Recently I was discussing the benefits and drawbacks of virtual appliances, software-defined data centers, and self-service approach to application deployment with a group of extremely smart networking engineers.
Intermezzo: the usual objections
These are the objections I usually get from the networking and security teams:
- The developers have no idea what they need;
- The application teams will misconfigure the firewalls, perhaps adding a “permit any any” at the bottom of an access list when everything else fails;
- Who knows what load balancing algorithm they’ll choose… and then they’ll complain the performance isn’t what they expected;
- Who will manage all those firewalls?
- How will you audit thousands of application-specific firewalls?
Back to Amazon
While we’re seriously pondering the grave implications of allowing uncouth hands to touch the network services devices, and deliberating whether to use packet filters or stateful firewalls, Amazon Web Services solved the problem – you can configure security groups, elastic IP addresses, and elastic load balancing with reasonably simple GUI actions or API calls.
Did Amazon implement every single feature found in an F5 load balancer or Palo Alto firewall? Of course not, but what they offer is good enough to get millions of applications deployed on their infrastructure.
Even more interesting, numerous large enterprises already have live Amazon Web Services deployments (usually done without the involvement of networking or security teams)… and yet there are still questions whether
- We can trust those same application developers to do the right thing when deploying their applications in the private cloud;
- We need fancy hardware-based load balancers and firewalls to support those applications.
We’re clearly doing something wrong.
Be conservative, but not rigid
I would be the last one to tell you to use happy-go-lucky approach to network services and security for mission critical applications or legacy **** that’s lying around your data center.
On the other hand, don’t always try to over-engineer your solution to solve the worst case scenario. There are many applications that need just-good-enough performance and security, and if the business owners think it’s OK to deploy them on AWS, it’s perfectly OK to use the same self-service approach when deploying these applications in your private cloud.