One of the recent trends in technology is the movement toward software-defined networking (SDN). With SDN, networking is no longer tied to a specific proprietary device but is instead implemented in software. GoGrid has adopted this software-defined networking architecture for its new product offerings, starting with Dynamic Load Balancers and now with our new Firewall Service.
SDN typically means that the control plane is separated from the forwarding plane and centralized. This setup is easier to manage and allows the forwarding elements themselves to be distributed. Management of the network is also typically programmatic with SDN. In GoGrid’s architecture, for example, management is centralized while enforcement is distributed. This design allows for greater resiliency and self-healing, meaning a failed distributed node can always be returned to its last known stable state from the central control plane. We also expose these services through our management console and a public RESTful API.
Although most people think of SDN as it applies to the core (switches and routers), GoGrid’s strategy has been to start at the edge and then work toward the core. Dynamic Load Balancers and the Firewall Service are considered to be on the network edge. However, other services closer to the core, such as Private Network Automation (PNA), have adopted this architecture as well. Details about the Dynamic Load Balancer are explained in this previous blog post.
GoGrid is introducing a new Firewall Service designed to be self-healing and available to all customers in all our data centers. Customers can deploy this service through the management console or API. Having a Firewall Service available to all our customers is an important step in further securing infrastructure in the cloud. Although GoGrid has secured its data centers and has built-in security measures to protect our customers’ infrastructure, our customers want greater granular control of port access for their individual servers. Our new Firewall Service is designed to meet and exceed those needs by making it easy to set up security wherever Cloud Servers are located.
This service comes with several key features:
- Central management
- Global security groups
- Dynamically add and remove servers from security groups
- Define inbound and outbound policies
- Define hierarchical security groups
As opposed to managing host firewalls (that is, firewalls on each server), customers centrally manage GoGrid’s Firewall Service through our management console or the API. This setup saves the time needed to log in to each server over SSH or RDP. It also provides a recovery path for users who have locked themselves out of a server by blocking its access port: in that unhappy accident, simply reopen the blocked port from the management console or API. Instead of logging in to each server to update its host firewall, changes to the Firewall Service are replicated across all data centers quickly and automatically.
Even if one of our nodes is taken offline, the Firewall Service will continue to run for all the other nodes that are online. There is no single point of failure that would take down the entire Firewall Service. Once the node is brought back online, the Firewall Service will recognize this event and continue to protect the Cloud Servers associated with that node. In fact, even in the unlikely event that an entire data center went down, the policies defined in your security groups would still exist in our other data centers. Any updates made in the meantime would sync with the service once that data center is brought back online. This feature makes the Firewall Service an important component of a highly available website solution.
Global Security Groups
One of the key features of this new service is global security groups. When you create a security group, it exists in all our data centers. This capability saves time for users who apply a consistent policy to a specific class of server deployed in multiple locations. Inbound and outbound policies are defined in the security group and apply to every connection associated with it. For customers that have replicated their infrastructure in more than one data center, this means that an update to a security group in one location applies to all locations. Customers can associate Cloud Servers from any data center with a security group. This feature is part of our strategy of building a global fabric for our cloud, which started with CloudLink and extends to new features in this service and future ones.
Dynamically Manage Connections
Our new Firewall Service lets customers add and remove connections (a connection represents a Cloud Server IP plus its interface) from any security group. Customers have the flexibility to move a connection from one security group to another should the role of the server change. Note that you aren’t required to use the Firewall Service and have the option of leveraging our other security offerings or simply deploying your own software security solution. This feature also lets customers easily migrate to our Hardware Firewall options, if desired, without having to restart or delete their Cloud Servers.
Define Hierarchical Security Groups
In a two-tier web application setup, customers can use the Firewall Service to precisely control inbound and outbound access to their Cloud Servers by defining hierarchical security groups, that is, groups whose rules refer to the members of other groups rather than to fixed addresses. For example, a customer with several web servers and database servers can also use Dynamic Load Balancers to manage public traffic. The customer defines two security groups, one called “Web” for all the web servers and another called “Database” for all the database servers. The Web security group is defined to allow traffic on ports 80 and 443 only from the Dynamic Load Balancer VIP. Because everything not explicitly allowed is blocked, this prevents any other IP address from reaching servers in the Web security group, even on ports 80/443. The Database security group is defined to block all public traffic, so the servers in the Web security group can only reach the database servers over the private interface. If a port on the Database security group does need to be opened, customers can open it from the management console and restrict it to servers in the Web security group rather than to any address. This setup provides security across the different tiers as well as the flexibility to open ports when needed and to precisely control which machines can access them.
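The two-tier layout above, worked through as an added example. This is illustrative code written for this post, not GoGrid’s Firewall Service or its API: the group names (“Web”, “Database”) come from the text, the addresses are constructed from documentation ranges, and the rule model (default deny, an `interface` qualifier, and `group:<name>` peers that resolve to a group’s current members) is an assumption about how such hierarchical policies could be expressed.

```python
"""Toy model of hierarchical security groups for a two-tier web app.
Illustrative only; not GoGrid's service or API. Addresses are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses: RFC 5737 documentation ranges for public, RFC 1918 for private.
LB_VIP = "203.0.113.10"
WEB_SERVERS = {"203.0.113.21": "10.0.1.21", "203.0.113.22": "10.0.1.22"}  # public -> private
DB_PUBLIC, DB_PRIVATE = "203.0.113.31", "10.0.1.31"
ATTACKER = "198.51.100.77"


@dataclass(frozen=True)
class Rule:
    """One allow rule. Anything not matched by an allow rule is denied (default deny)."""
    direction: str          # "inbound" or "outbound"
    proto: str              # "tcp", "udp" or "any"
    port: int | None        # None matches every port
    peer: str               # CIDR, "any", or "group:<name>" (current members of another group)
    interface: str = "any"  # limit the rule to "public" or "private" connections


@dataclass
class Connection:
    """A server IP plus interface: the unit that is attached to a security group."""
    ip: str
    interface: str
    group: str


class Firewall:
    def __init__(self) -> None:
        self.groups: dict[str, list[Rule]] = {}
        self.connections: dict[str, Connection] = {}  # keyed by IP

    def create_group(self, name: str, rules: list[Rule]) -> None:
        self.groups[name] = list(rules)

    def add_rule(self, group: str, rule: Rule) -> None:
        self.groups[group].append(rule)

    def attach(self, ip: str, interface: str, group: str) -> None:
        if group not in self.groups:
            raise KeyError(f"unknown security group {group!r}")
        self.connections[ip] = Connection(ip, interface, group)

    def move(self, ip: str, group: str) -> None:
        """Re-associate a connection when a server's role changes; the server is untouched."""
        if group not in self.groups:
            raise KeyError(f"unknown security group {group!r}")
        self.connections[ip].group = group

    def _peer_matches(self, peer: str, addr: str) -> bool:
        if peer == "any":
            return True
        if peer.startswith("group:"):  # membership is resolved at evaluation time
            conn = self.connections.get(addr)
            return conn is not None and conn.group == peer[len("group:"):]
        return ip_address(addr) in ip_network(peer, strict=False)

    def _allowed(self, conn: Connection, direction: str, proto: str, port: int, peer_ip: str) -> bool:
        for r in self.groups[conn.group]:
            if r.direction != direction or r.interface not in ("any", conn.interface):
                continue
            if r.proto not in ("any", proto) or (r.port is not None and r.port != port):
                continue
            if self._peer_matches(r.peer, peer_ip):
                return True
        return False  # default deny

    def decide(self, src_ip: str, dst_ip: str, proto: str, port: int) -> str:
        """A flow passes only if the source's outbound policy and the destination's
        inbound policy both allow it. Endpoints the service does not manage impose none."""
        src, dst = self.connections.get(src_ip), self.connections.get(dst_ip)
        if src is not None and not self._allowed(src, "outbound", proto, port, dst_ip):
            return "deny"
        if dst is not None and not self._allowed(dst, "inbound", proto, port, src_ip):
            return "deny"
        return "allow"


def build_two_tier() -> Firewall:
    fw = Firewall()
    fw.create_group("Web", [
        Rule("inbound", "tcp", 80, f"{LB_VIP}/32"),
        Rule("inbound", "tcp", 443, f"{LB_VIP}/32"),
        Rule("outbound", "tcp", 3306, "group:Database"),  # hierarchical: the peer is a group
    ])
    fw.create_group("Database", [
        # Only Web members, only on the private interface; no rule ever admits public traffic.
        Rule("inbound", "tcp", 3306, "group:Web", interface="private"),
    ])
    for pub, priv in WEB_SERVERS.items():
        fw.attach(pub, "public", "Web")
        fw.attach(priv, "private", "Web")
    fw.attach(DB_PUBLIC, "public", "Database")
    fw.attach(DB_PRIVATE, "private", "Database")
    return fw


def evaluate(fw: Firewall) -> dict[str, str]:
    web_pub, web_priv = "203.0.113.21", "10.0.1.21"
    return {
        "lb_to_web_443": fw.decide(LB_VIP, web_pub, "tcp", 443),
        "attacker_to_web_443": fw.decide(ATTACKER, web_pub, "tcp", 443),
        "lb_to_web_22": fw.decide(LB_VIP, web_pub, "tcp", 22),
        "web_to_db_private": fw.decide(web_priv, DB_PRIVATE, "tcp", 3306),
        "web_to_db_public": fw.decide(web_pub, DB_PUBLIC, "tcp", 3306),
        "attacker_to_db": fw.decide(ATTACKER, DB_PRIVATE, "tcp", 3306),
        "web_to_db_ssh": fw.decide(web_priv, DB_PRIVATE, "tcp", 22),
    }


def reopen_ssh(fw: Firewall, admin_cidr: str = "192.0.2.0/24") -> tuple[str, str]:
    """Lock-out recovery: reopen port 22 centrally instead of logging in to the server."""
    before = fw.decide("192.0.2.5", "203.0.113.21", "tcp", 22)
    fw.add_rule("Web", Rule("inbound", "tcp", 22, admin_cidr))
    after = fw.decide("192.0.2.5", "203.0.113.21", "tcp", 22)
    return before, after


if __name__ == "__main__":
    for name, verdict in evaluate(build_two_tier()).items():
        print(f"{name:22s} {verdict}")
```

Two things worth checking in a model like this before trusting it: the database tier’s public interface stays closed because no rule ever names it, not because a deny rule was remembered; and a `group:` peer is resolved against current membership at evaluation time, so moving a connection out of Web (the `move` method) immediately removes its database access without any rule being edited.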
Designed for the Cloud
We built the Firewall Service to take advantage of all the features of the cloud. It’s based on a brand-new SDN architecture that is resilient and flexible. This approach lets us add new features as needed and extend its capabilities to provide a broader set of services to our customers. Our goal is to provide a core level of security to all customers that solves most security use cases that don’t require a custom, purpose-built solution. If you want to centrally manage your firewalls and better organize your servers with hierarchical security groups, then this service is for you. It’s free to our customers, so be sure to implement it now!
Posted by Rupert Tagnipes