Using firewall rules to migrate business applications to a private cloud
An increasing number of organizations are already taking advantage or planning to take advantage of the many financial and operational benefits that a private cloud has to offer. However, in order to achieve these benefits, IT must take on complex projects to migrate business applications and/or data centers from the physical to the virtual realm.
The outcome of these projects does not always produce the desired effect. Findings from a recent study of 240 information security professionals, network operations and application owners found that more than two-thirds of organizations encounter application connectivity disruptions or outages during data center migration projects. So while the value of a private cloud is not disputed, getting there without hurting the business does cause concerns and anxiety for many organizations.
Before we go any further, let’s take a step back and recognize that business applications fuel the data center and ultimately the business – an outage or disruption can have significant implications on the bottom line. The organization must understand everything that makes up a business application, which typically has a complex, multi-tier architecture, multiple components, and intricate, underlying communication patterns that drive network security policies.
It is also important to recognize that most firewall changes are driven by business application connectivity needs. Understanding the impact of these application changes on the network and vice-versa is critical, as is making sure that all firewall change requests are associated to the appropriate applications. While individual rules support multiple applications, an individual “communication” may need to travel across a few policy enforcement points.
Hundreds or even thousands of firewall rules are involved with this complexity including many potential interdependencies that are configured across tens to hundreds of devices, which support just as many business-critical applications.
It’s hard enough just to roll out a new business application or to make an update that impacts connectivity. Many organizations lack visibility of their application connectivity requirements and the underlying security policies, and these challenges only become magnified when migrating applications or a data center. Here are steps to accelerate and simplify a data center migration project – without taking the business offline:
1. By leveraging existing firewall rules, data center migrations can proceed without any unexpected and bad surprises. Locate and determine all of the firewall rules that refer to the existing server’s IP address and add the IP address of the cloned server to the discovered rules. This allows the existing and the new servers to work simultaneously.
2. Once both physical and virtual servers are enabling the proper connectivity, application engineers can then reconfigure all of the applications’ components to use the new IP address.
3. After this is achieved and all of the application components’ connectivity paths have been reconfigured and tested, the original server can be safely shut down and all of the references to its decommissioned address from the firewall rules can be removed.
Remember that even in the most poorly documented data centers, firewall rules can provide vital information regarding which applications will be affected when a server is migrated and which groups of servers will benefit the most from being migrated concurrently. Using existing firewall rules in this manner can help get to a private cloud faster, without disruption.