A couple of weeks ago I was asked to speak at the Cloud Computing Conference in Tel Aviv to present the Radware cloud-ready Virtual Application Delivery Fabric. With some luck, I had a fortuitous meeting with the conference organizer prior to the event. I was able to discern the hot issue for the attendee base: security. The reason was clear, as a prominent website suffered a highly publicized series of cyber attacks just prior to the convention.
Why fortuitous, you ask? It gave me the chance to understand attendees’ interest in security, and in turn use the opportunity to explain how ADC virtualization should be done differently in the cloud than in the private data center. By this, I mean preventing the weakest link, a single customer, from taking down the entire infrastructure and affecting other customers residing on the shared network. The most important reason for using cloud services is cost savings. Cloud services achieve these cost savings by sharing infrastructure resources: for example, by running multiple virtual machines on a single physical server, sharing storage, or sharing ADCs.
Most customers would assume their cloud services and data are isolated from other hosted cloud services and customers. This is probably true in the logical sense that neighboring customers won’t have access to their servers and data, but what happens in the case of a DDoS attack on a neighboring hosted website or service? During the attack, the neighboring website receives a massive amount of traffic, which overloads its infrastructure resources and takes it down; this includes the application, the server and the ADC in front of it. Now, even if the cloud provider has isolated the different hosted services at the network level and configured different routing domains per service in the ADC, the ADC processing capacity is still shared. An attack through one of the ADC services will consume all of the ADC's processing resources and bring down all sites using the same shared ADC.
How does the DC administrator prevent this? By implementing a VADF (virtual Application Delivery Fabric). Cloud computing should simply use the same methodology as server and storage virtualization: a hypervisor layer on top of the ADC computing resources that isolates each service not only at the logical network layer (e.g. as done with routing domains), but also as it runs through the ADC fabric, guaranteeing its capacity, its computing resources and its overall SLA. If a hosted website is under a DDoS attack, other websites sharing the same physical ADC will still receive their guaranteed processing resources and won’t be affected by attacks on their neighbor.
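The contrast described above, as an added Python illustration (not code from the original post or from Radware): a shared processing pool versus hard per-tenant reservations during a flood on one tenant. The tenant names, loads, capacity figures and the hard-cap reservation model are assumptions made for the example.

```python
# Added illustration (not Radware code): one second of ADC request processing.
# Tenant names, loads and capacities below are constructed sample values.

CAPACITY = 10_000  # requests the physical ADC can process per second
OFFERED = {"shop-a": 2_000, "shop-b": 3_000, "attacked-site": 500_000}
GUARANTEED = {"shop-a": 3_000, "shop-b": 4_000, "attacked-site": 3_000}


def shared_adc(offered, capacity):
    """Single processing pool: requests compete equally, so each tenant is
    served in proportion to the traffic it sends (routing domains alone
    do not change this)."""
    total = sum(offered.values())
    if total <= capacity:
        return dict(offered)
    return {t: load * capacity // total for t, load in offered.items()}


def isolated_adc(offered, guaranteed, capacity):
    """Per-tenant reserved slices: a tenant is capped at its own guarantee,
    so excess load is dropped inside its slice only."""
    if set(offered) - set(guaranteed):
        raise ValueError("tenant without a reservation")
    if sum(guaranteed.values()) > capacity:
        # Oversubscribed reservations cannot all be honoured under attack.
        raise ValueError("guarantees exceed physical capacity")
    return {t: min(load, guaranteed[t]) for t, load in offered.items()}


def availability(offered, served):
    """Fraction of each tenant's offered requests that were processed."""
    return {t: served[t] / offered[t] if offered[t] else 1.0 for t in offered}


if __name__ == "__main__":
    for name, served in (
        ("shared", shared_adc(OFFERED, CAPACITY)),
        ("isolated", isolated_adc(OFFERED, GUARANTEED, CAPACITY)),
    ):
        print(name, {t: f"{a:.1%}" for t, a in availability(OFFERED, served).items()})
```

With these constructed figures, the two unattacked tenants have about 2% of their requests served on the shared pool and 100% with reservations; the check on the sum of guarantees shows why reservations only hold if they are not oversubscribed.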
Still, a question remains: how can an ADC virtualization solution be scalable and cost-effective? For a solution to be feasible in the cloud environment, it must provide a high enough density of virtual ADCs per computing resource, consume as little physical footprint in the cloud datacenter as possible, and reduce the cost per customer. The ADC virtualization solution should also converge into the cloud’s management and orchestration systems. Provisioning and maintenance of the ADC service per customer must be done in full correlation with all other elements of the cloud computing resources and be able to scale on demand.
Radware’s Virtual Application Delivery Infrastructure (VADI™) solution for the cloud addresses all of the above. The virtual ADCs running on any of the Alteon-VX models provide full isolation of applications, and guarantee the computing resources and capacity per virtual ADC instance even when under massive attack. Moreover, with a density of up to 256 vADCs per Alteon-VX device and the ability to cluster, cloud providers can achieve a cost-effective ADC virtualization fabric with minimal footprint in their datacenter. The VADI solution also includes another important component: the vDirect plug-in, which provides complete integration into the data center’s ecosystem and streamlines ADC service provisioning together with the other cloud service components, through smooth integration with any cloud management and orchestration system.
In closing, a family would not be happy if a neighbor in their housing complex used up their allocated water supply, and then just tapped into the neighborhood supply and used all of the water for the entire community. There need to be measures of control. Landlords, just like cloud service providers, must be able to guarantee isolated availability of resources.