Secure access and delivery of applications on the cloud from the perspective of load balancing

Migrating business to the cloud helps enterprises transform digitally more rapidly and manage and allocate computing resources more flexibly and efficiently. With the continued development of cloud computing and active support from local governments, the number of cloud computing data centers across the country is growing rapidly. In this situation, to meet the deployment requirements of cloud environment products, the shift from hardware products to software products, and from hardware delivery to software delivery, has become an inevitable trend for both manufacturers and enterprise users.

In the course of this transformation, the security, applicability and efficiency of cloud application delivery solutions face major challenges, and enterprise users have many doubts about replacing "old" solutions with "new" ones and adapting them. In this issue of "Interview with Niuren", we interviewed Mr. Gao Chunhua, CTO of Shanghai Hongji Information Technology Co., Ltd. Drawing on Hongji Technology's own development experience, he analyzed and answered, from several angles, the problems that cloud application delivery solutions face in real cloud environments and in their further development. The following is the content of this interview:


Gao Chunhua, CTO of Shanghai Hongji Information Technology Co., Ltd.

1. What challenges are faced by the application delivery of traditional “hardware boxes” in the digital and cloud transformation of enterprises? What are the new requirements for cloud platform application delivery?

Gao Chunhua: Application delivery in traditional IDC centers mostly uses hardware device deployment. As the point through which all sessions flow, the load and traffic are concentrated on the hardware box, so hardware performance is an important indicator that enterprises look at when selecting models; delivery processing capacity may even need to exceed 200Gbps. When the business grows to a certain level, hardware expansion is required. In the digital age in particular, after business moves to the cloud, the main challenges faced by traditional hardware boxes are:

Challenge 1: The business of most growing enterprises expands elastically, and there is a clear mismatch between the high complexity and low timeliness of infrastructure hardware expansion and the demand for elastic system performance driven by business growth;

Challenge 2: The cloud environment carries hundreds of thousands of services and connects users from thousands of industries, requiring multiple proxy servers for support, and no single point of failure is allowed for services. Once a hardware problem interrupts or fails business transactions, the affected area is larger than in a traditional IDC room. This places higher requirements on the reliability and stability of the hardware, and simple hot (warm) standby cannot meet the no-single-point-of-failure requirement of the cloud environment;

Challenge 3: In the cloud environment, cloud workloads have higher requirements for security management. Migrating to the cloud will greatly increase business exposure, face more network attacks and risks, and require more thorough and comprehensive security solutions;

Challenge 4: Higher requirements for management and maintenance. After an enterprise goes to the cloud, business orchestration and automated deployment need to adapt to the different needs of users in thousands of industries, and elastic expansion must be more intelligent and flexible. Therefore, the complexity of management and maintenance is higher than that of traditional IDC computer rooms.

The cloud platform adopts cluster deployment, which integrates all hardware resources into a shared resource pool, so processing capacity does not depend on the performance of a single machine. The application delivery software is distributed across different hardware servers, and the processing capacity of a single instance of application delivery software is generally about 10Gbps. The hardware resource requirements of the load are broken up into small pieces, which disperses the risk of single-machine deployment and gives higher reliability; there is no longer a situation of "pulling one hair and moving the whole body".

However, from Hongji's own experience, although cloud business has become ubiquitous, the current market is still dominated by companies that purchase hardware for delivery, which may account for 80~90% of the share. This may be related to the fact that Hongji's own market is mainly the financial industry: financial companies are more cautious about moving business to the cloud, and their progress is slower than in other industries. Judging from the current development of new infrastructure, however, this situation should change in the future, although it will take some time.

2. Load balancing has always been the core capability of application delivery. What are the new functions and features of load balancing in the cloud computing environment?

Gao Chunhua: The characteristics of cloud load balancing products are very clear:

1. First of all, after the deep integration of load balancing with the cloud, it is more automated and intelligent. Compared with hardware load balancing products, cloud load balancing products support automatic deployment without manual intervention. Users can generate load balancing virtual machines with one click, realize on-demand generation and automatic configuration of load balancing, and automatically perform some business orchestration;

2. Second, cloud load balancing can pool load capacity resources, making it more flexible and elastic to use. The load capacity of traditional hardware load balancing products has a fixed rating, but cloud load balancing can flexibly expand the processing capacity of load balancing in the form of resource pools and allocate resources on demand according to users' business processing needs. When the number of concurrent connections reaches the set threshold, the load balancer automatically calls the cloud platform interface, which in turn triggers the back-end service resources: when the number of concurrent connections increases, business nodes are added to share the pressure; when it decreases, redundant business nodes are deleted and recycled, releasing resources and achieving elastic expansion of load capacity.
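The threshold-driven elastic expansion described in the answer above, as an added example that is not part of the interview and not Hongji's software: a small autoscaler that samples concurrent connections per node and calls a (hypothetical, assumed) cloud platform API to add or recycle back-end nodes. The min/max node bounds, the separate scale-in and scale-out thresholds (hysteresis) and the cooldown are assumptions a practitioner would add so that the pool does not flap between scale-in and scale-out.

```python
"""Elastic scaling of back-end nodes driven by concurrent-connection thresholds.

Added example, not Hongji's code. The cloud platform API is modelled as two
hypothetical callbacks (add_node / remove_node); everything else is local.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass
class ScalePolicy:
    scale_out_conns: int   # add a node when connections per node exceed this
    scale_in_conns: int    # remove a node when connections per node fall below this
    min_nodes: int         # never shrink below this (must be >= 1)
    max_nodes: int         # never grow beyond this
    cooldown: int          # samples to hold after any action before acting again

    def __post_init__(self) -> None:
        # Hysteresis: the scale-in line must sit below the scale-out line,
        # otherwise the pool oscillates on every sample.
        assert 1 <= self.min_nodes <= self.max_nodes
        assert 0 < self.scale_in_conns < self.scale_out_conns


@dataclass
class Autoscaler:
    policy: ScalePolicy
    nodes: int
    add_node: Callable[[], None]      # assumed cloud platform API: create a node
    remove_node: Callable[[], None]   # assumed cloud platform API: recycle a node
    _since_last: int = field(default=10**9)  # start "long after" any action

    def tick(self, concurrent_conns: int) -> str:
        """Evaluate one sample of total concurrent connections.

        Returns "out" (node added), "in" (node removed) or "hold".
        """
        self._since_last += 1
        if self._since_last <= self.policy.cooldown:
            return "hold"                       # still in cooldown after last action

        per_node = max(concurrent_conns, 0) / self.nodes

        if per_node > self.policy.scale_out_conns and self.nodes < self.policy.max_nodes:
            self.add_node()
            self.nodes += 1
            self._since_last = 0
            return "out"

        if per_node < self.policy.scale_in_conns and self.nodes > self.policy.min_nodes:
            # Only shrink if the remaining nodes would still sit under the
            # scale-out line; otherwise the next sample would scale out again.
            if concurrent_conns / (self.nodes - 1) <= self.policy.scale_out_conns:
                self.remove_node()
                self.nodes -= 1
                self._since_last = 0
                return "in"

        return "hold"


def run_simulation(samples: List[int], policy: ScalePolicy, start_nodes: int) -> Tuple[List[str], int, List[str]]:
    """Drive the autoscaler over constructed samples; returns (actions, final nodes, API calls)."""
    api_log: List[str] = []
    scaler = Autoscaler(
        policy=policy,
        nodes=start_nodes,
        add_node=lambda: api_log.append("add"),
        remove_node=lambda: api_log.append("remove"),
    )
    actions = [scaler.tick(c) for c in samples]
    return actions, scaler.nodes, api_log


if __name__ == "__main__":
    # Constructed traffic: a burst of 2000 concurrent connections, then a lull at 400.
    demo_policy = ScalePolicy(scale_out_conns=800, scale_in_conns=300,
                              min_nodes=2, max_nodes=6, cooldown=2)
    print(run_simulation([2000, 2000, 2000, 2000, 400, 400, 400, 400], demo_policy, start_nodes=2))
```

With two nodes and 2000 connections (1000 per node) the first sample scales out; the next two samples are held by the cooldown; at 400 connections (133 per node on three nodes) the pool scales back in, and then holds at the two-node floor even though per-node load stays under the scale-in line.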

3. In the cloud computing environment, according to the differences in the cloud platform architecture of different enterprises, does it need to be customized when the cloud application is delivered online?

Gao Chunhua: Different cloud platform architectures use different communication standards, so application delivery must be modified and adapted to their differences. The adaptation content differs from platform to platform and has to be analyzed case by case. Based on Hongji Technology's research and development experience, the adaptation workload mainly covers the following three aspects:

1. Kernel and virtual network card adaptation. Taking the financial industry served by Hongji Technology as an example, the financial industry currently mostly uses industry clouds provided by public cloud manufacturers such as Alibaba and Tencent, which have gradually evolved from the early public clouds into industry clouds and are widely used in banking enterprises. However, the customized kernel shipped with the application delivery product may not match the kernel requirements of the public cloud well, and different cloud platforms have different requirements for virtual network cards, which involves kernel updates and network card driver adaptation.

2. Network port adaptation and modification. Different cloud platform architectures expose different numbers of interfaces to third-party components. For example, in the early days Alibaba Cloud provided only one network port, shared by the service port and the management port. Today, cloud platforms can provide multiple network ports, and from a security management standpoint we need to separate them into a dedicated management port, service ports, and a heartbeat port (high-availability port). However, there are limitations in different usage scenarios; for example, Alibaba Cloud's heartbeat port only supports unicast, not multicast, and needs to be adapted and modified.

3. Configuration and management of cloud load balancing. A management platform is required to realize rapid deployment and centralized management of load balancing on the cloud platform, supporting configuration policy issuance, resource pool management, elastic expansion policies, rapid connection to the cloud platform through its API interface, adaptation to different cloud architectures, and so on.

4. In addition to the above new functions and adaptation to the cloud platform, what other features does the cloud application delivery solution have?

Gao Chunhua: The most important feature of application delivery is ensuring high service availability. On that basis it is gradually expanded into a fast, secure, highly available, visualized, flexible and intelligent solution.

In terms of speed, Hongji's application delivery solution also provides functions such as compression, caching and SSL offloading, which mainly improve application access speed and the user access experience;

In terms of security, Hongji application delivery itself also provides some security protection functions. However, application delivery security is not as comprehensive as that of professional security products; application delivery is more about application-oriented security, such as WAF, anti-DDoS, and application access control.

In addition, cloud application delivery also has application visualization capabilities. As is well known, the cloud platform mainly provides infrastructure resources and is basically unaware of the business running in the cloud, but cloud load balancing can deeply perceive business traffic on the cloud platform and help users visualize that traffic.

Finally, when connecting with the cloud platform, it provides more flexible and intelligent capabilities, namely the elastic expansion, resource pooling, automatic deployment and business orchestration mentioned above.

5. In what aspects do you think the security management capabilities of cloud application delivery are mainly reflected?

Gao Chunhua: For application delivery manufacturers, security is not the biggest core competitiveness, but Hongji uses load balancing as the hub of business control and scheduling and actively links with third-party security platforms to provide the cloud platform with a total solution that integrates reliability and security capabilities. Load balancing is inherently a secure proxy device that can sense business traffic. After business passes through cloud load balancing, the traffic can be mirrored to the third-party security platform; for encrypted HTTPS traffic, the load balancer can decrypt it and mirror it to the security detection system. Once the security system finds a threat that needs a response, the disposal policy is sent to Hongji's MC management and control platform, and the load balancer redirects traffic according to the MC policy, for example to a honeypot or a traffic-cleaning device for further security detection; it can also isolate traffic carrying security threats and forward it. This is the third-party integrated security solution that Hongji has built on the cloud with load balancing as its core.

Second, load balancing itself also has many security capabilities, including protection functions against application-layer attacks, email security, and DNS security. The security of cloud load balancing leans more toward business and application security.

The above is Hongji's security solution for cloud application access and control: it focuses on the security capabilities of load balancing itself and actively cooperates with third-party security vendors to build cloud application access and control.

6. What challenges do you think cloud application delivery poses to the security supervision of cloud workloads?

Gao Chunhua: Based on Hongji Technology's research and development experience, first of all, traffic encryption is being applied more and more frequently in the industry, so the security of SSL encrypted and decrypted traffic is the direction that needs attention. There are two ways to encrypt and decrypt business traffic. In the first, the server negotiates encryption and decryption directly with the client; in the second, encryption and decryption are performed on the proxy server or the application delivery device. In the first, the intermediate proxy device does not process the traffic at all but passes it straight to the server, which decrypts it directly. This consumes server resources and leads to problems such as slow access, long delays or even access failure.

Therefore, in many cases the second method has to be adopted: the proxy server or application delivery device first performs SSL offloading by decrypting the traffic, then transmits it to the server in plaintext. This is also the current mainstream practice.

But there is currently a problem after enterprise business is migrated to the cloud. In a private cloud, business traffic is managed uniformly: the data is security-checked on the proxy server, decrypted by the encryption/decryption card, and finally transmitted in plaintext. On the public cloud, however, the data of some enterprise users requires confidential transmission and can only be passed through transparently to the server as ciphertext, which makes it impossible to perform security supervision on all load traffic on the public cloud. Security management of traffic on the cloud is a challenge for application delivery.

7. Under the digital transformation, the cloud market can be expected in the future. What do you think will be the technological development trend of cloud application delivery in the future?

Gao Chunhua: In fact, the development trends of application delivery and cloud applications complement each other. For cloud applications, everyone now uses technologies such as containers, microservices and cloud native. Now that cloud business has begun to be containerized, application delivery is also trying to link and collaborate with container-related applications. At present, Hongji uses a containerized CC plug-in to sense business changes, and the plug-in then notifies application delivery to add and delete services. There may be some new technological breakthroughs in this area in the future. At the same time, cloud application delivery itself is also trying to run in containerized form.

Secondly, in addition to containerization, I think application delivery will further connect with automated operation and maintenance tools in the future, because load balancing can sense business traffic. Once this traffic is connected to automated operation and maintenance tools through the MC module, users can manage their business on the cloud more conveniently and flexibly.

Finally, the visualization of cloud traffic is also an important development trend. Although cloud load balancing can already realize traffic visualization to a certain extent, the ultimate goal of visualization is to help enterprise users view performance indicators such as the distribution, source and response time of cloud services, so as to help them better maintain and manage services on the cloud.

Safety Cow Review

Digital transformation has accelerated enterprise cloudification. According to industry research, 90% of data traffic is flowing into cloud computing centers, and the reliability and security of cloud access have become important indicators by which service providers ensure service quality.

Cloud application delivery not only plays an important role in session connection, scheduling and load balancing, but also plays a critical role in secure access to cloud platforms. In 2020, Gartner included cloud access security brokers (CASB) among its top ten security projects.

As a representative domestic manufacturer of high-performance application delivery, Hongji Technology continues to explore and innovate in the field of cloud application delivery. It adapts to different cloud platforms and security platforms through its MC module and builds an integrated linkage mechanism between the communication and security systems. Pairing high-performance communication infrastructure with mainstream security architecture gives traditional security capabilities a more reliable policy enforcement point on the cloud platform, and provides strong support for implementing new security architectures on cloud platforms in the future.

Author: Yoyokuo