By Christer Swartz, Worldwide Consulting Engineer, Data Center, Virtualization, Service Provider
Data centers are changing. The elastic nature of modern application workloads requires data center networks to scale up and out on demand, making it difficult for data center teams to enforce security on workloads as they move across multiple servers, data center locations or clouds.
During several recent customer visits, I have been asked about how Palo Alto Networks can protect links between multiple data centers. Firewalls are normally placed at the perimeter between the data center and the Internet, and also within the data center core network, but how do you protect these back-end links between data centers?
Most modern data centers have interconnect links between geographically separate data center locations to allow workload mobility and enable disaster recovery. A data center may be used to deploy primary resources while one or more additional data centers may be used to deploy backups of these same resources, with workloads that are distributed across these multiple compute locations. This way, if there is a failure in any one data center, your teams can use the others to restore or maintain services without interruption. Enabling high availability and fault tolerance across data centers for mobile workloads is the goal.
Cisco Overlay Transport Virtualization (OTV) or open standard Ethernet virtual private network (EVPN) are examples of data center interconnect links. Managing the mappings between a workload's IP address and its location on a network (as it might migrate across links between data centers) can be controlled via Cisco's Locator ID Separation Protocol (LISP), in which each node has two IP addresses embedded in a single frame—one referring to its identity and the other referring to its current location on the network. This results in workloads moving across both native and tunneled network segments and, when using LISP, potentially having multiple IP addresses.
So, how does a firewall protect such a network fabric? To address this question, you need to keep data center best practices in mind with respect to the deployment of network appliances. In addition, Palo Alto Networks Next-Generation firewalls can be used to enforce security at these inter-data center links, by following specific network-placement guidelines, to ensure the same robust security enforcement at these boundaries as at the others in your data center.
To learn more, read the full data sheet on Data Center Interconnect Links.