VMware Cloud Foundation’s (VCF) new configuration was eagerly awaited. There have been many questions about what VCF would look like exactly and, more importantly, what it would mean for DevOps customers now that VCF is under the Broadcom umbrella. While there has been a lot of discussion about price increases for some customers following licensing changes and other attributes of VMware honing its product portfolio under Broadcom, we have now seen, during the past few days, releases detailing what VCF now means, what it has to offer and what is planned for the future.
To that end, a lot of care has been taken to accommodate emerging needs, especially private cloud ownership for large, geographically distributed operations across many different sectors. This often includes the IoT and edge applications that private clouds are configured to support. There is also a simplification of VCF’s portfolio under Broadcom, which we will detail below.
The company detailed several features, including VCF’s management of hyper-converged infrastructure and its consolidation of storage and operations environments under a single umbrella, uniting or “de-siloing” them. This offers many advantages and accounts for much of the hype surrounding VCF.
At the same time, the development of VCF’s offering
The biggest challenge in serving digital services across vast, global networks is enabling those services to communicate with each other securely. Securing the endpoints is often not nearly as daunting as securing the routes between them.
If you’ve ever used ngrok to generate an ad hoc secure tunnel so that services and browsers can contact your application even when hosted on localhost, you’ve probably asked yourself whether it would be possible to deliver your production apps and APIs in the same frictionless manner.
If you’re staging an API for testing on your dev team’s network or even your personal laptop, ngrok gives you a way to
By default (and design), Linux is one of the most secure operating systems on the planet. That doesn’t mean, however, that you can or should assume that the out-of-the-box experience gives you all the security you need.
I tend to assume this: If a computer is attached to a network, it’s vulnerable. You should always keep that in mind when considering the security of the desktop or server you are using and you should take any means possible to protect the data within and the data you transmit and receive.
At this point, you’ve probably heard of virtual private networks (VPNs). They’re everywhere. Of course, the VPNs of today aren’t exactly the same as the ones we used years ago. Back in the day, when you needed to connect to your company network (to access various resources), you connected to a VPN, and your local computer was treated as if it was a part of the remote network.
Although those types of VPNs are still in use across the globe, the type of VPN most people talk about today is more about privacy and security.
What Modern VPNs Do
Essentially, a modern VPN hides your IP address and
In the most famous line from the classic mockumentary “Spinal Tap,” Nigel Tufnel, the lead guitarist, points to an amplifier and notes the additional number on the dial, saying that it “goes up to 11.”
Alas, “this one goes to eight” does not have quite the same ring, but it might be time to use this phrase to describe a new layer of the traditional networking stack — the semantic layer. The addition of Layer 8 is driven by AI applications and their new exigencies.
The OSI (Open Systems Interconnection) model, a conceptual framework that has guided network design and communication for decades, is facing a new challenge in the age of AI. As AI continues to permeate various aspects of technology, including networking, the traditional seven layers of the OSI model may not be sufficient to capture the full requirements and realities of AI-driven networking.
Layer 8 is my proposed extension to the OSI model that aims to address the unique requirements and capabilities of AI in the context of networking. Unlike the existing layers, which focus on the technical aspects of data transmission, Layer 8 is concerned with the semantic understanding and intelligent processing of the
SEATTLE — Blockchain may no longer be at the peak of its hype cycle, but the technology is still sparking innovation, as real-life use cases emerge. Distributed ledgers (DLTs), for instance, which allow for the secure recording and transfer of digital assets without reliance on a centralized authority, have obvious advantages for financial organizations.
DLTs are at the core of an emerging ecosystem built on open source. In this On the Road episode of The New Stack Makers, recorded at Open Source Summit North America, Hedera, and OSSNA keynote talk on DLTs with Alex Williams, founder and publisher of TNS.
For DLTs, Baird said, “We have an open source ledger, the blockchain is open source, you can think of it like an operating system that’s open source. You can run programs on top of it that are open source, you can run programs on top of it that are not open source.”
The layer built on top of all this is also open source. “We had to come up with an algorithm for how they’re going to talk
The popularity of open source software continues to soar alongside growth in cloud usage, including multicloud and hybrid cloud infrastructure. Pluralsight’s State of Cloud 2023 report revealed that
Last month viewers from 56 countries tuned in for a very special livestreamed event: The Institute of Electrical and Electronics Engineers reunited 80-year-old a special presentation from the very room where they first wrote the TCP/IP protocol together more than 50 years ago.
“It’s truly an exciting honor to be here to celebrate the 50th anniversary of the work that Bob Kahn and I started, and so many have contributed to,” Cerf said during a Google vice president and their chief internet evangelist. Kahn is now chair and CEO of the not-for-profit
Throughout the development of networking, there has never been an effective way to capture and document the intended state of the network or to use that state to support network operations. Similarly, a go-to source for comprehensive training, guidance, and services on automating your network was unavailable.
In 2014, with the rise of network APIs and DevOps tools being applied to networking, observing those two realities was the core reason for starting Network to Code. For ten years, our mission has been to help individuals and organizations automate their networks in any way we can. It’s why we held the first in-person, five-day network automation training event. This is why I co-wrote “Nautobot from network engineers worldwide, even those in third world countries and organizations with no budget, showcasing our commitment to transform the network industry any way we can.
That’s why, in keeping with Network to Code’s mission, several of us have teamed up to co-author a new book on Nautobot, “
For DevOps and platform teams working with containers and Kubernetes, reducing downtime and improving security posture is crucial. A clear understanding of network topology, service interactions and workload dependencies is required in cloud native applications. This is essential for securing and optimizing your Kubernetes deployment and minimizing response time in the event of failure.
Network observability can highlight gaps in network policies for applications that require network policy controls, thus reducing the risk of attack from unsecured egress access or lateral movement of threats within the Kubernetes cluster. However, visualizing workload communication, service dependencies, and active and inactive network security policies presents significant challenges due to the distributed and dynamic nature of
When updating a critical infrastructure element for application teams takes weeks due to coordination between NetOps, SecOps, PlatformOps and FinOps, you have a problem: ops sprawl.
First was the technology ops team. Then came network operations and security operations. Then, arising from the site reliability engineering (SRE) movement and the goal of pushing more ops decisions into the development environment, came
Cilium is obviously undergoing a lot of change as a dynamic and popular open source project that makes heavy use of eBPF, but its original purpose remains intact: a tool that offers security, observability and networking capabilities. Its hooks extend from the kernel throughout the network, whether in the cloud, on premises or on other infrastructure. That definition covers a lot, and Cilium should continue to adapt and extend as infrastructure needs change.
@tgraf__’s “Cilium Vision” has a lot of future but the core design remains in place. @thenewstack March 19, 2024
In this article, we look at what Thomas Graf, CTO of Isovalent, described during his KubeCon + CloudNativeCon Europe talk
SEATTLE–By the time he finished his Peace Lee got three (3!) separate rounds of applause from the audience.
The Linux greybeards in attendance were impressed with the program, that he wrote the program himself (over a period of nine years) and that he did so without any help from system libraries.
Indeed,
Microsegmentation represents a transformative approach to enhancing network security within Kubernetes environments. This technique divides networks into smaller, isolated segments, allowing for granular control over traffic flow and significantly bolstering security posture. At its core, microsegmentation leverages Kubernetes network policies to isolate workloads, applications, namespaces and entire clusters, tailoring security measures to specific organizational needs and compliance requirements.
The Essence of Microsegmentation Strategies
Scalability and Flexibility
The fundamental advantage of microsegmentation through network policies lies in its scalability and flexibility. Kubernetes’ dynamic, label-based selection process facilitates the addition of new segments without compromising existing network infrastructure, enabling organizations to adapt to evolving security landscapes seamlessly.
Labeling the assets is a key to microsegmentation success.
Prevent Lateral Movement of Threats
Workload isolation, a critical component of microsegmentation, emphasizes the importance of securing individual microservices within a namespace or tenant by allowing only required and approved communication. This minimizes the attack surface and prevents unauthorized lateral movement.
Namespace and Tenant Isolation
Namespace isolation further enhances security by segregating applications into unique namespaces, ensuring operational independence and reducing the impact of potential security breaches. Similarly, tenant isolation addresses the needs of multitenant environments by securing shared Kubernetes infrastructure, thus protecting tenants from
Istio and Tetrate Enterprise Gateway for Envoy (TEG). This release provides businesses with a modern and secure alternative to traditional Envoy Gateway version 1.0. TEG extends its features by including cross-cluster service discovery and load balancing, OpenID Connect (OIDC), OAuth2, Web Application Firewall (WAF), and rate limiting out of the box along with Federal Information Processing Standard (FIPS) 140-2 compliance.
A standout feature of the Envoy Gateway, and by extension TEG, is its native support for the newly introduced
When most security and platform teams think about implementing zero trust, they tend to focus on the identity and access management layer and, in Kubernetes, on the service mesh. These are fine approaches, but they can cause challenges for constellations of legacy internal apps designed to run with zero exposure to outside connections. One solution to this problem is to leverage the load balancer as the primary implementation component for zero trust architectures covering legacy apps.
True Story: A Large Bank, Load Balancers and Legacy Code
This is a true story: A large bank has thousands of legacy web apps running on dedicated infrastructure. In the past, it could rely on a “hard perimeter defense” for protection with very brittle access control in front of the web app tier. That approach no longer works. Zero trust mandates that even internal applications maintain a stronger security posture. And for the legacy apps to remain useful, they must connect with newer apps and partner APIs. This means exposure to the public internet or broadly inside the data center via East-West traffic — something that these legacy apps were never designed for.
Still, facing government regulatory pressure to enhance security, the bank
Web3 represents the next evolutionary step in building web applications. Web3 combines blockchain technology, decentralized protocols and peer-to-peer interactions to give birth to a new standard for transparency and security through decentralized applications (dApps). The dApps rely on decentralized servers instead of traditional (Web2) applications based on a centralized server.
However, this new paradigm presents challenges for logging, tracing — in a Django-based Web3 application using Scout APM.
How Is Observability Different in Decentralized Apps?
Observability in Web3 dApps poses several unique challenges that need to be resolved.
Immutable Transactions
Web3 dApps rely heavily on blockchain technology. Generally speaking, once a blockchain transaction has been confirmed, it cannot be changed, even if there has been a mistake. This makes it extremely important to have close monitoring and observability to detect and prevent issues before data is written to the blockchain.
Distributed Data
Traditional web applications rely on centralized servers while Web3 dApps rely on a globally distributed and decentralized network of nodes. A robust observability solution is therefore required to aggregate and analyze data across this complex network.
Variable
Multicluster Kubernetes gets complicated and expensive fast — especially in dynamic environments. Private cloud multicluster solutions need to wrangle a lot of moving parts:
Private or public cloud APIs and compute/network/storage resources (or bare metal management)
Linux and Kubernetes dependencies
Kubernetes deployment
etcd configuration
Load balancer integration
And, potentially, other details too. So they’re fragile: Kubernetes control planes on private clouds tend to become “pets” (and not in a cute way). Multicluster on public clouds, meanwhile, hides some of the complexity (at the cost of flexibility) but presents challenges like cluster proliferation, hard-to-predict costs and lock-in.
What Are Hosted Control Planes (HCPs)?
Hosted Control Planes (HCPs) route around some (not all) of these challenges while bringing some new challenges. An HCP is a set of Kubernetes manager node components, running in pods on a host Kubernetes cluster. HCPs are less like “pets” and more like “cattle.”
Like other Kubernetes workloads, they’re defined, operated and updated in code (YAML manifests), so they are repeatable, version-controllable and easy to standardize. But worker nodes, as always, need to live somewhere and be networked to their control planes, and there are several challenges here.
They gain basic resilience from Kubernetes itself: if
There’s been a tension in physics over the last century or so between two theories. Both have proven valuable for predicting the behavior of the universe, as well as for advancing technological engineering, but they seem to make completely incompatible claims about the nature of reality.
I’m referring, of course, to the general theory of relativity and quantum theory. Ordinarily, these two theories tackle very different questions about the universe — one at the largest scale and the other at the smallest — but both theories come together in the study of black holes, points of space from which no information can escape.
There’s a tension in the air at many enterprise organizations today as well between two heuristics for enterprise networking, both of which have produced excellent results for software companies for years. That tension revolves around Kubernetes. As a manager of cloud security and network infrastructure for a large regional bank put it, “Kubernetes ends up being this black hole of networking.”
The analogy is apt. Like black holes, Kubernetes abstracts away much of the information traditionally used to understand and control networks. Like quantum theory, Kubernetes offers a new way to think about your network, but
Extended Berkeley Packet Filter, eBPF to its friends, enables you to run sandboxed programs in a privileged context in the Linux kernel. Netflix has unveiled bpftop, a new open source command-line tool designed to enhance the performance optimization and monitoring of eBPF applications.
As the streaming giant continues integrating eBPF technology into its infrastructure, ensuring these applications operate efficiently has become a top priority.
At some point, you’re going to have a Linux server that includes directories that various users, developers, admins, or clients need to access from your network. If you depend on Linux, your best bet for this is Samba.
Samba is the Linux implementation of the