The ONUG organization has taken a leadership role to advocate for open standards and interoperability across networking technologies that have led to tremendous improvements in automation. Recent years have seen a flurry of network automation projects as organizations improve their network agility to keep up with DevOps, as well as a proliferation of virtual application deployments and container-based microservices. Automated and programmatic configuration of network devices and overlay networks, with technologies such as SDN, has also greatly eased the burden on IT resources and accelerated IT processes.
Amid all the advancements from network automation and orchestration, IT organizations are bumping up against an unexpected challenge. While network infrastructure used to be reasonably static, the new frequency of network changes and the rapid automation from orchestration software have the potential to introduce configuration errors, policy violations and security breaches into the network at warp speed.
Validating network updates and their impacts on existing applications and users is a fundamental task during any change window. As agility and responsiveness become key objectives, we also have to avoid trade-offs in thorough testing, peer review and other change window processes that could increase the error rate and potential for outages.
To address this challenge, the next major wave of automation projects for IT networking teams is deploying automated verification platforms.
Increasingly, organizations are looking to intent-based networking solutions that have the ability to analyze network changes in real time and certify designs against expressed intent or policy requirements. In a prior ONUG blog, we detailed how network verification differs from traditional testing methodologies. In general, verification is a mathematical analysis of network configurations and state that can certify future behavior against policy violations and breaches, and that ensures full alignment with network intent under all possible traffic conditions and attacks.
Relying on the automated intelligence and analysis techniques of intent-based systems to perform this validation in real time is proving to be an ideal complement to existing automation projects. This is not only because automated changes are now seen to require post-change verification, but also because leveraging the automated real-time analysis from intent-based platforms allows error-free network updates in minutes, not days or longer.
How are network orchestration and verification platforms typically going to be integrated? Surprisingly, there are very few points of integration required to deploy both systems on a live network. This will allow organizations to easily choose best-of-breed platforms for their needs and environments without much standardization or vendor integration. Intent-based verification platforms do not rely on the mechanics of the orchestration platform, but rely on data collection from network devices (switches, routers, firewalls and load balancers). A typical workflow would have the orchestration platform updating network devices, and then triggering a collection of all the new device configurations into the verification model. In actuality, the challenge will be to correctly model the behavior of network devices from each specific vendor based on configuration settings, rather than integration with individual network orchestration platforms.
Organizations that are now starting to deploy intent-based networking and verification platforms are already reaping the benefits of accelerating their change window processes.
For the first time, they are able to specify their policy requirements and compare them to the modeled behavior of the network. Fewer network experts are required to anticipate and test the impact of updates to existing applications and security policies, while tedious lab testing under artificial conditions can largely be short-circuited.
Network engineers can also leverage the ability of verification platforms to archive network data collections and compare network policies and behavior between any two points in time. This puts a powerful tool into the hands of network engineers to quickly isolate which change could be the source of a particular issue.
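To make the idea of checking modeled behavior against intent and comparing two archived collections concrete, here is an added example that is not taken from ONUG or from any verification product. The rule tuple format, the zone names and both snapshots are hypothetical and constructed for illustration; the model is a single first-match ACL with default deny, evaluated for every TCP port rather than a sample of test flows.

```python
# Added example: constructed snapshots; rule format and zone names are hypothetical.
ANY = "any"

def permitted_ports(acl, src, dst):
    """Evaluate a first-match ACL for every TCP port (default deny)."""
    allowed = set()
    for port in range(65536):
        for action, r_src, r_dst, lo, hi in acl:
            if r_src in (ANY, src) and r_dst in (ANY, dst) and lo <= port <= hi:
                if action == "permit":
                    allowed.add(port)
                break  # first matching rule decides
    return allowed

def verify(acl, intent):
    """Return {flow: (exposed_ports, blocked_ports)} for flows that violate intent."""
    violations = {}
    for (src, dst), wanted in intent.items():
        actual = permitted_ports(acl, src, dst)
        exposed, blocked = actual - wanted, wanted - actual
        if exposed or blocked:
            violations[(src, dst)] = (exposed, blocked)
    return violations

def regressions(before, after, intent):
    """Violations present in the later snapshot that the earlier one did not have."""
    old, new = verify(before, intent), verify(after, intent)
    return {flow: v for flow, v in new.items() if old.get(flow) != v}

# Intent: web may reach db only on 5432; guest may not reach db at all.
INTENT = {("web", "db"): {5432}, ("guest", "db"): set()}

SNAPSHOT_T1 = [  # collection archived before the change window
    ("permit", "web", "db", 5432, 5432),
    ("deny", ANY, "db", 0, 65535),
]
SNAPSHOT_T2 = [  # collection after an automated push placed a broad rule first
    ("permit", ANY, "db", 5000, 5999),
    ("permit", "web", "db", 5432, 5432),
    ("deny", ANY, "db", 0, 65535),
]

if __name__ == "__main__":
    found = regressions(SNAPSHOT_T1, SNAPSHOT_T2, INTENT)
    for flow, (exposed, blocked) in found.items():
        print(flow, "exposed ports:", len(exposed), "blocked ports:", len(blocked))
```

A single probe of port 5432 from the web zone passes on both snapshots, which is why the exhaustive check over the modeled header space catches what a spot test would miss.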
Today’s network automation projects are making IT organizations and infrastructure more agile and responsive to business requirements. But there is hesitancy to adopt network orchestration platforms because increasing the rate of change has traditionally meant increasing risk of failures and loss of service. By coupling network automation with emerging intent-based network verification technology, enterprise networks are able to proceed with much more confidence, while reducing risk and still accelerating the speed of operations.