It may seem like an overused idiom, but we think it’s the perfect title for a blog post on Nutanix networking and Flow. Today the journey is well underway. AOS 5.6 released in April and contained VM microsegmentation to increase application security and Flow was officially announced as the vehicle for connecting and securing any application (VM, Container) on any cloud (Public, Private, Hybrid). Nutanix simplified traditional data center infrastructure with HCI and now we bring that same “one click” simplicity to networking and security. In this post, We are going to lay out the journey for Flow at Nutanix, from its headwaters in AHV, winding through microsegmentation, touch on some of the exciting places we will take Flow based on technology from our recent Netsil acquisition and even a gaze over the horizon at our multi-cloud future.
Headwaters: Virtualization for the Enterprise Cloud OS
The story of Flow in Nutanix goes back to AHV, our native hypervisor based on Linux KVM. The foundation of our networking and security technology is based on OVS – an open source virtual switch with proven scale and performance. Since the early days, OVS has been known for rapid innovation and proven scale. We chose OVS because we have always had big plans around networking and the important role it plays in virtualization – even more so for modern distributed applications, hybrid or multi-cloud environments. OVS provided a robust platform to handle our immediate requirements and a rich set of features and functions to develop for the future. Starting with AHV in 2015, OVS has been used under the covers to provide VM virtual networking and support features like our innovative IP address management (IPAM) that is built right into AHV.
Are we there yet?
VM networking in AHV was only the beginning. As of AOS 5.6 released in April, we officially released the first set of features in Flow with the laser focus on making applications more secure and doing it with our “one click” philosophy of simplifying IT. AOS 5.6 includes VM Microsegmentation and Network Service Insertion – all managed centrally through Prism. Flow requires no additional components (management or control) and works seamlessly with our existing Prism management and Acropolis data plane model that our customers love.
We all know that the concept of VM microsegmentation or East-West firewalling isn’t new, so what is different about our approach and what do we mean by App-Centric Security?
Our approach to microsegmentation doesn’t start with networking – in fact it is agnostic to how the underlying network is configured or built. Unlike traditional approaches where you are required to start planning with logical networking as a path to microsegmentation – Nutanix has no such requirements or complexities. We allow you to incorporate microsegmentation with Flow without any changes to existing network configuration – keeping things simple and providing admins and architects to focus on business or application requirements. Our approach starts with visualization and policy and this is where being “app-centric” comes from.
Being “application-centric” is about three key attributes:
- Policy framework with inherent understanding of applications
- Grouping that is based on how developers build their applications (tiering)
- Full visual insight into interaction between different entities inside the application – to eliminate any guesswork in planning and reduce errors that could impact availability.
We firmly believe that the only way to create effective security policy is to start with a solid understanding of what is being secured. In this case, applications. The key is logical grouping of VMs and visibility. Starting with a new management construct in Prism, called Categories, Flow allows the writer to group VMs logically based on some classification. For example, high level groups could be development and production or categories could be used for application tiers like web servers or databases.
In the Flow policy process, once categories are created, policy is placed on categories…NOT on the member VMs. This is an important distinction as it separates the policy and groups from more dynamic network identifiers (i.e. IP addresses). This is a huge reduction in the typical complexity involved with policy creation. The responsibility for understanding end points is removed from the human policy writers and left to the virtualization platform which always knows that information and can automatically update/change policy.
As part of this process Flow includes the ability to visualize the interactions between VMs in categories (Applications). Thus providing another method to simplify the policy exercise. Imagine removing all the guesswork and knowing exactly how each part of an application communicates with the others. That’s what Flow provides – application-centric security based on a unique policy model and granular enforcement via microsegmentation.
Beyond Microsegmentation – Security and more…
We are very aware that there are cases where additional functions are required. For this reason Flow also includes the ability to leverage the same granular policy described above to redirect or tap the “flows” between VMs into other functions or services. Those can be home grown or provided by one of our ecosystem partners. Common use cases are services like third party Firewall Appliances, IPS/IDS for security, and Packet Monitoring among others.
For more details and specific use cases with examples, download our Flow Tech Note.
What’s around the next bend? (Flow + Netstil)
I suspect that what brought you to this blog was some announcements that came out our .NEXT conference in New Orleans. Back in March we acquired a company called Netsil. Cool fact, Netsil is “listen” spelled backwards. Listen is very appropriate, Netsil technology starts by “listening to” the interactions between VMs and services. It uses advanced stream based analytics to provide detailed maps (think Google Maps) of the interactions that essentially make up applications. Netsil tech is going to find its way into multiple areas of the Enterprise Cloud OS, but for Flow it will provide some truly awesome enhancements. We explained the unique policy model we use in Flow above, now combine that with mapping, discovery, and application context from Netsil and you get something truly unique and even more app-centric.
With Netsil, we will automatically discover your applications running inside VMs, understand your application topology to automatically assign categories and recommend (and create) security policies for you, taking the guesswork and complexity out and replacing it with “one click”. Expect to see the combination of Flow and Netsil technologies to be available in the second half of 2018. For a preview of Netsil capabilities, check out this video.
Where to NEXT? (Multi-Cloud)
We have big plans for Flow as we build out more features and services that are part of our focus on running any and all applications in the Enterprise Cloud OS. Expect to see Flow expand into the cloud as part of ensuring that the same application-centric security found on-prem is available everywhere. Our goal is to provide features and functions in support of moving workloads from on-prem to public cloud and back with Flow will provide a consistent security policy and connectivity so that you can operate you multi-cloud environment with One-Click.
Flow is available for purchase or evaluation today. Take a look.
Disclaimer: This blog may contain links to external websites that are not part of Nutanix.com. Nutanix does not control these sites and disclaims all responsibility for the content or accuracy of any external site. Our decision to link to an external site should not be considered an endorsement of any content on such site.
Forward-Looking Disclaimer: This blog includes forward-looking statements, including but not limited to statements concerning our plans and expectations relating to product features and technology that are under development or in process and capabilities of such product features and technology and our plans to introduce product features in future releases. These forward-looking statements are not historical facts, and instead are based on our current expectations, estimates, opinions and beliefs. The accuracy of such forward-looking statements depends upon future events, and involves risks, uncertainties and other factors beyond our control that may cause these statements to be inaccurate and cause our actual results, performance or achievements to differ materially and adversely from those anticipated or implied by such statements, including, among others: failure to develop, or unexpected difficulties or delays in developing, new product features or technology on a timely or cost-effective basis; delays in or lack of customer or market acceptance of our new product features or technology; and other risks detailed in our Form 10-Q for the fiscal quarter ended January 31, 2017, filed with the Securities and Exchange Commission. These forward-looking statements speak only as of the date of this presentation and, except as required by law, we assume no obligation to update forward-looking statements to reflect actual results or subsequent events or circumstances.
© 2018 Nutanix, Inc. All rights reserved. Nutanix, the Enterprise Cloud Platform, the Nutanix logo and the other products and features mentioned herein are registered trademarks or trademarks of Nutanix, Inc. in the United States and other countries. All other brand names mentioned herein are for identification purposes only and may be the trademarks of their respective holder(s).