Overcoming Challenges with the Modernization of Virtualization Environments with Universal Microsegmentation

Network segmentation solutions with microsegmentation capabilities can help tame today’s evolving virtualized and dynamic Kubernetes environments.

Network segmentation solutions with microsegmentation capabilities can help tame today’s evolving virtualized and dynamic Kubernetes environments.
(Credit: Sergey Novikov / Alamy Stock Photo)

Today, enterprises are increasingly moving away from traditional virtualization platforms in favor of more modern solutions to build cloud-native applications. The shift to cloud-native architectures and the adoption and deployment of containers and microservices have been underway for years. Benefits like enhanced resiliency, scalability, extensibility, agility, and the ability to address many of the limitations inherent in traditional virtualization stacks have driven this transition. Now, this shift has been accelerated.

Rising licensing costs and the limitations of older virtualization platforms – for example, legacy systems not optimized for modern, cloud-native applications – are accelerating this shift. Broadcom’s acquisition of VMware is an example of a recent catalyst, leading many customers to explore more cloud-native and cost-effective virtualization alternatives.

Importantly, Kubernetes can now manage diverse workloads such as containers, virtual machines (VMs), and bare metal across on-premises and public cloud environments. But the traditional network segmentation designed for older virtualization environments cannot be extended to Kubernetes as is; it is designed for static VM environments and ill-equipped for the age of Kubernetes, container-based architectures, and multi-cloud and hybrid environments.

Segmentation is essential for maintaining compliance and enhancing security in environments with shared physical infrastructure. By isolating tenants, segmentation reduces the risk of unauthorized access and ensures that sensitive data is protected, helping organizations meet regulatory requirements and secure their operations.

Here, we’ll explore the issues with traditional network segmentation and walk through how to overcome challenges using universal microsegmentation.

Legacy Approaches and Challenges with Current Segmentation Solutions

As many organizations are modernizing their virtualization environments, they are adopting Kubernetes as a comprehensive orchestrator for managing workloads for their applications both on-premises and in the public cloud. Modern virtualization platforms must support different types of workloads, such as VMs, containers, and bare metals, with Kubernetes for both on-premises and public cloud deployments.

Now, new cloud-native environments have rendered current segmentation approaches and solutions obsolete. Traditionally, enterprises segment their virtualized environments by creating distinct virtual networks and security zones based on function, for example, production, development, and testing environments. They achieve this by implementing VLANs and logical switches for network segmentation and enforcing strict access control policies to isolate and protect sensitive data and applications. Current network segmentation solutions like NSX are effective for traditional VM environments, but their architecture and design are unable to handle the dynamic nature of Kubernetes environments, which decouples infrastructure from tenants and has a flat, open network approach. As Kubernetes workloads are highly dynamic, pods are created and destroyed frequently. Traditional network segmentation solutions simply cannot keep up with the rapid changes in network configurations and policies.

Burgeoning Need for Unified Microsegmentation

Universal Microsegmentation is key for workload observability, security, and performance in new virtualization environments across on-premises and public cloud.

With this, segmentation solutions should include:

Support for different types of workloads: Single Environment: If enterprises migrate the entire footprint of their VMs to a new virtualization platform such as KubeVirt, the segmentation solution should be equipped to support both VMs and containers across on-premises and public cloud environments and handle the flat network created with Kubernetes. It should create workload isolation and security zones for all these workloads as a single policy framework.

Support for different types of virtualization environments: Hybrid Environment: Depending on the organization’s VM footprint and application deployment requirements spread across on-premises and public cloud, network and platform teams may be able to migrate a partial set of VMs to a new virtualization platform that supports both VMs and containers.

One additional consideration: organizations may keep a few VMs in the existing virtualization environment for compliance, security, or business reasons. In such a scenario, a microsegmentation solution must work not only in modern virtualization platforms but also in existing platforms such as vSphere. It should be able to do microsegmentation for workloads (VMs, containers, bare metal) in both on-premises and public cloud environments.

Overcoming Challenges Through Strategic Solution Adoption

Organizations migrating from legacy virtualization platforms to modern virtualization solutions should prioritize adopting a robust, dynamic, and high-performance network policy engine to perform segmentation across both on-premises and public cloud deployments and different workloads from virtual machines, containers, and bare metal.

When searching for a solution to meet their organization’s needs, IT decision makers should look for the following capabilities and benefits for managing different workloads:

  • Unified Security Model: Offers a consistent security model across various environments. A unified security model also simplifies the creation and enforcement of network policies across different types of infrastructure.

  • Dynamic Policy Enforcement: Enables network policies to be dynamically applied as workloads are moved, created, or terminated, ensuring network policies are always up-to-date without manual intervention.

  • Granular Policies: Allows the creation of fine-grained policies for particular workloads in a hybrid environment, providing precise control over allowed and denied traffic.

  • Visibility: Helps administrators eliminate guesswork. Visibility into workload traffic flows to create a comprehensive map that helps administrators eliminate the guesswork involved in understanding workload dependencies and security and compliance gaps.

  • Distributed IDS/IPS: Protects against network-based threats. Decision-makers should look for a workload-centric IDS/IPS that protect against network-based threats by ingesting different threat feeds available by default and custom sources to pinpoint the source of malicious activity in case of a breach.

With a single segmentation solution, users can also lower the overhead of managing multiple segmentation solutions.

Addressing Legacy Challenges with Modern Solutions

The need to manage diverse workloads efficiently and the desire to reduce licensing costs has accelerated enterprises' migration from legacy virtualization platforms to modern virtualization solutions.

Now, current network segmentation solutions for traditional virtualization environments are inadequate for the dynamic nature of Kubernetes. A new segmentation solution must support both VMs and containers across single and hybrid environments spread across on-premises and public cloud. Enterprises can address these needs – ensuring seamless and efficient segmentation for their evolving virtualization environments – by adopting solutions with robust microsegmentation capabilities to achieve universal microsegmentation.

About the Author

Dhiraj Sehgal, Director of Technical and Solution Marketing, Tigera

Dhiraj Sehgal is Director of Technical and Solution Marketing at Tigera, Inventor and Maintainer of Project Calico. His professional experience covers product and technical marketing, product management, customer success, and engineering. In his current role, Sehgal is focused on effectively communicating cloud-native and SaaS-based cybersecurity and network security products and technology to customers. His expertise spans across a wide array of domains, including security, data layers, computing, networking, storage, virtualization, and data management platforms. He is also the proud holder of four US patents in data center technologies, specifically in storage, networking, and servers.

SUBSCRIBE TO OUR NEWSLETTER
Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like


More Insights