US-12621180-B2 - Fine-grained SD-WAN optimization services for cloud-native applications

Abstract

In one embodiment, a device of a software-defined wide area network (SD-WAN) receives, from a cloud-native application, contextual data for the cloud-native application that identifies microservices of the cloud-native application. The device translates the contextual data for the cloud-native application into a network policy for traffic in the SD-WAN associated with the cloud-native application. The device applies the network policy to a traffic flow in the SD-WAN between an endpoint and a particular microservice of the cloud-native application.

Inventors

  • Sridhar Subramanian
  • Fabio Rodolfo Maino
  • Alberto Rodriguez Natal
  • Vijoy Anand Pandey
  • Edward A. Warnicke
  • John Andrew Joyce
  • Timothy James Swanson
  • Loránd Jakab

Assignees

  • CISCO TECHNOLOGY, INC.

Dates

Publication Date
2026-05-05
Application Date
2023-04-26

Claims (20)

  1. A method comprising: receiving, at a device of a software-defined wide area network (SD-WAN) and from a cloud-native application, contextual data for the cloud-native application that identifies microservices of the cloud-native application; identifying, by the device, network requirements for each of the microservices specified in the contextual data for the cloud-native application; translating, by the device and based on the network requirements identified for each of the microservices, the contextual data for the cloud-native application into a network policy for traffic in the SD-WAN associated with the microservices, wherein the network policy comprises a plurality of corresponding access policies for each of the microservices; and applying, by the device, an access policy from the plurality of corresponding access policies to a traffic flow in the SD-WAN between an endpoint and particular microservice of the microservices.
  2. The method as in claim 1, wherein applying the access policy to the traffic flow comprises: preventing the endpoint from accessing the particular microservice of the cloud-native application.
  3. The method as in claim 2, wherein the access policy for the particular microservice specifies a user group to which the endpoint belongs.
  4. The method as in claim 1, wherein the contextual data specifies one or more SD-WAN services to be applied to traffic in the SD-WAN associated with the particular microservice.
  5. The method as in claim 4, wherein the one or more SD-WAN services comprise at least one of: a path visibility service, a Transport Control Protocol (TCP) optimization service, a Forward Error Control (FEC) service, a packet duplication service, or a firewall service.
  6. The method as in claim 4, wherein application of the network policy causes the one or more SD-WAN services specified in the contextual data to be applied to the traffic flow between the endpoint and the particular microservice.
  7. The method as in claim 1, wherein receiving the contextual data for the cloud-native application that identifies microservices of the cloud-native application comprises: extracting the contextual data from a Hypertext Transfer Protocol (HTTP) header of traffic sent by the cloud-native application.
  8. The method as in claim 1, wherein receiving the contextual data for the cloud-native application that identifies microservices of the cloud-native application comprises: receiving the contextual data via an application programming interface (API).
  9. The method as in claim 1, wherein the device is an edge router in the SD-WAN.
  10. The method as in claim 9, wherein the edge router extracts the contextual data from data traffic for the cloud-native application.
  11. An apparatus, comprising: one or more network interfaces to communicate with a software-defined wide area network (SD-WAN); a processor coupled to the one or more network interfaces and configured to execute one or more processes; and a memory configured to store a process that is executable by the processor, the process when executed configured to: receive, from a cloud-native application, contextual data for the cloud-native application that identifies microservices of the cloud-native application; identify network requirements for each of the microservices specified in the contextual data for the cloud-native application; translate, based on the network requirements identified for each of the microservices, the contextual data for the cloud-native application into a network policy for traffic in the SD-WAN associated with the microservices, wherein the network policy comprises a plurality of corresponding access policies for each of the microservices; and applying, by the device, an access policy from the plurality of corresponding access policies to a traffic flow in the SD-WAN between an endpoint and particular microservice of the microservices.
  12. The apparatus as in claim 11, wherein the apparatus applies the network policy to the traffic flow by: preventing the endpoint from accessing the particular microservice of the cloud-native application.
  13. The apparatus as in claim 12, wherein the access policy for the particular microservice specifies a user group to which the endpoint belongs.
  14. The apparatus as in claim 11, wherein the contextual data specifies one or more SD-WAN services to be applied to traffic in the SD-WAN associated with the particular microservice.
  15. The apparatus as in claim 14, wherein the one or more SD-WAN services comprise at least one of: a path visibility service, a Transport Control Protocol (TCP) optimization service, a Forward Error Control (FEC) service, a packet duplication service, or a firewall service.
  16. The apparatus as in claim 14, wherein application of the network policy causes the one or more SD-WAN services specified in the contextual data to be applied to the traffic flow between the endpoint and the particular microservice.
  17. The apparatus as in claim 11, wherein the apparatus receives the contextual data for the cloud-native application that identifies microservices of the cloud-native application by: extracting the contextual data from a Hypertext Transfer Protocol (HTTP) header of traffic sent by the cloud-native application.
  18. The apparatus as in claim 11, wherein the apparatus receives the contextual data for the cloud-native application that identifies microservices of the cloud-native application by: receiving the contextual data via an application programming interface (API).
  19. The apparatus as in claim 11, wherein the apparatus is an edge router in the SD-WAN.
  20. A tangible, non-transitory, computer-readable medium storing program instructions that cause a device of a software-defined wide area network (SD-WAN) to execute a process comprising: receiving, at the device and from a cloud-native application, contextual data for the cloud-native application that identifies microservices of the cloud-native application; identifying, by the device, network requirements for each of the microservices specified in the contextual data for the cloud-native application; translating, by the device and based on the network requirements identified for each of the microservices, the contextual data for the cloud-native application into a network policy for traffic in the SD-WAN associated with the microservices, wherein the network policy comprises a plurality of corresponding access policies for each of the microservices; and applying, by the device, an access policy from the plurality of corresponding access policies to a traffic flow in the SD-WAN between an endpoint and particular microservice of the microservices.
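The claims above describe a three-step procedure: receive contextual data that identifies an application's microservices (from an HTTP header, claim 7, or an API, claim 8), translate it into one access policy per microservice carrying the SD-WAN services each one needs (claims 1, 4 and 5), and apply the matching policy to a flow between an endpoint and a microservice, denying endpoints outside the permitted user group (claims 2 and 3). The following Python is an added illustration of that procedure; it is not code from the patent or from Cisco. The contextual-data JSON schema, the header name X-App-Context and its base64url-of-JSON encoding are assumptions made for this example, and the sample contextual data is constructed.

```python
"""Added example: translating cloud-native contextual data into per-microservice
SD-WAN access policies and applying one to a flow (the procedure of claims 1-7).

Assumptions of this example (not from the patent): the contextual-data JSON schema,
the header name X-App-Context, and its base64url-of-JSON encoding.
"""
import base64
import json
from dataclasses import dataclass

# SD-WAN services a microservice may request; the names mirror claim 5.
KNOWN_SERVICES = frozenset({
    "path_visibility", "tcp_optimization", "fec", "packet_duplication", "firewall",
})


@dataclass(frozen=True)
class AccessPolicy:
    microservice: str
    allowed_groups: frozenset   # user groups permitted to reach the microservice (claim 3)
    services: tuple             # SD-WAN services applied to matching flows (claim 6)


def parse_context_header(header_value: str) -> dict:
    """Extract contextual data carried in an HTTP header of application traffic (claim 7).

    Assumed encoding: base64url of a JSON object. Stripped padding is restored, and a
    document that does not identify microservices is rejected rather than guessed at.
    """
    padded = header_value + "=" * (-len(header_value) % 4)
    ctx = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(ctx, dict) or not isinstance(ctx.get("microservices"), list):
        raise ValueError("contextual data must be an object listing microservices")
    return ctx


def translate(ctx: dict) -> dict:
    """Translate contextual data into a network policy: one access policy per microservice.

    Requested SD-WAN services (the network requirements of claim 1) are validated against
    the known set, so a misspelled service cannot silently drop, say, the firewall.
    """
    policy = {}
    for ms in ctx["microservices"]:
        name = ms["name"]
        if name in policy:
            raise ValueError(f"duplicate microservice in contextual data: {name}")
        services = tuple(sorted(set(ms.get("sdwan_services", []))))
        unknown = set(services) - KNOWN_SERVICES
        if unknown:
            raise ValueError(f"unknown SD-WAN service(s) for {name}: {sorted(unknown)}")
        policy[name] = AccessPolicy(name, frozenset(ms.get("allowed_groups", [])), services)
    return policy


def apply_policy(policy: dict, endpoint_groups, microservice: str):
    """Decide a flow between an endpoint and a microservice.

    Returns (allowed, services_to_apply). A microservice absent from the policy, or an
    endpoint in none of its allowed groups, is denied (claim 2): default deny.
    """
    ap = policy.get(microservice)
    if ap is None or not (ap.allowed_groups & frozenset(endpoint_groups)):
        return False, ()
    return True, ap.services


# Constructed sample contextual data, as a cloud-native application might emit it.
SAMPLE_CONTEXT = {
    "application": "storefront",
    "microservices": [
        {"name": "checkout", "allowed_groups": ["customers", "staff"],
         "sdwan_services": ["tcp_optimization", "fec"]},
        {"name": "admin-api", "allowed_groups": ["staff"],
         "sdwan_services": ["firewall", "path_visibility"]},
    ],
}
# The same data as it would appear in the (assumed) X-App-Context header.
SAMPLE_HEADER = base64.urlsafe_b64encode(
    json.dumps(SAMPLE_CONTEXT).encode()).decode().rstrip("=")


if __name__ == "__main__":
    net_policy = translate(parse_context_header(SAMPLE_HEADER))
    flows = [(["customers"], "checkout"), (["customers"], "admin-api"), (["staff"], "admin-api")]
    for groups, target in flows:
        allowed, services = apply_policy(net_policy, groups, target)
        print(f"{groups} -> {target}: {'allow' if allowed else 'deny'} {list(services)}")
```

Two design choices matter for a practitioner. The translator fails closed: an unknown microservice or a requested service that is not in the known set raises rather than producing a policy with a hole, and a flow matches only when the endpoint's group intersects the microservice's allowed groups. Second, contextual data read from an application header (claim 7) is only as trustworthy as the path it arrived over; a deployment would bind it to an authenticated source before translating it, which this example does not model.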

Description

RELATED APPLICATION

This application is a continuation of U.S. patent application Ser. No. 16/983,346, filed on Aug. 3, 2020, and claims priority to U.S. Provisional Patent Application No. 62/979,807, filed on Feb. 21, 2020, both entitled "FINE-GRAINED SD-WAN OPTIMIZATION SERVICES FOR CLOUD-NATIVE APPLICATIONS" by Subramanian et al., the contents of which are incorporated by reference herein.

TECHNICAL FIELD

The present disclosure relates generally to computer networks, and, more particularly, to fine-grained software-defined wide area network (SD-WAN) optimization services for cloud-native applications.

BACKGROUND

Software defined networking (SDN) represents an evolution of computer networks away from a decentralized architecture to one of centralized, software-based control. More specifically, in traditional computer networks, the control plane (e.g., selection of the routing path) and the data plane (e.g., forwarding packets along the selected path) are intertwined, with control plane decisions being made in a decentralized manner via signaling between the networking devices. In contrast, control plane decisions in an SDN-based network architecture are made by a centralized controller and pushed to the networking devices, as needed. For example, a software-defined wide area network (SD-WAN) represents one potential implementation of an SDN that can be used to connect a local client device to a remote, cloud-based application/service.

The cloud-native paradigm is shifting the way applications are developed, deployed, and operated. Applications are now decomposed into a collection of microservices that interconnect via Layer 7 (L7) protocols, such as Hypertext Transfer Protocol (HTTP) or HTTP Secure (HTTPS), and are deployed leveraging infrastructure components such as container orchestrators (e.g., Kubernetes), service meshes (e.g., Istio), and policy enforcement points (e.g., Envoy). This cloud-native infrastructure is meant to enable policy, telemetry, traffic engineering, etc., to optimize the operation of cloud-native applications.

One of the main forces driving the evolution of applications into microservices is the increased efficiency in allocating computing resources in both public and hybrid clouds. Containerization offers a smaller granularity with which computing resources can be allocated to an application. At the same time, computing resources can be allocated elastically to cloud-native applications, scaling horizontally as the demands of the application change over time. This ultimately increases the efficiency of resource utilization by the cloud service provider.

BRIEF DESCRIPTION OF THE DRAWINGS

FIGS. 1A-1B illustrate an example communication network;
FIG. 2 illustrates an example network device/node;
FIG. 3 illustrates an example of a client device accessing a cloud-native application via a software-defined wide area network (SD-WAN);
FIG. 4 illustrates an example architecture for using contextual data for fine-grained network optimization for cloud-native application microservices;
FIG. illustrates another example architecture for providing fine-grained access control for cloud-native application microservices;
FIG. 6 illustrates an example architecture for passing contextual data to an SD-WAN; and
FIG. 7 illustrates an example simplified procedure for translating contextual data for a cloud-native application into a network policy.

DESCRIPTION OF EXAMPLE EMBODIMENTS

Overview

According to one or more embodiments of the disclosure, a device of a software-defined wide area network (SD-WAN) receives, from a cloud-native application, contextual data for the cloud-native application that identifies microservices of the cloud-native application. The device translates the contextual data for the cloud-native application into a network policy for traffic in the SD-WAN associated with the cloud-native application. The device applies the network policy to a traffic flow in the SD-WAN between an endpoint and a particular microservice of the cloud-native application.

Description

A computer network is a geographically distributed collection of nodes interconnected by communication links and segments for transporting data between end nodes, such as personal computers and workstations, or other devices, such as sensors, etc. Many types of networks are available, with the types ranging from local area networks (LANs) to wide area networks (WANs). LANs typically connect the nodes over dedicated private communications links located in the same general physical location, such as a building or campus. WANs, on the other hand, typically connect geographically dispersed nodes over long-distance communications links, such as common carrier telephone lines, optical lightpaths, synchronous optical networks (SONET), or synchronous digital hierarchy (SDH) links, or Powerline Communications (PLC) such as IEEE 61334, IEEE P1901.2, and others. The Internet is an example of a WAN that connects