By now, we all know that, due to the rapidly evolving digital transformation, Amazon, Microsoft and Google have all created environments where infrastructure and networking are elastic, on-demand and extremely fast. As part of this three-part blog series exploring AWS, Azure, and Google Cloud, this week we will focus on the benefits and limitations of Microsoft Azure, and on how Garland Prisms can work within the platform to add value for customers by providing packet-level visibility in the public cloud. If you’ve just started following along, check out our first post on AWS.
As the No. 2 cloud provider behind AWS, with 15.5% of the market share, Microsoft Azure offers an ever-expanding set of cloud services built to help organizations build, deploy and manage cloud applications through a global network of data centers. With Azure’s rapid rise, at a growth rate of 60% year-over-year, the gaps in its application services are coming into focus for cloud architects, including the lack of a virtual tapping solution to deliver packet visibility to monitoring and security tools.
Illustrating the emergence of Azure as a challenger to AWS’s market supremacy, Microsoft was recently awarded the massive JEDI (Joint Enterprise Defense Infrastructure) contract for the U.S. Defense Department’s public cloud resources. This digital migration will provide enterprise-level, commercial Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) to support Department of Defense business and mission operations.
Why is Packet Visibility in the Cloud Necessary?
In public cloud platforms like Azure, security and compliance are a shared responsibility between the platform provider and the user. The model is designed to relieve part of the user’s operational burden: the platform itself operates, manages and controls components such as the host operating system and virtualization layer, and hosts many security and monitoring applications from third-party tool vendors.
So why would packet-level visibility be necessary in the cloud? Everything starts with the packet, and IT and security professionals still need this level of visibility and access to their connected applications to detect security anomalies and analyze network performance. This visibility has been notably absent in public clouds like Azure, leaving IT teams to examine small packet captures from individual hosts using outdated tools such as tcpdump and Microsoft Network Monitor, instead of following a complete strategy.
The same rule of thumb applies as on an on-prem network: better visibility allows your organization to make better decisions about the network, from testing and troubleshooting, threat detection and response, to network architecture optimization that correctly meets changing operational needs. Tapped packets provide logs, endpoint data, and network data, which are considered the three key data sources for security visibility.
Azure’s Cloud Services Have This Covered, Right?
With over 800 listed services in the massive platform, traffic mirroring must be one of them, right? To great fanfare at Microsoft Ignite 2018, Microsoft announced a “private preview” of the first natively distributed network TAP available in any public cloud. The Microsoft Azure Virtual Network TAP (vTAP) was set to enable organizations to mirror virtual machine traffic and direct it to out-of-band network tools without having to use packet-forwarding agents.
Unfortunately, Azure’s private preview quietly went cold. With no recent updates on availability, most Azure customers are left with massive blind spots in their networks. We have no doubt that Azure will at some point release an updated vTAP which, like the native mirrors of the other cloud platforms, will do a great job, since infrastructure-based mirroring doesn’t consume host memory and CPU cycles.
We have been seeing many customers find major gaps in this infrastructure-based traffic mirroring, including:
- Traffic Replication - This is a big one: most virtual TAP solutions provide only one copy of the packets, with no way to duplicate that mirror. Some can divide the packets, sending some to one tool and the remainder to another, but you cannot send the same packets to two or more places.
- Kubernetes and Container Support - If you haven’t heard, Kubernetes traffic is quickly becoming the single biggest blind spot in the cloud.
In these cases, Garland Prisms’ traffic mirroring fills the gaps where current solutions are unavailable or impractical. Garland Prisms mirrors both North-South (client-server) and East-West (inter- and intra-container) traffic. Garland Prisms complements native cloud mirrors, adding visibility and 1:N replication to multiple destinations. And for Azure users who may not have a true traffic mirroring option, Garland Prisms provides easy-to-deploy, scalable visibility to get your performance and security tools the packets they need.