My Vision of Networking: Cats Everywhere

Micro-segmentation everywhere without full SDN

I’ve read about the benefits of micro-segmentation that VMware NSX and other SDN solutions can provide for quite a while but haven’t experienced them because of costs and complexity. It seems they require your network engineers to all become Python gurus and you either have to pay lots of money for a commercial solution or roll with open source and hope everyone is up for the total paradigm shift… that is unless you just want it inside VMware and then all that’s required is a sack of money (NSX). As a result of this I’d all but given up on the idea for the immediate future.

So, what changed? I read up on Project Calico. Their take on things lets you bridge the gap between containers, hosts, and even different clouds simply, and allows for “A micro-firewall for every workload.” This sounds amazing until you find out that Linux is required. Don’t get me wrong, I love Linux. The thing is, though, that not every server on most corporate or academic networks runs it.

What is it that I want then?

What I want, and briefly thought I’d found, is something that:

  • Provides an easy way to do micro-segmentation without the hassle or costs of a full SDN solution
  • Works for traffic going vm-to-vm, vm-to-host, or host-to-host (sub in container for vm too)
  • Works on Windows, Linux, and Mac
  • Works across physical, virtual, and cloud infrastructure
  • Provides a simple-to-navigate network across the entire data center, including Kubernetes, OpenStack, and the like.

What’s missing from Calico?

Really, Calico does every bit of this except for the multi-OS part. My hope is that Tigera will take Canal (Calico + Flannel) and extend it to the rest of the data center. If all the major OSes were supported, then it wouldn’t matter if a workload ran in a container, in a VM, or on bare metal. It also wouldn’t matter if the VM was atop VMware, Hyper-V, OpenStack, oVirt, or something else, since it seems all the needed bits could run inside the guest operating system.

Maybe with Microsoft making both Windows and Linux containers a thing on Server 2016 via Docker the community will find a way soon to do this.

Why do I want this so much?

It really boils down to this:

  • Security not just at the edge that’s easy to manage
  • So much less complicated than a full overlay network
  • Much lower barrier to entry