Scale-Out Cloud Visibility and Security with cPacket cCloud™ Visibility Suite and Microsoft Azure Gateway Load Balancer

As organizations continue to move mission-critical workloads to the cloud, ITOps teams are under constant pressure to deploy a visibility services infrastructure that can deliver real-time business insights, network and application performance characterization, user-experience monitoring and security forensics, while at the same time scaling seamlessly with the cloud.

Cloud architectures can get complicated as well – production applications, DevOps environments, and monitoring of internal business and application support services all need a comprehensive visibility service as a common denominator. This becomes even more critical for a large, geographically dispersed organization in the cloud. A scale-out approach to hosting critical visibility and analytics services is needed.

Microsoft Azure Gateway Load Balancer (GWLB) and cPacket cCloud Visibility Suite

With Microsoft Azure GWLB and the cPacket cCloud products together, customers (ITOps) can now deploy an industry-leading cloud observability stack to monitor application and end-user experience in the Azure cloud. The Azure GWLB service greatly simplifies the deployment of these critical ITOps services in the cloud. Previously, any insertion of a virtual service in the cloud required complex planning, deployment and reconfiguration of Azure VNets and User-Defined Routes (UDRs), and updates to VNet peering; above all, the resulting architecture was still static and did not scale.

Azure GWLB eliminates these mundane tasks and accelerates the ITOps journey to a truly scalable cloud observability stack deployed as a distributed or shared service in the Azure cloud. The architecture avoids invasive changes as visibility infrastructure needs scale up, and it removes the reconfiguration of Azure VNet constructs mentioned above. It allows easy monitoring of critical points in the cloud for both inbound and outbound traffic, to measure KPIs such as TCP flow analytics, path latency, market data feed analytics and gap detection, and real-time protocol decodes for performance-sensitive workloads. Above all, it provides a scale-out environment in which cCloud virtual services can transparently scale as capacity needs increase.

Traffic from multiple sources can also be pointed at one Azure GWLB, so that monitoring tools have complete access to packet data from different vantage points in the cloud. Efficient advanced packet broker and capture services allow packet conditioning and network and application KPI monitoring, and aid complete security forensics analysis. The cCloud Visibility Suite is a set of cloud-native virtual appliances that provide visibility for assuring network-aware application performance and security.

Use-Cases

Many use-cases are possible, as outlined below; we demonstrate the first one:

  • Monitoring connection issues for internet facing cloud services
  • Latency measurement and gap detection for mission critical financial services
  • Identifying DDoS attacks on specific services

Solution Overview

In this example the Azure GWLB is configured to load-balance the incoming traffic from the internet to the cVu-V. The cVu-V virtual appliances can be scaled based on performance and traffic-mirroring requirements. cVu-V delivers advanced packet broker capability and replicates or load-balances traffic, as appropriate, to one or more performance management (cStor-V) and/or security tools; multiple destinations can be configured simultaneously. Depending on customer needs, traffic from the Azure GWLB can also be load-balanced directly onto a fleet of cStor-V appliances.

To troubleshoot connection issues inbound to the Azure public load balancer, we use here the cStor-V behind the cVu-V. Multiple traffic feeds from multiple sources, either a public load balancer IP or an instance-level public IP, can be received by the Azure GWLB over a standard VXLAN tunnel. This architecture allows easy insertion and removal of virtual appliances behind the Azure GWLB service without reconfiguring complex service chains.

Furthermore, different network monitors can be configured to identify and troubleshoot different traffic profiles. Connection issues that can be identified include retransmission errors, SYN errors, connection setup times and RTT. cPacket monitors both SYNs without SYN-ACKs, where the server fails to respond, and SYN-ACKs without SYNs, which may indicate an asymmetric routing issue or a DDoS attempt. cClear-V in the cloud (typically deployed as a shared service for ITOps) delivers a single-pane-of-glass user experience for all analytics and visualizations, so that any issue can be troubleshot effectively. Together, Azure GWLB and cPacket cCloud deliver a scalable full-stack observability solution for cloud customers.
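The two handshake checks described above (SYNs that never receive a SYN-ACK, and SYN-ACKs that arrive without a preceding SYN) can be reproduced in a few lines over a stream of TCP header summaries. The following is an added example written for this page, not cPacket code and not a description of how cVu-V or cStor-V implement their monitors; the TcpSeg records and the SAMPLE_SEGMENTS feed are constructed, and the per-server summary heuristic is an assumption of this example. It also records the SYN-to-SYN-ACK delay, which is the connection setup time the text mentions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpSeg:
    """Minimal TCP header summary (constructed; a real feed would come from mirrored packets)."""
    ts: float      # capture timestamp in seconds
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


def handshake_key(seg):
    """Canonical (client, cport, server, sport) key for SYN and SYN-ACK segments; None otherwise."""
    if not seg.syn:
        return None
    if seg.ack:
        # A SYN-ACK travels server -> client, so swap the ends to match the client's SYN.
        return (seg.dst, seg.dport, seg.src, seg.sport)
    return (seg.src, seg.sport, seg.dst, seg.dport)


def classify_handshakes(segments):
    """Pair SYNs with SYN-ACKs as seen from one vantage point.

    Returns (half_open, orphan_synacks, setup_times):
      half_open      - keys whose SYN never saw a SYN-ACK (server not responding or filtered)
      orphan_synacks - keys whose SYN-ACK had no prior SYN at this vantage point
                       (asymmetric routing, or a SYN-ACK pattern consistent with a DDoS attempt)
      setup_times    - key -> seconds from the first SYN to its SYN-ACK (connection setup time)
    """
    pending = {}        # key -> timestamp of first SYN
    orphans = []
    setup_times = {}
    for seg in sorted(segments, key=lambda s: s.ts):
        key = handshake_key(seg)
        if key is None:
            continue                      # data/ACK-only segments are not part of the check
        if not seg.ack:
            pending.setdefault(key, seg.ts)   # a retransmitted SYN keeps the original timestamp
        elif key in pending:
            setup_times[key] = round(seg.ts - pending.pop(key), 6)
        else:
            orphans.append(key)
    return list(pending), orphans, setup_times


def servers_with_half_open(half_open):
    """Count half-open attempts per server endpoint (assumed heuristic of this example):
    one server with many half-open attempts points at an outage or a flood aimed at it,
    while many servers with one each points at a path or routing problem."""
    return Counter((k[2], k[3]) for k in half_open)


# Constructed sample feed: one completed handshake, two unanswered SYNs
# (one of them retransmitted), a bare ACK, and one SYN-ACK with no matching SYN.
SAMPLE_SEGMENTS = [
    TcpSeg(1.000, "10.0.0.5", 40000, "10.1.0.10", 443, syn=True, ack=False),
    TcpSeg(1.020, "10.1.0.10", 443, "10.0.0.5", 40000, syn=True, ack=True),
    TcpSeg(1.021, "10.0.0.5", 40000, "10.1.0.10", 443, syn=False, ack=True),
    TcpSeg(2.000, "10.0.0.6", 40001, "10.1.0.10", 443, syn=True, ack=False),
    TcpSeg(2.500, "10.0.0.7", 40002, "10.1.0.11", 443, syn=True, ack=False),
    TcpSeg(3.000, "10.1.0.12", 443, "203.0.113.9", 51000, syn=True, ack=True),
    TcpSeg(3.000, "10.0.0.6", 40001, "10.1.0.10", 443, syn=True, ack=False),  # SYN retransmit
]


if __name__ == "__main__":
    half_open, orphans, setup = classify_handshakes(SAMPLE_SEGMENTS)
    print("half-open:", half_open)
    print("orphan SYN-ACKs:", orphans)
    print("setup times:", setup)
    print("half-open per server:", servers_with_half_open(half_open))
```

Run stand-alone, the script reports the two unanswered SYNs, the single orphan SYN-ACK, and a 20 ms setup time for the completed handshake. On real mirrored traffic the pending table needs an expiry (a SYN is only "half-open" after a retransmission window has passed), and a vantage point that sees only one direction of a flow will report every SYN-ACK as an orphan, which is exactly the asymmetric-routing signal the text refers to.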

Sample Deployment

This section outlines the Azure CLI commands required to configure the components in the diagram above. For brevity, the full commands are not shown; contact Microsoft for a set of complete example scripts.

  • Create Azure Public LB instance
az network lb create …
  • Connect application servers to the Public LB address pool (example web apps)
az network lb address-pool address add …
  • Create an Azure GWLB instance
az network lb create --sku Gateway …
az network lb address-pool tunnel-interface add … --type external …
az network lb address-pool tunnel-interface add … --type internal …
az network lb probe create …
az network lb rule create … --protocol all --frontend-port 0 --backend-port 0 …
  • Connect Public Load Balancer Frontend IP to the Azure GWLB Frontend IP
az network lb frontend-ip update … --gateway-lb …
  • Deploy cCloud Visibility Suite in Azure
Follow cPacket procedures for installing and configuring cCloud virtual appliances
  • Assign cCloud Appliances to the Azure GWLB address pool
az network nic ip-config address-pool add …

Follow cPacket procedures for using cClear-V to create required dashboards to view traffic analytics or download aggregated packet captures.

For more information, refer to the links below: