AECP: A Three-in-One Network Solution for Enhanced Security and Optimized VM Performance
ANS provides software-defined network and security services for AECP, primarily through three key functions: distributed firewall, load balancer, and VPC networking.
Distributed firewall: micro-segmentation based on “Zero Trust” model

Unlike traditional north-south firewalls, ANS distributed firewall protects network security by focusing on the east-west traffic (i.e., data flows between VMs) in the virtualization environment. It implements a micro-segmented network model adhering to the zero trust principle and extends multiple distributed firewall policies to safeguard individual VMs from cybersecurity threats, thus offering a flexible, fine-grained, and robust security solution for a wide range of services.
Features
- Hybrid security policy: Support allowlist and blocklist policies simultaneously, enhancing flexibility and simplifying security management. In particular, allowlist-based security policies ensure that east-west access between virtual machines conforms to the “least privilege” principle.
- One-click isolation of suspected VMs: Isolate suspected and infected VMs with one click, and set dedicated access policies for them so that further operations, such as shutdown and recovery, can be carried out.
- VM labels and security groups: Tag virtual machines with “labels” and “security groups” to provide a clear view of security policies. VMs can be dynamically assigned to “security groups” based on labels or label combinations, simplifying security policies for non-contiguous IP addresses.
- Sticky policies: Security policies follow virtual machines automatically as they migrate across hosts and clusters, eliminating the need for manual reconfiguration. Security policies are enforced independently of the physical host, segment, and IP address of the virtual machine.
- Visualize VM traffic and the execution of security policies: By using Arcfra Network Service together with the network traffic visualization in Arcfra Operation Center, users can monitor the implementation of security policies and verify that their effect meets expectations.
Benefits
#1 Easy to use
- Support setting network security policies for virtual machine groups using labels, achieving unified management by integrating with the virtualization platform.
- No plugins are required inside virtual machines; service addresses are discovered automatically.
- Automatically apply security rules according to virtual machine labels.
- Automatically distribute security rules to every node in a cluster without manual maintenance.
- By ensuring policies move with VMs, administrators save significant time and reduce errors during VM migrations, particularly in multi-cluster environments.
#2 High scalability
- Implement the distributed firewall architecture, with policy enforcement and packet processing distributed across each server node, ensuring no performance bottlenecks while providing horizontal scalability.
- Achieve unified network security policy management across clusters and data centers via Arcfra Operation Center.
#3 High availability
- Multiple controller instances form a highly available cluster with no single point of failure.
- Control plane failures do not affect network data forwarding.
#4 Broad compatibility
- No physical network dependencies, supporting any network architecture.
- Supports hybrid deployments on various architecture platforms, including x86, ARM, and more.
Use cases
#1 Securing east-west traffic between services in data centers
Users can configure service labels, security groups, and security policies between different security groups on the management platform. Labels and security groups allow the automatic application of security rules, simplifying ingress and egress traffic control. Newly added VMs only need to be associated with the labels or security groups to automatically inherit application-specific security policies, with no need to create new ones.
#2 Abnormal VM quarantine
Users can use ANS to detect and isolate abnormal VMs in two modes.
- Strict quarantine: Completely isolate the abnormal VM from the system network, blocking all ingress and egress traffic. Even if the VM is attacked or breached, this policy prevents it from affecting other system operations.
- Diagnostic quarantine: Isolate the target VM while allowing it only to communicate with designated objects. Administrators can implement this policy to diagnose or test a specific VM.
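The label-driven security groups, allowlist-first hybrid policy, sticky policies and the two quarantine modes described above, as an added Python illustration (not Arcfra's code; every VM name, label, group, host and address is constructed for the example):

```python
"""Added example (not Arcfra's code): a toy evaluator for the label-based,
allowlist-first micro-segmentation and the two quarantine modes described
above. All VM names, labels, groups, hosts and addresses are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

@dataclass
class VM:
    name: str
    ip: str
    host: str
    labels: Set[str] = field(default_factory=set)

# A security group is a label combination: a VM belongs to every group whose
# labels it carries, so membership never depends on its IP address or host.
SECURITY_GROUPS = {
    "web": {"app:shop", "tier:web"},
    "db": {"app:shop", "tier:db"},
    "mgmt": {"role:ops"},
}
# Hybrid policy, rules as (src group, dst group, dst port): a flow must match
# an ALLOW rule and no BLOCK rule; anything unmatched is dropped.
ALLOW = [("web", "db", 3306), ("mgmt", "web", 22), ("mgmt", "db", 22)]
BLOCK = [("mgmt", "db", 22)]   # carve an exception out of the allowlist

# Quarantine: "strict" drops all traffic; "diagnostic" allows only designated peers.
QUARANTINE: Dict[str, Tuple[str, Set[str]]] = {}

def groups_of(vm: VM) -> Set[str]:
    return {g for g, needed in SECURITY_GROUPS.items() if needed <= vm.labels}

def quarantine(vm: VM, mode: str, peers: Optional[Set[str]] = None) -> None:
    QUARANTINE[vm.name] = (mode, set(peers or ()))

def release(vm: VM) -> None:
    QUARANTINE.pop(vm.name, None)

def migrate(vm: VM, host: str, ip: str) -> None:
    """Simulate a live migration: new host and address, same labels."""
    vm.host, vm.ip = host, ip

def _matches(rules, src_groups, dst_groups, port) -> bool:
    return any(s in src_groups and d in dst_groups and p == port
               for s, d, p in rules)

def allowed(src: VM, dst: VM, port: int) -> bool:
    """Decide whether src may open a connection to dst on the given port."""
    diagnostic_peer = False
    for vm, other in ((src, dst), (dst, src)):
        if vm.name in QUARANTINE:
            mode, peers = QUARANTINE[vm.name]
            if mode == "strict" or other.name not in peers:
                return False
            diagnostic_peer = True
    if diagnostic_peer:
        return True   # access designated by the administrator for diagnosis
    sg, dg = groups_of(src), groups_of(dst)
    if _matches(BLOCK, sg, dg, port):
        return False
    return _matches(ALLOW, sg, dg, port)

WEB = VM("shop-web-01", "10.0.1.10", "host-a", {"app:shop", "tier:web"})
DB = VM("shop-db-01", "10.0.2.10", "host-b", {"app:shop", "tier:db"})
OPS = VM("ops-01", "10.0.9.5", "host-c", {"role:ops"})
```

Because `allowed` consults only labels and quarantine state, migrating `WEB` to another host and address leaves every decision unchanged, which is the "sticky policy" property in miniature.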
#3 Dynamic demilitarized zone
Users can isolate and control individual services with flexible demilitarized zones created via micro-segmentation. With no dependence on dedicated hardware and resources, the software-defined demilitarized zones can be created on shared data center resources, meeting the access requirements of virtual demilitarized zones.
Network load balancer (LB): software-defined Layer 4 load balancing

ANS LB provides Layer 4 load-balancing services for applications running on VMs, containers, or physical servers. It can improve application performance and reliability by evenly distributing data traffic to multiple real servers based on predefined algorithms, using the IP address and port information in data packets. Leveraging active-active and active-standby mechanisms, it minimizes service downtime through smooth failover and protects applications with access control and QoS (bandwidth and connection limitations).
Features
- Rich load balancing algorithms: Provide a variety of load balancing algorithms catering to the diverse demands of multiple application scenarios, including round-robin, weighted round-robin, least connections, weighted least connections, source IP address hash, and destination IP address hash.
- Comprehensive and proactive health check: Periodically perform proactive health checks on the backend servers via TCP, HTTP, UDP, and ICMP protocols. Support configuring multiple health monitors for the same group of backend servers, enabling a thorough health assessment on server pools.
- Diverse address translation methods: Offer FullNAT and DNAT for flexible address translation choices. Different virtual services within the same cluster can use different address translation methods.
- Application traffic control and concurrent connection management: Allow for setting inbound and outbound traffic limits for virtual services, and regulating the number of concurrent connections between clients and virtual services at a time. This prevents any single virtual service or client from monopolizing excessive resources, ensuring a balanced resource allocation and mitigating the impact of DoS attacks on the system.
- Access control via allowlists and blocklists: Manage client IP addresses with allowlists and blocklists to enhance system security and robustness, safeguarding service resources from malicious requests and potential disruptions.
Benefits
#1 Software-defined
- Purely software-defined, which can support any underlying network architecture.
- No need to purchase, deploy, or maintain dedicated hardware.
- No need to adjust the switch, router, or security configurations in the physical network.
#2 Simple operations and maintenance
- The management and configuration for LB are integrated into the hyper-converged platform, simplifying the operations for administrators.
- Administrators can manage both the infrastructure and load balancer on the Arcfra Operation Center graphical interface.
- Real-time status and performance metrics of all virtual services and server pools are available on Arcfra Operation Center.
#3 Flexible adaptation
- Provides load balancing services for applications running in different locations and forms.
- Supports easy associations with different virtual networks, simplifying network forwarding paths, increasing management efficiency, and reducing forwarding latency.
#4 High availability & efficiency
- Achieve high availability and efficiency through active-active and active-standby mechanisms, avoiding single points of failure while improving service quality.
- Different virtual services are automatically distributed across different load-balancing instances, each consisting of different load-balancing VMs, fully utilizing all load-balancing VM resources.
Use cases
#1 Balancing data traffic and resources across multiple application instances
ANS LB is mainly responsible for network traffic distribution and ensuring that no single server or application instance is overloaded. This is crucial for applications that handle numerous concurrent requests. By distributing data traffic across multiple servers or instances, ANS LB enhances overall processing capacity and reduces response times. Additionally, it dynamically adjusts traffic distribution based on each instance’s existing load and resource utilization to further optimize performance.
#2 High availability and rapid failover for applications
ANS LB continuously monitors the health of real servers and application instances. If an instance fails or experiences performance degradation, the load balancer quickly redirects traffic to other healthy instances, maintaining application availability. This rapid failover capability is critical for mission-critical business applications that need to run 24/7.
#3 Applications’ coexistence and migration across heterogeneous IT infrastructure
Many users are migrating applications from physical servers to virtualization or Kubernetes. In this scenario, ANS LB plays an important role as it enables the coexistence and smooth migration of applications between different environments.
For example, ANS LB can simultaneously distribute traffic for one application to both physical servers and VMs, allowing them to run in parallel. Then, by gradually adjusting the traffic distribution weights, all workloads can be migrated to VMs without service interruption. During this process, LB dynamically adapts traffic allocation based on the performance and health status of each instance, ensuring optimal service quality. This applies both to migration from physical servers to virtualization/containers and to migration between different virtualization environments, for instance, migrating applications from vSphere VMs to other virtualization platforms.
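The LB features listed above (scheduling algorithms, multi-monitor health checks, per-client concurrent connection limits and client blocklists) together with the weight-based migration just described, as one added Python illustration (not Arcfra's code; backends, weights, monitor results and client addresses are constructed):

```python
"""Added example (not Arcfra's code): a toy Layer 4 scheduler showing weighted
round-robin, least connections, source-IP hash, multi-monitor health checks,
per-client connection limits, client blocklists, and weight shifting for a
physical-to-VM migration. All backends, weights and addresses are constructed."""
from collections import Counter
from dataclasses import dataclass, field
from zlib import crc32

@dataclass
class Backend:
    name: str
    weight: int
    monitors: dict = field(default_factory=dict)  # monitor name -> last result
    active: int = 0   # connections currently open to this server

    @property
    def healthy(self) -> bool:
        # eligible only when every configured health monitor (tcp, http, ...) passes
        return all(self.monitors.values())

class VirtualService:
    def __init__(self, backends, algorithm="wrr", max_conn_per_client=3):
        self.backends = backends
        self.algorithm = algorithm
        self.max_conn_per_client = max_conn_per_client
        self.per_client = Counter()
        self.blocklist = set()
        self._cursor = 0   # weighted round-robin position

    def pick(self, client_ip):
        """Choose the backend for a new connection, or None if it is refused."""
        if client_ip in self.blocklist:
            return None
        if self.per_client[client_ip] >= self.max_conn_per_client:
            return None   # concurrency cap: one client cannot exhaust the pool
        # weight 0 drains a server (used during migration) without marking it down
        pool = [b for b in self.backends if b.healthy and b.weight > 0]
        if not pool:
            return None
        if self.algorithm == "least_conn":
            chosen = min(pool, key=lambda b: b.active / b.weight)
        elif self.algorithm == "src_hash":
            chosen = pool[crc32(client_ip.encode()) % len(pool)]
        else:   # weighted round-robin over a ring expanded by weight
            ring = [b for b in pool for _ in range(b.weight)]
            chosen = ring[self._cursor % len(ring)]
            self._cursor += 1
        chosen.active += 1
        self.per_client[client_ip] += 1
        return chosen

    def close(self, client_ip, backend):
        backend.active -= 1
        self.per_client[client_ip] -= 1

def distribute(vs, n, client_ip="198.51.100.7"):
    """Open and immediately close n connections; count hits per backend."""
    hits = Counter()
    for _ in range(n):
        b = vs.pick(client_ip)
        if b is not None:
            hits[b.name] += 1
            vs.close(client_ip, b)
    return hits
```

Setting a physical server's weight to 0 drains it gracefully, while a failed health monitor removes a server from rotation regardless of its weight.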
VPC networking: GENEVE-based overlay virtualized network

Typically, users employ VLANs to isolate VMs within the Layer 2 (L2) virtual network. However, VLAN-based virtual distributed switches are still part of the underlying network (Underlay), which limits their ability to provide application-oriented network isolation, flexibility, and robust support for IT infrastructure high availability.
ANS VPC networking is a virtualized network product that provides secure and isolated network space for VMs in AECP clusters. Building on the GENEVE protocol, an advanced version of VXLAN, VPC networking is fully decoupled from the underlying physical network. It enables secure interconnections inside and outside the virtual network through virtualized network functions (VNFs), allowing users to quickly and flexibly deploy unified enterprise cloud networks across multiple data centers.
Features
- Customized logically isolated space: Enable customizing logically isolated VPCs, allowing you to create dedicated VPC resources, manage subnets, allocate IP addresses, and autonomously control network traffic with gateway services and security services.
- Multiple gateway services: Support configuring floating IP gateways, NAT gateways, Layer 3 routing gateways, Layer 2 bridging gateways, etc., enabling flexible interconnection between virtual machines and external networks to meet the requirements of different applications.
- Well-defined traffic planning: Support configuring routing tables and routing rules for VPC subnets to route traffic heading for destination addresses to specified next-hop gateway services, allowing you to manage VPC traffic models with convenience and ease.
- Reliable network security protection: Support setting distributed firewalls for VPCs, which offers service-aware security policies based on security groups, allowlisting mechanisms that secure east-west traffic between virtual machines, and one-click quarantine of infected VMs.
- Open cloud network collaboration mode: Seamlessly connect with various cloud platforms through open APIs, providing enterprises with automated and flexible network configuration options to better support agile cloud applications.
Benefits
#1 Broad compatibility
- Enable VPC creation on standard servers and generic network devices, reducing hardware dependency and lowering network setup, maintenance, and modification costs.
- Based on the GENEVE protocol (considered an enhanced version of VXLAN), overlay virtualization technology achieves isolation and decoupling between virtual private cloud networks and the underlying physical network.
#2 Rapid network deployment
- Support small-scale deployment with just one cluster, enabling quick adoption of the VPC feature.
- Simply associate the cluster with the virtual private cloud (VPC) network to utilize pre-existing virtual distributed switches on the cluster, seamlessly and quickly integrating it into the VPC network.
- Network operation personnel only need to manage communication between Overlay and Underlay. Layer 3 routing, address translation, Layer 2 bridging, and similar functions are integrated into the VPC gateway VMs, allowing users to configure them independently and flexibly.
#3 Business security
- Network isolation and security protection: VPCs are naturally isolated from one another. Within a VPC, VM traffic is controlled at a fine-grained level via security groups, policies, and isolation strategies.
- Cross-site high availability: VMs in VPC networks can relocate quickly without changing IP addresses or network configurations, ensuring seamless business continuity and high availability across multiple sites.
#4 Cloud network unified management
- Manage, configure, monitor, and operate virtual machines and virtual networks seamlessly through Arcfra Operation Center.
- Seamlessly integrate with various cloud platforms via open APIs, offering automated and flexible network configuration options to better support agile cloud applications.
- Arcfra plans to introduce a cloud management platform, supporting multi-tenant resource allocation and autonomous management of cloud hosts and networks for each tenant.
Use cases
#1 Application security guarantee: application-based network isolation
To reduce potential security threats, users need to achieve isolation between different applications or tenants in the cloud while ensuring smooth business access and the solution’s flexibility, agility, and cost-efficiency.
For example, a company has two software development teams, with Team A responsible for developing an online shopping platform and Team B responsible for developing an enterprise resource planning system. In this case, an independent VPC can be created for each development team to deploy the VMs, databases, and other resources needed for their respective projects. The network between these two VPCs is not connected, so Team A members cannot access any resources within Team B’s VPC, and vice versa. In this way, it forms a business-centric isolation of full-stack resources.
In terms of O&M, VPC significantly simplifies VLAN and IP address planning. Traditionally, users need to allocate VLANs and IP address ranges separately for each development team and perform complex configurations. With VPCs, however, each VPC functions as an independent network that can use overlapping IP address ranges, eliminating the need to assign VLANs. In addition, each VPC’s network configuration and management can be handled by its owner, which greatly reduces the complexity of network management and improves O&M efficiency. A VPC can also divide its network into smaller subnets, with each subnet and VM/VM group acting as an independent security zone where users can implement fine-grained security policies.
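How a GENEVE-based overlay keeps two VPCs with overlapping address ranges apart, as an added Python illustration (not Arcfra's code): the base header follows RFC 8926, while the VNIs, hosts, addresses and the text stand-in for the inner Ethernet frame are constructed for the example.

```python
"""Added example (not Arcfra's code): GENEVE (RFC 8926) base-header
encapsulation plus a tiny per-VNI forwarding table, showing how two VPCs can
reuse the same subnet on a shared underlay. VNIs, addresses, host names and
the text stand-in for the inner frame are all constructed."""
import struct

GENEVE_UDP_PORT = 6081            # IANA-assigned destination port for GENEVE
PROTO_TRANS_ETHER = 0x6558        # protocol type: encapsulated Ethernet frame

def geneve_encap(vni: int, inner_frame: bytes, options: bytes = b"") -> bytes:
    """Build Ver(2) OptLen(6) O(1) C(1) Rsvd(6) | ProtocolType(16) |
    VNI(24) Rsvd(8) | options, then append the inner frame."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    if len(options) % 4:
        raise ValueError("GENEVE options are padded to 4-byte words")
    opt_len = len(options) // 4
    critical = 1 if options else 0    # constructed: mark any option critical
    word0 = (0 << 14) | (opt_len << 8) | (0 << 7) | (critical << 6)
    header = struct.pack("!HHI", word0, PROTO_TRANS_ETHER, vni << 8)
    return header + options + inner_frame

def geneve_decap(packet: bytes) -> dict:
    """Validate and parse the header; return vni, flags, options, inner frame."""
    if len(packet) < 8:
        raise ValueError("truncated GENEVE header")
    word0, proto, vni_word = struct.unpack("!HHI", packet[:8])
    if word0 >> 14 != 0:
        raise ValueError("unsupported GENEVE version")
    opt_len = (word0 >> 8) & 0x3F
    end = 8 + 4 * opt_len
    if len(packet) < end:
        raise ValueError("options run past end of packet")
    return {
        "vni": vni_word >> 8,
        "oam": bool(word0 & 0x80),
        "critical": bool(word0 & 0x40),
        "proto": proto,
        "options": packet[8:end],
        "inner": packet[end:],
    }

# Constructed overlay: VPC "shop" and VPC "erp" both use 10.0.0.0/24. A VM is
# identified by (VNI, inner address), so identical inner addresses in
# different VPCs map to different VTEPs and never collide on the underlay.
VNI_SHOP, VNI_ERP = 0x1001, 0x1002
FORWARDING = {                    # (vni, inner dst ip) -> underlay host (VTEP)
    (VNI_SHOP, "10.0.0.10"): "host-a",
    (VNI_SHOP, "10.0.0.20"): "host-b",
    (VNI_ERP, "10.0.0.10"): "host-c",
}

def forward(packet: bytes):
    """Decapsulate and pick the VTEP for the inner destination within its VNI.
    The inner frame is a constructed "src>dst payload" text stand-in."""
    hdr = geneve_decap(packet)
    if hdr["proto"] != PROTO_TRANS_ETHER:
        return None                   # only Ethernet payloads are switched here
    src_dst, _, _ = hdr["inner"].partition(b" ")
    _, _, dst = src_dst.partition(b">")
    return FORWARDING.get((hdr["vni"], dst.decode()))
```

The same inner destination 10.0.0.10 lands on host-a under the shop VNI and on host-c under the erp VNI, which is exactly what lets each VPC owner plan addresses without coordinating VLANs with the other.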
#2 Improve network flexibility: decoupling from hardware
Leveraging GENEVE-based Overlay network technology, VPC networking can be completely decoupled from the Underlay physical network. All network functions are presented in a virtualized form and managed uniformly through a software-defined approach. This allows users to quickly create various virtual network topologies and services, such as virtual switches, virtual routers, and distributed firewalls, avoiding complex changes to hardware network configuration. As a result, network agility is greatly enhanced, and the time to launch business operations is significantly reduced.
For example, a company uses network devices of different ages and brands across various data centers. These devices can be difficult to manage uniformly due to significant differences in network architecture and configuration. By using ANS VPC, the company can create virtual private cloud networks with the same logical topology and functionality across multiple AECP clusters, even on different network devices. The configuration and management of the virtualized network are entirely independent of the underlying physical network’s topology and functionality, eliminating compatibility issues.
In this scenario, users can flexibly create and adjust VPC network configurations to meet the frequently changing business needs. In contrast, the modification of traditional physical networks can be more complex and time-consuming.
#3 Efficient support for cross-site high availability and load balancing
As enterprises expand their business and raise expectations for business continuity, enterprise users often need to deploy applications across multiple geographically dispersed data centers to achieve load balancing, disaster recovery, and wider service coverage. ANS VPC provides a powerful cross-datacenter network virtualization solution, helping businesses seamlessly expand applications to different clusters, racks, server rooms, or data centers while achieving unified management across geographic locations. Users can associate clusters from primary and backup sites through a single VPC network, consolidating resources and simplifying O&M.
The cross-datacenter virtualization network built with ANS VPC can help enterprises with:
- Flexible business expansion: Users can deploy applications flexibly across different data centers according to their needs while ensuring network interconnection and resource scheduling between data centers for rapid business growth.
- Efficient load balancing: VPC networking, combined with cross-data-center load balancing, can distribute data traffic to different data centers according to predefined policies, thereby improving resource utilization and application performance.
- Reliable disaster recovery: In the event of a data center failure, due to the high availability mechanism of AECP, VMs can be quickly migrated to other available data centers and leverage VPC to rapidly restore business operations without additional network adjustments. This helps to minimize business interruption time (RTO) and ensures business continuity.