As modern applications require more east-west traffic, organizations must enhance their datacenter infrastructure to meet the new requirements. Modern datacenter architectures are designed to provide the agility, availability, and security that modern workloads require to support an organization's digital objectives amid the rise in cybersecurity attacks. As per IDC's Future of Digital Infrastructure 2022 Global Sentiment Survey, around 57% of respondents were moving to more flexible software-defined networking infrastructure to meet emerging edge computing, distributed data, and mobile/hybrid work strategies.
Increased Data Volumes and Modern Apps Place New Requirements on the Datacenter Network
At the same time, modern application architectures and increased data volumes require better control and visibility at the network edge, where the network and compute merge, to optimize resource usage efficiently. This includes managing CPU, memory, network fabric, inline firewalls, load balancers (ADCs), racks, and power. Technologies like performance-intensive computing (PIC) support complex workloads such as modeling, forecasting, and scenario planning, enabling faster business decisions. IDC predicts that 35% of the G2000 will benefit from investments in PIC by 2026. With server densities and processing power increasing, the need for edge control and visibility grows, and network bandwidth also increases with server adapters and top-of-rack (ToR) switches moving to 25/100Gbps and 100/400Gbps becoming prevalent in cloud datacenter networks.This IDC report explores strategies for effective use of cloud resources through new development, deployment and operational models of service delivery. Learn how to accelerate your move to cloud with multiple cloud resources and cloud service providers.
Growing Wave of East-West Traffic Redefines Security Requirements
The speed and volume of east-west traffic in virtualized and containerized application environments require new security requirements, especially in multitenant scenarios where zero trust security is imperative. Automated and policy-based network segmentation and microsegmentation are necessary, and centralized security appliances are inefficient for expanding traffic flows. Hairpinning of traffic to hardware appliances at the datacenter edge impairs application performance, restricts scalability, increases costs, and adds latency. The datacenter network is critical in enabling or hindering digital objectives, and modernization is necessary to optimize server and storage performance. Failure to modernize compromises the integrity and performance of critical applications.
A Simple, Scalable, Secure Approach to Datacenter Network Automation
Unfortunately, many organizations with dedicated or private cloud environments find themselves hindered by fragmented and inflexible traditional network architectures and infrastructure. These complexities can lead to impaired digital business agility and increased security risks. Traditional network architectures were not designed to handle the highly dynamic east-west traffic volumes of modern applications, and operational models tend to be manual and inefficient.
To address these challenges, a simpler, scalable, and consistent approach to network automation is necessary. Such an approach should be aligned with cloud agility and streamlined operations, allowing organizations to unify, automate, and secure overlay and underlay networking across their distributed application landscape. This unified approach can significantly reduce operational costs and increase business agility by ideally providing a common and unified network fabric across switches and hosts that support heterogeneous infrastructure comprising multiple hypervisors, Kubernetes, and bare metal workloads. In addition, this fabric should encompass distributed security services, eliminating the inefficient and costly clutter of appliance sprawl.
In the past, customers were compelled to choose between performance (speed and throughput) or control and security. However, with increasingly important workloads critical to digital business running on datacenter networks, customers are now rightfully demanding both performance and security from their datacenter networks. With a unified and automated approach to datacenter network automation, organizations can achieve both performance and security, without sacrificing one for the other.
Benefits
A modern datacenter network fabric, with an architecture and operational model that extends all the way to the server, provides a range of benefits such as:
- Faster provisioning: Improved fabric automation and orchestration allows for greater provisioning agility and speed, including better adaptability and flexibility of IT operational models. Extensive automation mitigates the delays entailed by manual interactions involving siloed IT operations teams.
- Simplified, agile network and security operations: Policy-based network automation and orchestration over a unified fabric simplifies the entire life cycle of network operations, from day 0 through day 2/N. Not only is provisioning simplified and accelerated but so is troubleshooting and remediation of issues that can affect application availability and performance.
- Zero trust network security: By delivering advanced services at the network-server edge, infrastructure operations teams can provide protection throughout the network, putting a distributed stateful firewall at every switch port. The result is a reduction in coverage gaps, as well as a diminution of the costly and complex sprawl associated with firewall hardware and software appliances.
- Actionable, proactive insights: Real-time telemetry provides ubiquitous visibility across all east-west datacenter traffic, enabling network operators to detect potential issues before they become serious problems that can affect application performance and availability. The result is a more proactive approach to datacenter operations, resulting in highly performant and optimized applications and digital services.
- No compromise between performance and security: This approach to automating a modern datacenter network fabric solves the dilemma of having to choose between performance and network speed on one hand and fine-grained control and security on the other. Enterprises can now have both, with no compromise to either.
How Hewlett Packard Enterprise Addresses Automation and Security in the Modern Datacenter
Hewlett Packard Enterprise (HPE) offers a datacenter networking portfolio featuring HPE Aruba CX switches, including the HPE Aruba X 10000 Series Switch, the industry's first distributed services switch (DSS). The HPE Aruba CX switches provide robust and scalable hardware and intuitive management tools with a cloud-native operating system designed for modern datacenters. The HPE Aruba CX 10000 is an essential component of the HPE Aruba datacenter fabric, delivering advanced network and security services at the datacenter edge. It integrates with the HPE Aruba Fabric Composer, an API-driven software-defined network orchestration platform that simplifies and accelerates network provisioning, security management, and day-to-day operations. It orchestrates datacenter switches as a single network fabric throughout an automated network life cycle, supporting workflows that abstract and streamline otherwise complex and manual processes associated with datacenter infrastructure.
The HPE Aruba CX 10000 provides a simple spine-leaf underlay overlay network, offering 3.6Tbps of switching capacity, 48 ports of line rate 10/25GbE (SFP/SFP+/SFP28), and 6 40/100GbE ports (QSFP+/QSFP28). It is supported by the Pensando Elba programmable DPU, which provides distributed stateful firewall, zero trust segmentation, and pervasive telemetry for east-west traffic, as well as forthcoming capabilities for stateful NAT and encryption services. In addition, it integrates with various third-party network and security products and tooling, including those for advanced security and performance management. The HPE Aruba Fabric Composer centrally configures switch configurations and distributes firewall policies.
DXC Secure Network Fabric Offering Powered by HPE Aruba CX 10000 Series Switch
Hewlett Packard Enterprise has partnered with DXC Technology, a global service integrator with 130,000+ employees and more than 240 Fortune 500 customers across 70 countries. As part of the go-to-market (GTM) relationship, DXC designs, validates, and delivers to customers a range of use cases for the HPE Aruba CX 10000 through its DXC Secure Network Fabric offering. Customers can take advantage of DXC's expertise in designing, deploying, and managing next-generation datacenter network fabrics utilizing HPE Aruba CX10000, orchestration, and automation capabilities. This partnership enables a symbiotic relationship where DXC provides knowledge of customer requirements to HPE Aruba 's product development, ensuring alignment in providing solutions.
East-West Segmentation Use Case
DXC Technology utilizes the HPE Aruba CX 10000 and HPE Aruba Fabric Composer in its 40+ global datacenters to enhance its security posture with micro-segmentation and improve operations through automation. The Distributed Services Switch architecture enables granular control over the interactions between customer-facing tools and applications, enhancing traffic visibility and security across the entire datacenter fabric. Traffic is inspected directly at the ToR switches, eliminating the need to hairpin traffic to traditional centralized appliances while reducing network congestion and complexity. As additional server racks are added to the pod, aggregate east-west inspection capacity scales accordingly, enabling active/active stateful firewalling with state-sync via VSX. In addition, the HPE Aruba CX 10000 solution includes all stateful services, including firewall, built into every leaf switch in the datacenter, improving the TCO profile relative to a traditional datacenter platform.
Context-aware segmentation policies accommodate the dynamic nature of datacenter virtualization, enabling segmentation rules to be configured based on the virtual workloads' tags or names. This approach ensures that segmentation policies remain effective, even as virtual workloads are spun up, deactivated, or relocated, without requiring manual reconfiguration. The HPE Aruba CX 10000 has visibility to all workload-to-workload communication, enabling granular segmentation across the entire datacenter fabric. Furthermore, all traffic inspection occurs on the switch with hardware acceleration outside the rack servers, ensuring that there is no impact on server resources and minimal latency.
HPE Aruba CX 10000 also includes stateful connection and ALG support, with comprehensive TCP session security checking and DDoS protection as part of the stateful firewall feature set. The policy rules in the solution are implemented in data plane DRAM, removing the TCAM size limitations while maintaining line-speed traffic filtering. This approach allows the switch security policy to scale up to a million rules. By design, HPE Aruba CX 10000 security policy is configured at the entire cluster level, simplifying policy and management. Sites only need to consider who is allowed to talk to whom inside the datacenter when configuring the security policy, and the management plane automatically determines which switch and port must be configured to implement policies for optimized deployment.
The centralized orchestration and automation provided by HPE Aruba Fabric Composer, along with the Pensando Policy and Services Manager (PSM), facilitates the combination of each datacenter switch environment into a single secure fabric with centralized policy management. This integration reduces capital and operational expenses, helping to make the solution cost-effective.
Explore DXC's network services.