Packets, Paths, Policies: 2019

Sunday, December 1, 2019

Microsegmentation in Data Centers: Trends and Implementation in 2019

December, 2019 • 7 min read

As data center environments evolve, the need for granular control over east-west traffic grows. In 2019, microsegmentation emerges as a cornerstone of data center security, offering organizations a method to contain threats, enforce policy, and gain visibility across virtualized and hybrid infrastructures.

Understanding Microsegmentation

Microsegmentation refers to the practice of creating secure zones in data centers and cloud environments to isolate workloads from one another and define security controls down to the workload level. Unlike traditional segmentation that operates at a VLAN or subnet level, microsegmentation works at the application and VM level.

Drivers of Microsegmentation in 2019

Several trends have driven interest and adoption:

East-West Traffic Growth: Lateral traffic in data centers now vastly exceeds north-south traffic, and legacy firewalls can't efficiently monitor this.
Zero Trust Architectures: The need to verify and authenticate traffic inside the network aligns with microsegmentation’s enforcement capabilities.
Virtualization and Hybrid Cloud: Workloads move dynamically across environments, and static controls are no longer sufficient.
Compliance Requirements: Regulations like PCI-DSS and HIPAA require strong internal data isolation and auditing.

Approaches to Microsegmentation

Organizations in 2019 typically adopt one of the following:

Agent-based: Deploy agents on workloads to enforce policies regardless of network topology.
Hypervisor-integrated: Solutions like VMware NSX leverage the hypervisor for granular flow control.
Overlay-based: Use overlay networks with integrated policy engines to manage segmentation independently of physical infrastructure.
Network-based: Leverage next-gen firewalls or SDN to apply policies at the network layer.

Use Cases and Benefits

Effective microsegmentation helps in several ways:

Application Isolation: Prevent unauthorized access between services.
Threat Containment: Stop lateral movement of threats like ransomware.
Policy Enforcement: Centrally define and enforce rules based on workload identity.
Visibility: Gain insights into traffic flows and application behavior.

Challenges and Pitfalls

Despite the benefits, challenges remain:

Operational Overhead: Implementing and maintaining policies requires effort and visibility.
Policy Complexity: With fine-grained rules, mistakes or gaps can create outages or blind spots.
Integration: Aligning microsegmentation with existing tooling and infrastructure can be complex.

Market and Vendor Landscape

In 2019, several key players shape the microsegmentation market:

VMware NSX: Broad adoption in virtualized data centers with integrated firewall capabilities.
Illumio: Agent-based solution focusing on adaptive segmentation and visualization.
Cisco Tetration: Focuses on telemetry and policy enforcement across hybrid environments.
Guardicore Centra: Provides visibility and segmentation for both on-prem and cloud environments.

Strategic Considerations

Before implementation, organizations should:

Map application dependencies and flows.
Start with a visibility phase using monitoring tools.
Pilot segmentation in a test environment or with low-risk apps.
Define operational ownership between security and infrastructure teams.

Conclusion

Microsegmentation in 2019 offers a practical path to Zero Trust and improved security posture. With virtualization and hybrid models becoming the norm, traditional perimeter models fall short. Microsegmentation enables organizations to defend from within and enforce meaningful, workload-centric policies that align with today’s dynamic environments.

Eduardo Wnorowski is a network infrastructure consultant and Director.
With over 24 years of experience in IT and consulting, he helps organizations maintain stable and secure environments through proactive auditing, optimization, and strategic guidance.
LinkedIn Profile

Wednesday, November 20, 2019

Microsegmentation Part 3: Monitoring, Compliance, and Future Evolution

November, 2019 | 10 min read

In this final installment of our deep dive into microsegmentation, we explore how to maintain visibility, ensure compliance, and prepare for future evolution in the security landscape. While the first two parts laid the architectural foundation and discussed deployment strategies, this post focuses on operationalizing microsegmentation at scale.

Security Monitoring in Microsegmented Environments

Microsegmentation introduces a wealth of telemetry opportunities. Once flows are isolated and controlled, visibility into lateral movement becomes clearer. Modern security teams employ:

NetFlow/sFlow analytics: To track East-West traffic patterns across microsegments.
Log correlation platforms: Integration with SIEMs to surface policy violations or anomalous patterns.
Behavioral analytics: Machine learning models that baseline expected behavior within segments.

These tools, when aligned with the segmentation strategy, help avoid blind spots and alert on misconfigurations or breaches in real time.

Ensuring Continuous Compliance

Many microsegmentation projects stem from compliance mandates such as PCI-DSS, HIPAA, or GDPR. Post-implementation, security teams must establish mechanisms to validate that policies remain enforced. This includes:

Automated compliance checks: Daily scans to detect deviations from approved segmentation blueprints.
Audit trails: Immutable logs of policy changes and justifications.
Policy version control: Integration with Git or config management tools to enforce controls.

Automating these processes reduces the risk of drift and improves audit readiness.

Common Pitfalls and How to Avoid Them

Even well-structured microsegmentation rollouts can fail without sustained oversight. Common issues include:

Policy sprawl: Too many granular rules lead to complexity and brittleness.
Change management friction: Inflexible rulesets hinder operational agility.
Visibility decay: Lack of refresh on network baselining leads to missed threats.

To mitigate these, organizations should periodically review policies, sunset obsolete rules, and revalidate flows with evolving business needs.

Microsegmentation and Zero Trust Architecture

Microsegmentation plays a foundational role in Zero Trust initiatives. By default-denying all flows and enforcing identity-aware policies at the workload level, organizations align with Zero Trust principles. Key integrations include:

Identity Providers (IdPs): Map users and roles to specific segments or applications.
Multi-factor enforcement: Apply step-up authentication within sensitive segments.
Session awareness: Tie segmentation decisions to session context and device health.

This evolution blurs the lines between traditional network security and identity-driven access control.

Future Trends: AI, Automation, and Dynamic Segmentation

As cloud adoption accelerates and hybrid environments grow, the future of segmentation lies in adaptability. Key trends shaping the evolution include:

AI-driven policy generation: Algorithms that recommend or auto-generate rules based on observed behavior.
Intent-based segmentation: Business-level abstraction of security intent translated into technical policies.
Dynamic controls: Policies that adapt based on risk scoring, location, or workload status.

These advancements promise to reduce operational burden while increasing the precision of control enforcement.

Conclusion

Successfully implementing microsegmentation requires more than just architectural decisions—it demands continuous monitoring, compliance diligence, and a vision for the future. Organizations that embrace its principles, integrate with identity, and leverage automation will be best positioned to manage risk in modern, dynamic environments.

Friday, November 1, 2019

Network Automation in 2019: Tools, Frameworks, and Real-World Applications

November, 2019 • 8 min read

In 2019, network automation continues to mature as organizations seek to improve operational efficiency and reduce human error in complex IT environments. Automation is no longer an optional add-on — it is a critical enabler for scalable, secure, and agile infrastructure.

Why Network Automation Matters

Enterprises today manage networks that span multiple data centers, public and private clouds, and hundreds of branch sites. Manual provisioning, configuration, and troubleshooting are slow and error-prone. Automation addresses these challenges by enabling consistent, repeatable, and validated network operations.

Key Drivers in 2019

Increased adoption of DevOps practices
Cloud-native infrastructure and API-first design
Advances in programmability across platforms
Pressure to reduce downtime and Mean Time to Repair (MTTR)

Popular Tools and Frameworks

The automation toolkit in 2019 is diverse and powerful. Engineers have access to vendor-agnostic and platform-specific options, including:

Ansible: Widely used for configuration management, provisioning, and orchestration. Modules for Cisco, Juniper, Arista, and more are available.
Python with Netmiko/NAPALM: Offers low-level control and scripting capabilities for network devices via SSH and APIs.
Terraform: Infrastructure as Code (IaC) framework increasingly applied to network infrastructure, especially in cloud environments.
SaltStack and Puppet: Gaining traction for structured policy enforcement and centralized automation control.

Real-World Applications

In real deployments, network automation solves specific business challenges. For example:

Automated VLAN provisioning across hundreds of branch switches
On-demand firewall rule changes via a self-service portal
Continuous compliance checks and drift remediation
Zero-touch provisioning (ZTP) of SD-WAN edge devices

API-First Platforms and Open Standards

Modern network devices and controllers expose RESTful APIs and support JSON/YAML payloads, making integration with automation frameworks easier. Platforms like Cisco DNA Center, Juniper Contrail, and VMware NSX offer northbound APIs for developers to automate and orchestrate workflows.

OpenConfig and gNMI protocols further enable intent-based networking and real-time telemetry collection, allowing operators to build closed-loop automation systems that can act on live data.

Challenges and Considerations

Despite the benefits, challenges remain. Teams must address:

Skills gap in programming and automation design
Toolchain fragmentation and lack of standardization
Complex integration across heterogeneous platforms
Risk of automation errors without proper validation or rollback

Effective network automation requires not only technical tooling, but also cultural adoption, governance, and collaboration across teams.

The Road Ahead

As we look toward 2020, network automation evolves beyond simple scripts and CLI templating. The industry moves toward autonomous networks, intent-driven architectures, and AIOps integration. Tools become smarter, more declarative, and more deeply integrated into CI/CD pipelines.

Organizations that invest early in building automation capabilities are positioning themselves for faster innovation, improved resilience, and reduced operational costs. In 2019, automation is no longer the future — it is the present.

Tuesday, October 1, 2019

Network Function Virtualization: Beyond the Hype

October, 2019 · Reading time: 8 minutes

By late 2019, Network Function Virtualization (NFV) has matured from an experimental concept into an essential component of modern service provider and enterprise architectures. The initial enthusiasm gave way to cautious evaluation, then to more deliberate adoption. This blog dives into where NFV stands now, what problems it solves today, and what it means for the future of network infrastructure.

NFV: A Quick Recap

NFV decouples network functions—like firewalls, load balancers, or WAN optimization—from proprietary hardware, enabling them to run as virtual machines or containers on commodity x86 servers. The goal is to improve agility, reduce capex/opex, and align network infrastructure with cloud-native principles.

Real-World Use Cases

Today, service providers use NFV to deploy virtual customer-premises equipment (vCPE), virtual evolved packet cores (vEPC), and virtual firewalls. Enterprises rely on NFV for branch connectivity, integrated service chaining, and elasticity in multi-site WANs.

Operational Benefits

Rapid provisioning and scaling
Centralized management via orchestration platforms like ETSI MANO
Improved service agility and reduced time-to-market
Hardware lifecycle decoupled from software innovation

Challenges and Constraints

Despite its potential, NFV adoption has seen delays. Performance concerns (especially for stateful functions), orchestration complexity, and interoperability gaps continue to plague large-scale NFV rollouts. Some organizations find that traditional appliances still outperform VNF equivalents for packet-intensive workloads.

NFV and SDN: Friends or Foes?

NFV and Software Defined Networking (SDN) are often confused or conflated. While SDN separates control and data planes to centralize policy, NFV focuses on virtualization of specific network services. Together, they offer powerful synergies, especially when orchestrated using a unified platform such as ONAP or OpenStack Tacker.

Deployment Models

Single-VNF on Single VM: Easy to deploy but less resource efficient
Multi-VNF Service Chains: Enables complex policies and services
Containerized VNFs (CNFs): A rising trend, especially in Kubernetes environments

Vendor Landscape

Leading vendors have adapted their product lines to support NFV. Cisco, Juniper, Nokia, and VMware all offer robust VNF portfolios and orchestration tools. Open-source initiatives like OPNFV and Open Baton have also driven innovation, helping standardize interfaces and improve VNF validation.

NFV in Hybrid Environments

Many enterprises mix physical and virtual appliances, blending traditional routers with NFV-based firewalls and WAN optimizers. Hybrid models allow for incremental transitions, enabling gradual migration without massive forklift upgrades.

Future Outlook

Looking ahead, NFV continues to evolve. The rise of 5G, edge computing, and containerization will further shape the role of virtual network functions. As Kubernetes-native networking matures, we expect many legacy VNFs to be refactored into CNFs, optimized for microservices and horizontal scaling.

Sunday, September 1, 2019

Data Center Modernization: Aligning Virtualization, Automation, and Resilience

September, 2019 • Reading Time: 9 min

As the pace of IT transformation accelerates, modernizing the data center becomes an imperative for organizations aiming to remain competitive, secure, and agile. In 2019, many enterprises face the reality of legacy architectures that struggle under the weight of cloud-native demands, hybrid deployments, and increasing pressure for automation. This post explores a modern approach to data center evolution—balancing virtualization, automation, and operational resilience.

Shifting from Hardware-Centric to Software-Defined

Traditional data centers heavily rely on purpose-built hardware, with rigid silos for compute, storage, and networking. This model no longer supports the velocity of modern IT needs. The shift to software-defined infrastructure—where virtualization abstracts compute, storage, and network resources—creates a more flexible and programmable foundation. VMware, Hyper-V, and KVM remain key virtualization technologies, but software-defined storage and software-defined networking are gaining significant traction.

Automation: The Backbone of Modern Operations

Virtualization introduces flexibility, but without automation, operations remain cumbersome. Organizations deploy orchestration platforms like vRealize Automation, Cisco UCS Director, or Ansible Tower to streamline provisioning, policy enforcement, and lifecycle management. These tools reduce human error, improve time-to-deploy, and establish consistent environments. Automation also lays the groundwork for Infrastructure as Code (IaC), where infrastructure templates are stored in version-controlled repositories.

Resilience through Microsegmentation and High Availability

Modernization efforts must address both agility and resilience. Traditional perimeter defenses are insufficient; segmentation within the data center is vital. Tools like VMware NSX or Cisco ACI support microsegmentation, limiting lateral movement and enabling granular control. Additionally, technologies such as clustered hypervisors, distributed storage (vSAN, Ceph), and load-balanced application layers ensure high availability even during hardware failures.

Hybrid Cloud Integration

Enterprises increasingly embrace hybrid cloud strategies—extending workloads to AWS, Azure, or private clouds. A modern data center should support workload mobility, seamless identity management, and unified monitoring. Solutions like Azure Stack, VMware Cloud on AWS, or Cisco CloudCenter help orchestrate workloads across environments. Hybrid readiness also demands robust WAN architectures, often supported by SD-WAN overlays.

Monitoring, Analytics, and Capacity Planning

Data center modernization also requires enhanced visibility. Legacy monitoring solutions fall short in dynamic environments. Tools like Prometheus, vRealize Operations, and AppDynamics provide real-time performance data, anomaly detection, and predictive analytics. Capacity planning shifts from static sizing to dynamic modeling—forecasting future demands based on actual usage patterns.

Security Integration Across the Stack

Security must be embedded at every layer. Modernized environments integrate security into CI/CD pipelines, enforce policy via automated templates, and use behavioral analytics to detect threats. Endpoint Detection and Response (EDR), Data Loss Prevention (DLP), and automated incident response are becoming standard. Integration with SIEM platforms like Splunk or ELK allows centralization of security telemetry.

Migration Strategies and Operational Readiness

Data center modernization is often phased. Initial steps include assessing legacy systems, identifying quick wins, and building modernization blueprints. Lift-and-shift migrations, refactoring, or re-platforming decisions depend on workload criticality and refactoring cost. Pilot programs help validate architectures, with fallback mechanisms ensuring business continuity. Teams must also update skill sets and adopt DevOps principles to fully realize the benefits.

Conclusion

Modernizing the data center is not a one-time event—it is an ongoing journey that aligns infrastructure with business goals. Organizations that embrace virtualization, automation, and resilience position themselves to thrive in a cloud-integrated, security-conscious, and performance-driven landscape.

Looking to modernize your own data center?
Start with a clear assessment of legacy pain points, identify automation opportunities, and align your IT strategy with your business roadmap. Your transformation journey starts today.

Thursday, August 1, 2019

Privileged Access Management in Hybrid Environments

August, 2019 - Reading time: 8 minutes

Organizations increasingly operate in hybrid IT environments, blending on-prem infrastructure with cloud services. With this architectural shift, managing privileged access becomes a critical concern. In August 2019, this topic remains highly relevant as more enterprises explore zero trust architectures and adopt modern PAM (Privileged Access Management) approaches that span legacy and cloud-native resources.

Understanding Privileged Access

Privileged access refers to the ability to perform administrative actions, bypass standard security restrictions, or manipulate system-level resources. Examples include domain administrators, root users on Linux systems, and subscription owners in cloud platforms.

In hybrid environments, privileged identities extend across:

On-prem Windows Active Directory accounts
Cloud admin roles (e.g., Azure Global Admin, AWS root)
SaaS platform admins (e.g., M365, Salesforce)
Application-level superusers and DBAs

Challenges of PAM in a Hybrid World

Managing these identities consistently across silos is not trivial. Challenges include:

Shadow Admins: Accidental over-permissioning through group memberships or legacy policies
Credential Sprawl: Untracked use of local admin accounts or embedded credentials in scripts
Audit Gaps: Limited visibility into who accessed what, when, and why
Cloud Drift: New IAM roles and policies created in cloud platforms without oversight

Modern PAM Approaches

Leading PAM solutions in 2019 (e.g., CyberArk, BeyondTrust, Thycotic) begin supporting hybrid environments with:

Session recording and keystroke logging for both cloud and on-prem access
Just-in-time (JIT) elevation tied to approval workflows
Integration with cloud-native identity providers (e.g., Azure AD)
Credential vaulting for apps and scripts
Federated access controls across IaaS, PaaS, and SaaS platforms

Zero Trust and PAM

In 2019, zero trust principles start shaping PAM strategies:

Never trust—always verify privileged users even inside the network
Enforce MFA for all admin access attempts
Limit admin privileges to specific tasks and time windows
Audit all actions at the session level

Best Practices

Conduct regular privilege audits across all environments
Apply role-based access control (RBAC) and least privilege principles
Rotate credentials frequently, especially for shared service accounts
Use jump servers with strong authentication for high-value systems
Eliminate local admin rights on workstations unless explicitly approved

Looking Forward

The hybrid nature of IT is not going away. PAM strategies must adapt to span containers, serverless functions, and identity federation across partners and clouds. Expect more vendor consolidation, native cloud PAM capabilities, and AI-enhanced anomaly detection in privilege sessions.

Saturday, July 20, 2019

Microsegmentation Part 2: Implementation Strategies and Pitfalls

July, 2019 | 9 min read

Introduction

As organizations transition from microsegmentation theory to implementation, new challenges and opportunities arise. This post builds on the foundational concepts introduced in Part 1, focusing on practical strategies for deploying microsegmentation across diverse network environments.

Choosing the Right Segmentation Model

The success of microsegmentation heavily depends on selecting the appropriate model. Organizations typically choose between agent-based, hypervisor-based, and network-based segmentation approaches. Each has distinct pros and cons depending on environment, workload type, and compliance requirements.

Agent-Based Approaches

Agent-based microsegmentation offers deep visibility and enforcement at the workload level. Solutions like Illumio or Guardicore rely on lightweight agents installed on endpoints to monitor and enforce policies. This model is especially effective in hybrid cloud deployments where traditional network perimeters no longer apply.

Hypervisor-Level Control

VMware NSX exemplifies hypervisor-based segmentation. By embedding controls at the virtualization layer, organizations can apply policy enforcement between VMs regardless of IP schema or physical location. This model is ideal for large virtualized data centers seeking granular east-west traffic control.

Network-Based Solutions

Traditional network appliances—firewalls, ACLs, segmentation switches—still play a role. Cisco’s TrustSec, for example, enables role-based access controls through network fabric integration. While less granular than workload-based methods, this approach can scale efficiently when paired with dynamic policy orchestration.

Policy Definition and Lifecycle

Defining policy is both a technical and organizational task. Policies should reflect business context, application criticality, and threat models. A zero trust posture suggests starting from deny-all, then allowing only what’s explicitly required. Continuous monitoring and policy refinement must follow initial implementation.

Tooling and Ecosystem Integration

Modern microsegmentation tools integrate with SIEMs, orchestration platforms, and CI/CD pipelines. Visibility platforms like Stealthwatch or ExtraHop help validate segmentation effectiveness. Automation and feedback loops reduce operational overhead and improve response to configuration drift or new threats.

Challenges and Pitfalls

Overly aggressive policies: Starting with blanket denials can break application dependencies if not thoroughly mapped.
Blind spots: Legacy systems or unmanaged workloads often fall outside segmentation scope.
Operational fatigue: Poorly planned implementations can lead to alert fatigue or rule sprawl.
Lack of stakeholder alignment: Without cross-functional buy-in, enforcement gaps or rollback pressures may arise.

Best Practices for Rollout

Begin with visibility mode. Use the first few weeks to analyze traffic flows and refine your application maps. Then, implement policy in stages—starting with non-critical workloads—and validate behavior. Enable enforcement gradually and monitor impacts.

Microsegmentation for Containers and Cloud

Microsegmentation in Kubernetes environments differs fundamentally. Tools like Calico, Cilium, and service mesh frameworks (e.g., Istio) provide identity-based segmentation at the pod or namespace level. In public clouds, security groups and native firewalls play key roles, though layered controls are often necessary.

Conclusion

Microsegmentation offers powerful controls but demands clear strategy, strong visibility, and continuous governance. The next and final post in this series will explore real-world case studies and advanced integration techniques to help mature your deployment model.

Monday, July 1, 2019

Legacy Systems, Modern Demands: Approaches to Mainframe Integration

July, 2019 | Reading Time: ~9 mins

Mainframes still run critical workloads in sectors like finance, government, and manufacturing. Despite being decades old, they continue to demonstrate unmatched reliability, scalability, and transactional performance. However, modern business demands – APIs, mobile access, cloud-native applications – require seamless integration between these legacy systems and modern platforms.

Understanding the Legacy Landscape

Many mainframes support COBOL, assembler, or RPG-based applications written in the 70s, 80s, and 90s. These applications are typically monolithic, highly optimized, and mission-critical. They often rely on terminal emulators or proprietary protocols like TN3270 for access.

Challenges include:

Rigid interfaces and lack of modularity
Limited documentation and tribal knowledge
Performance risks in exposing core services externally

Modern Integration Approaches

To meet evolving IT requirements, organizations take various integration paths:

1. API Wrappers

Middleware tools can expose mainframe functions as RESTful APIs. These wrappers encapsulate legacy processes and allow mobile or web clients to invoke them securely without altering the base code.

2. MQ and Messaging Layers

IBM MQ, RabbitMQ, and other message brokers facilitate asynchronous communication between distributed services and mainframes. This decouples traffic spikes and improves system resilience.

3. ETL for Batch Processing

Data-centric systems often use extract-transform-load (ETL) pipelines to synchronize mainframe data with modern analytics platforms or data lakes for reporting and machine learning.

4. Coexistence via Hybrid Cloud

Hybrid approaches let mainframes handle core processing while cloud-native applications augment capabilities such as user interfaces, orchestration, or analytics. This balances stability and innovation.

Case Studies from the Field

A large bank exposes its credit evaluation logic via secure APIs to its mobile app, enabling real-time loan pre-approvals. Another government agency replicates mainframe data hourly to the cloud, providing constituents with real-time case status updates.

These examples show how mainframe integration unlocks agility while preserving core strength.

Security and Governance

Legacy systems often lack modern security postures. Integration requires strict identity management, encrypted communication, and API gateways to prevent unauthorized access or denial-of-service attacks.

Role-based access controls (RBAC), zero trust principles, and token-based authentication must wrap all exposed services.

Choosing the Right Strategy

There’s no one-size-fits-all. Factors influencing the strategy include:

Age and maintainability of mainframe applications
Risk tolerance and compliance landscape
Scalability requirements
Available integration tooling and expertise

Tools and Vendors

Popular tools include IBM z/OS Connect, Rocket LegaSuite, MuleSoft, and Red Hat Integration. Each addresses different portions of the integration stack – from protocol translation to data synchronization and orchestration.

The Road Ahead

Mainframe integration is not a modernization effort in isolation. It’s part of a broader enterprise digital strategy. With disciplined APIs, robust governance, and smart architectural decisions, organizations can turn legacy into leverage.

Saturday, June 1, 2019

Container Networking: Bridging Kubernetes, Service Meshes, and Traditional Networks

June, 2019 | Estimated Reading Time: 8 minutes

Introduction

As container adoption grows in production environments, the network layer supporting these workloads becomes increasingly important. In June 2019, organizations running Kubernetes-based workloads face real operational questions around service discovery, mesh integrations, east-west traffic management, and legacy interconnectivity.

The Shift to Container-Centric Networking

Traditionally, network teams handled L2–L4 connectivity with clear demarcation between application and infrastructure. However, in a containerized world, developers rely heavily on overlay networks, DNS-based discovery, and dynamic ingress/egress configuration. Kubernetes-native networking is built on simplicity, but scaling it introduces new challenges.

Kubernetes Networking 101

Kubernetes uses a flat IP model, where every pod gets its own IP address and can communicate with any other pod. This simplicity masks real-world complexities involving CNI plugins, node boundaries, NAT traversal, and multi-cluster federation. Most clusters at this point use either Calico, Flannel, or Cilium as their CNI provider.

Service Mesh: Abstraction or Complication?

Service meshes like Istio, Linkerd, and Consul add policy control, observability, and traffic shifting capabilities. By injecting sidecar proxies into pods, they allow features like mTLS, retries, circuit breakers, and telemetry without application changes. But the networking implications are non-trivial — double hops, port management, and overlapping namespaces create new attack surfaces and operational risks.

Integrating with Traditional Network Domains

Real-world environments still include databases, mainframes, and third-party APIs not hosted in Kubernetes. Bridging container overlays with existing VLANs, firewalls, and routers requires precise ingress routing, often implemented via Envoy or NGINX gateways. East-west and north-south policies must be defined in both network ACLs and mesh rules, leading to potential drift if not carefully audited.

Network Policy and Microsegmentation

Network security in Kubernetes relies on enforced network policies. Calico and Cilium provide policy engines that allow pod-level segmentation, namespace isolation, and flow visibility. As DevSecOps matures, these policies must reflect dynamic application boundaries, rather than static IPs or ports.

DNS and Service Discovery

Kube-DNS or CoreDNS provide service discovery for pods via internal DNS. However, hybrid environments often rely on external DNS resolution, load balancers, or IPAM systems. Managing dual DNS zones for internal and external resolution — especially in multi-cluster setups — becomes operationally sensitive. Integrating Kubernetes service discovery with enterprise registries like Consul adds even more layers to troubleshoot.

Future Outlook

By 2019, service mesh adoption starts to move from hype to maturity. Networking teams explore integrations with SDN controllers, DNS providers, and cloud firewalls. More clusters adopt ingress controllers with WAF capabilities, such as NGINX Plus or AWS ALB Ingress. TLS termination and SNI routing become first-class requirements.

Conclusion

Networking in containerized environments demands collaboration between infrastructure, security, and application teams. Kubernetes simplifies much, but operational networking remains a core challenge in delivering resilient, observable, and secure applications. Engineers must understand not only the mechanics of Kubernetes networking, but also how to bridge it with legacy, multi-cloud, and zero-trust architectures.

Wednesday, May 1, 2019

API Management and Integration in Modern Enterprise Architecture

May, 2019 • Reading time: ~7 minuetes

Modern enterprise architecture is evolving rapidly in response to digital transformation, the proliferation of cloud services, and the need for agility in delivering services. At the heart of this evolution lies API management and integration strategy — key enablers of modularity, reusability, and streamlined interconnectivity across systems.

Why API Management Matters in 2019

As organizations adopt microservices and cloud-native patterns, APIs become the glue binding disparate components. APIs expose business logic securely, enabling external consumption, while maintaining policy enforcement, version control, and scalability through robust API gateways. In 2019, IT teams are prioritizing API-first design and management platforms such as Apigee, Kong, and Mulesoft to gain visibility, analytics, and monetization capabilities.

Shift from Integration Middleware to API-Driven Models

Legacy enterprise service buses (ESBs) are no longer agile enough to support today’s distributed, cloud-based services. RESTful APIs, lightweight messaging, and event-based integration are supplanting traditional models. Teams are replacing monolithic middleware with decentralized integration layers built around API catalogs, self-service developer portals, and policy-as-code to ensure consistent governance.

Governance, Security, and Lifecycle Management

Robust API strategies extend beyond development. Security is baked in through OAuth2, rate limiting, and encryption. Lifecycle management tools ensure teams retire obsolete APIs and maintain versioning discipline. Governance frameworks in 2019 emphasize collaboration between architects, developers, and business stakeholders, often with automated approval workflows.

Event-Driven Integration and Microservices

Enterprises embracing event-driven architectures (EDA) are integrating Kafka or other streaming platforms to decouple producers and consumers. This reduces latency, improves scalability, and aligns perfectly with microservices. APIs in these ecosystems act as command and query layers, while events provide observability and traceability. Businesses in finance, logistics, and retail are already experiencing enhanced responsiveness through EDA models.

API Monetization and Internal Developer Enablement

Leading enterprises are treating APIs as products. They onboard consumers through internal or external marketplaces, track usage for chargebacks, and incentivize reuse. In 2019, firms focus on developer experience (DX), using Swagger/OpenAPI specs and SDK generators to accelerate adoption. Onboarding a partner or spinning up new apps takes days instead of months with the right DX practices.

Common Pitfalls and Strategic Considerations

Overexposing systems: APIs should not bypass internal security reviews. Use threat modeling early.
Ignoring observability: APIs should emit metrics, logs, and traces for operations teams.
Lack of reusability: Avoid building tightly coupled, one-off APIs that duplicate functionality.
Not aligning with business: APIs must reflect business domains and SLAs, not just technical convenience.

Looking Ahead

As 2020 approaches, API management becomes more integrated with DevOps and CI/CD pipelines. Teams integrate API tests into build stages, deploy spec changes as part of GitOps, and automate security scans. Enterprises that adopt these practices benefit from faster iteration, fewer outages, and improved digital agility.

Need to align your enterprise architecture with modern API strategies?
Explore best practices in integration and governance with hands-on experience and tailored workshops.

Monday, April 1, 2019

Cloud Cost Optimisation, Governance and Sprawl Control

April, 2019 · Estimated reading time: 9 minutes

The promise of the cloud has always revolved around agility, scalability, and cost savings. However, as organisations scale their cloud usage, they often find themselves grappling with unexpected expenses, sprawl, and fragmented governance. In 2019, as cloud adoption matures, the focus shifts from migration to optimisation.

Understanding the Cloud Cost Challenge

Cloud expenses often creep up silently. Teams spin up resources for development and testing, leave them running, or duplicate workloads for temporary use cases. Without tight governance, organisations lose visibility into where costs accumulate.

In multi-cloud environments, where different teams use different platforms, billing becomes even harder to track. Enterprises that once embraced “lift and shift” find that legacy architecture on cloud infrastructure only increases operating costs.

Cloud Governance Frameworks

Implementing a cloud governance model is essential. This includes defining policies for provisioning, access control, data sovereignty, tagging, and lifecycle management.

Policy enforcement: Enforce guardrails around instance types, regions, and pricing tiers.
Resource tagging: Enable categorisation by department, project, or environment to enable cost reporting and accountability.
Automation: Use scheduled jobs or serverless functions to stop idle resources and scale compute dynamically.

Optimising with FinOps Principles

FinOps—an evolving financial management discipline for cloud—helps bridge the gap between engineering, finance, and business. It promotes collaborative spending decisions with real-time visibility into cost metrics.

In 2019, enterprises adopt FinOps tooling and practices such as:

Rightsizing: Adjusting compute resources to actual workload usage based on monitoring data.
Commitment plans: Leveraging reserved instances or savings plans with AWS, Azure, or Google Cloud for predictable workloads.
Chargebacks: Assigning cloud usage to business units to drive ownership and accountability.

Controlling Sprawl

Cloud sprawl is the unchecked proliferation of services across environments. It introduces risks, complexity, and cost inefficiencies. Preventing it requires cultural and procedural change:

Establish a Cloud Center of Excellence (CCoE).
Adopt infrastructure as code (IaC) to track deployments.
Audit accounts regularly and decommission unused services.

Modern Tooling for Visibility

Leading organisations use third-party cost monitoring platforms such as CloudHealth, Apptio Cloudability, and native tools like AWS Cost Explorer or Azure Cost Management. These offer granular insight into spend trends, anomalies, and optimisation opportunities.

These tools help automate budgeting alerts and anomaly detection—critical in environments where development teams operate independently.

Cloud Cost Reviews as a Practice

Forward-thinking IT teams embed monthly or quarterly cost reviews into their operational rhythm. These reviews look at spend variance, forecast accuracy, optimisation backlog, and tagging coverage. They often include recommendations for remediation and business impact.

By treating cost management as a continuous process, teams evolve beyond reactive cost-cutting and toward proactive planning.

Aligning Governance with Business Goals

It’s not just about saving money—it’s about aligning spend with outcomes. For example, higher cloud spend may be acceptable if it enables faster delivery, uptime guarantees, or customer satisfaction improvements.

Effective governance should therefore embed business context into decisions. FinOps culture encourages conversations around trade-offs between cost and value—making it a strategic advantage, not just an operational task.

Conclusion

Cloud cost optimisation in 2019 demands more than shutting down idle instances. It calls for holistic governance, engineering discipline, cultural alignment, and tooling. With FinOps and modern governance models, businesses can maintain agility while keeping cloud economics under control.

Eduardo Wnorowski is a network infrastructure consultant and Director.
With over 24 years of experience in IT and consulting, he helps organisations maintain stable and secure environments through proactive auditing, optimisation, and strategic guidance.
LinkedIn Profile

Wednesday, March 20, 2019

Microsegmentation Part 1: Foundations of Modern Network Security

March, 2019 - Reading time: 9 minutes

In this deep dive series on microsegmentation, we begin with the foundational principles that support this critical shift in how modern IT environments address east-west traffic, application boundaries, and lateral threat movement. This post sets the stage for the architectural and policy-level practices discussed in Part 2 and 3, scheduled for July and November, respectively.

Why Traditional Perimeter Security Falls Short

Historically, network security has relied on the perimeter-based model. Firewalls, DMZs, and IDS/IPS solutions formed the outer ring of defense. However, with virtualization, hybrid cloud, mobile access, and microservices, the perimeter has eroded. Threat actors exploit lateral movement inside trusted zones, bypassing the very model meant to contain them.

What Is Microsegmentation?

Microsegmentation is the practice of creating secure zones within data centers and cloud environments, down to the level of individual workloads or application tiers. Instead of trusting everything inside the perimeter, policies define how specific resources communicate, often enforced through software-defined networking (SDN), hypervisor firewalls, or host-based agents.

Use Cases Driving Adoption

Data Breach Containment: Prevents lateral movement after an initial breach.
Application Isolation: Segments applications that coexist on the same infrastructure.
Compliance: Helps enforce PCI, HIPAA, GDPR segmentation requirements.
Zero Trust Enablement: Provides granular enforcement aligned with identity and device posture.

Foundational Building Blocks

Effective microsegmentation relies on several pillars:

Visibility: Deep insight into application flows and dependencies.
Policy Framework: A model to translate business intent into technical enforcement.
Enforcement Points: Hypervisor, NIC, OS-level agents, or SDN solutions.
Automation: Dynamic updates to policies based on context or telemetry.

Common Implementation Approaches

Enterprises choose various methods for enforcement:

Host-Based Agents: Offer portability and independence from hypervisors or cloud platforms.
Virtual Switches: Integrate with vSphere or Hyper-V networks to enforce rules in traffic flows.
SDN Controllers: Centralize policy management across distributed workloads.
Cloud-Native Tools: AWS Security Groups, Azure NSGs, and GCP Firewall Rules are gaining traction.

Challenges and Pitfalls

Despite the benefits, microsegmentation is not a silver bullet. Common challenges include:

Visibility Gaps: Incomplete traffic mapping leads to false positives or outages.
Complexity: Managing policies across dynamic environments is non-trivial.
Performance: Inline enforcement at scale may impact latency or throughput.

Looking Ahead

Part 2 of this series will delve into Policy Design and Enforcement strategies. Part 3 will explore Microsegmentation in Hybrid and Multi-Cloud Deployments, covering vendor approaches, real-world deployments, and lessons learned.

👉 Stay tuned for the next part in this microsegmentation deep dive. Explore policy models, enforcement engines, and design patterns that work in the real world.

Friday, March 1, 2019

Network Automation: Scaling Your Infrastructure Strategically

March, 2019 | Reading time: 8 min

In March 2019, network teams face growing pressure to manage ever-larger infrastructures while maintaining agility, uptime, and compliance. As networks span across on-premises, cloud, and hybrid environments, the role of automation becomes essential. Network automation moves beyond the convenience of scripting—it becomes a necessity for scale, accuracy, and rapid deployment.

Why Network Automation Now?

Organizations increasingly operate in real-time digital environments. Manual configuration simply cannot keep up with the speed of demand. Network automation addresses this gap by enabling consistency and repeatability, minimizing configuration errors, and accelerating service delivery.

By automating provisioning, monitoring, and compliance, engineers reclaim time and focus on higher-value activities such as design, performance optimization, and strategic planning. This shift is not about eliminating human roles but about empowering teams to work smarter.

Key Use Cases Driving Automation

Zero-touch provisioning (ZTP): Automatically configures new devices as they come online.
Configuration management: Ensures all devices adhere to golden configurations and compliance baselines.
Automated remediation: Responds to events such as link failure, latency, or policy violation in real time.
Cloud integration: Automates networking components as infrastructure is deployed or scaled in public clouds.

Choosing the Right Tools

The 2019 landscape includes a robust ecosystem of tools designed to support automation across multiple layers. Popular choices include:

Ansible: Widely used for its agentless design and YAML-based playbooks, ideal for network devices and systems alike.
SaltStack: Offers high scalability and robust remote execution features.
Python and Nornir: Offers full programmability for engineers wanting full control with extensibility.
Vendor-specific platforms: Cisco NSO, Juniper Contrail, and Arista CloudVision provide deep integration with their ecosystems.

Tool choice should align with the environment’s diversity and the team’s expertise. Open-source frameworks offer flexibility and cost savings but may require more ramp-up time.

Integrating with Change Management

Automation must coexist with enterprise change control processes. Integration with ITSM platforms like ServiceNow and ticketing workflows ensures visibility and accountability. Teams should build in automated pre-checks, rollback logic, and post-change validations to support safe deployment practices.

Security Considerations

Automation frameworks often require privileged access. Best practices in 2019 include:

Using secure credential vaults (e.g., HashiCorp Vault, CyberArk)
Implementing role-based access control (RBAC) for playbooks and scripts
Auditing changes made by automation tools

Security must be part of the automation strategy from day one.

Scaling the Automation Journey

Start small. A pilot project—like automated backup configuration or interface description syncing—builds credibility and trust. Document success, gather metrics (e.g., time saved, incidents reduced), and expand gradually. Teams should treat playbooks and scripts as production code, following CI/CD principles and version control (e.g., Git).

Looking Ahead

As we progress through 2019, intent-based networking and closed-loop automation gain traction. These approaches elevate automation to the level of business intent, automatically translating goals into device configurations and behaviors. While early in adoption, they hint at the future: a self-operating, self-healing network.

Friday, February 1, 2019

Infrastructure as Code: 2019 Trends, Tools, and Best Practices

February 2019 • 8 min read

Understanding Infrastructure as Code (IaC)

Infrastructure as Code (IaC) becomes increasingly critical in 2019 as enterprises adopt DevOps, multi-cloud strategies, and rapid release cycles. By treating infrastructure configurations as software, IaC enables consistent environments, faster deployments, and improved scalability.

Key Drivers of IaC in 2019

As businesses embrace automation and agility, the need for repeatable, versioned infrastructure becomes a top priority. This year, we see greater adoption driven by:

Multi-cloud and hybrid cloud architectures
Containerized workloads and orchestration platforms (e.g., Kubernetes)
Demand for zero-downtime deployments and rollback capabilities
Auditability and compliance in regulated industries

Popular IaC Tools and Frameworks

The IaC ecosystem continues to evolve. Leading tools in 2019 include:

Terraform: Vendor-agnostic provisioning tool with declarative syntax and strong community support
CloudFormation: AWS-native IaC with tight integration and growing modularity via nested stacks
Ansible: Agentless configuration management that blends well with provisioning
Pulumi: Newer option using general-purpose languages like Python and TypeScript for infrastructure logic

IaC and DevOps Synergy

DevOps teams adopt IaC to accelerate build pipelines and reduce manual provisioning errors. IaC integrates with CI/CD tools like Jenkins, GitLab CI, and Azure DevOps. This synergy creates predictable environments and reinforces the principle of "infrastructure drift prevention."

Best Practices for IaC Adoption

To succeed with IaC in 2019, organizations should follow these principles:

Use version control (e.g., Git) for all infrastructure code
Implement code review workflows and automated testing
Adopt modular templates and parameterization
Leverage policy-as-code (e.g., Sentinel, OPA) to enforce standards
Document architecture and dependencies thoroughly

Challenges to Watch

Despite its advantages, IaC presents challenges such as:

Steep learning curve for non-developers
Security misconfigurations in reusable modules
Complexity of drift detection in large-scale deployments
Tool sprawl and inconsistent adoption across teams

Future Outlook

IaC becomes foundational to cloud-native operations in 2019. Expect to see deeper integration with service meshes, automated remediation using AI/ML, and expansion of IaC to network infrastructure and policy domains. As organizations mature in DevSecOps, IaC will play a central role in maintaining governance and agility.

💡 Tip: Start small with IaC by codifying a single environment or workflow. Version it, test it, and iterate. Expand from there as the team gains confidence and architectural clarity.

Tuesday, January 1, 2019

DNS Flag Day: Impact on Networking and DNS Operations

January 2019 - Reading Time: 10 minutes

What Is DNS Flag Day?

DNS Flag Day 2019 is a community-driven initiative by major DNS providers to drop support for non-compliant DNS implementations that break Extension Mechanisms for DNS (EDNS). It marks a pivotal shift toward better interoperability, simpler DNS software, and reduced operational complexity.

Why It Matters

Historically, DNS resolvers implemented numerous workarounds to accommodate broken authoritative servers that fail to comply with EDNS standards. This bloats resolver code and complicates deployments. DNS Flag Day establishes a cutoff point—after which resolvers no longer apply these workarounds.

How DNS Flag Day Affects Networks

On or after January 1, 2019, resolvers (including those from vendors like Google, Cloudflare, Cisco OpenDNS, and ISC’s BIND) stop sending fallback queries to non-EDNS-compliant servers. If your DNS server fails to respond correctly to EDNS, it becomes unreachable to participating resolvers.

Testing Your DNS

Testing compliance is straightforward using the official DNS Flag Day test tool provided at dnsflagday.net. The test identifies EDNS compliance issues and offers suggestions for resolution. Administrators are encouraged to verify their domains and infrastructure well in advance.

Common Compliance Issues

Firewalls dropping EDNS packets
DNS software improperly handling EDNS options
Responses with truncated flags and incorrect behavior under TCP fallback

Steps for Operators

Network and system operators should audit and upgrade their DNS infrastructure. Recommended actions:

Update DNS server software (e.g., BIND, NSD, Unbound) to recent versions
Check firewall policies for UDP packet size constraints
Perform EDNS compliance tests on authoritative zones

Industry Impact

This initiative reflects an industry-wide shift toward protocol enforcement and clean implementation. It prioritizes correctness over legacy support. While it introduces short-term pain for non-compliant systems, long-term gains include improved DNS stability, cleaner resolver stacks, and increased security.

Looking Forward

DNS Flag Day 2019 represents the beginning of a more aggressive approach to DNS protocol enforcement. Future flag days may focus on other problematic behavior or deprecated configurations. Operators should treat this event as a model for how protocol communities will push modernization.