bluebay2014 - Fotolia


A multi-tenant data center offers SDN challenges, benefits

SDN controllers offer segmentation in a multi-tenant data center. Understand how to configure the right network flow to isolate traffic, and explore potential pitfalls of SDN.

Recently, many organizations have seen the benefits of offloading their IT infrastructure to third-party providers. These third-party hosts agree to offer IT services in a transparent manner to the end user, but it's a challenge to keep sensitive data from multiple customers isolated from one another in a multi-tenant data center.

SDN and the multi-tenant data center

Since the typical Multi-tenant data center hosts IT infrastructure for multiple customers and each data center has a finite amount of resources, it's often inefficient to dedicate whole machines to one customer. Instead, one bare-metal machine will most likely host multiple VMs for multiple customers -- a concept known as the multi-tenant network. In the past, it was popular to dedicate one server rack to one application or service and a different server rack for another. Switches and routers in front of the servers handled segmentation via subnetting and virtual LANs. But now, the increasing popularity of software-defined networking (SDN) turns data center architecture on its head.

An SDN controller is logically seated "northbound" of the underlying switching devices, which provides network administrators a vast amount of control over the flow of network traffic by way of 12-tuple header fields:

12-tuple flow
A logically placed SDN controller can provide more control of network traffic via this 12-tuple flow.

Given the 12-tuple, network administrators can configure the SDN controller to route traffic based on any combination of headers with each configuration called a flow. The large amount of possible permutations afforded to the network administrator when configuring flows provides a lot of granularity.

A single customer may have multiple services hosted with a multi-tenant data center. Network administrators can isolate the traffic from other tenants within the same data center by configuring flows based on the ingress port, source port, destination port and any other combination of headers that would refer exclusively to the service hosted by that customer. Consequently, if another tenant within the data center runs a similar service or application, the network administrator can instruct the SDN controller to route traffic based on the same headers but with differing values of said headers. Therefore, each tenant's traffic is successfully isolated from one another without disrupting the network's performance.

Benefits and challenges of SDN

Traditionally, an admin that adds a network device or a new server to a network would need to set aside a significant amount of time for network configuration. Dropping new network devices into a network often had a ripple effect.

But with SDN, the controller can figure out how to integrate a new device into the network. While this is a huge advantage for organizations that attempt to be agile, it can cause problems with visibility. When admins add or remove multiple devices, networking or otherwise, it can be difficult to maintain real-time awareness over the networks, which can lead to significant security issues. For example, it may be easier for hackers to add devices to an SDN-enabled network if there's a lack of proper network monitoring.

Next Steps

SDN and virtualization lead data center modernization charge

Future of data center networking architecture hinges on SDN, machine learning

What's the story of SDN in the data center?

Dig Deeper on SDN and other network strategies