A key aspect of data center migration is network security. According to Algosec's CTO, Avishai Wool, moving a physical data center to the cloud, be it hybrid or private, involves the following steps. First, select a server in the old data center. Second, create a clone of the server in the new data center. The third step, Wool says, is to “Make all applications that rely on the old server refer to the new copy (This is the step in the process at which the network security team must be involved. In order for business applications to use the newly cloned server, the network security policies on the relevant firewalls and routers must allow the necessary traffic to and from its new IP address).” The fourth and final step is shutting down the old server.
Wool explains that “While these steps seem simple enough, the challenge is that you must perform these actions without disrupting existing services and without unplanned downtime. In fact, in a recent survey Algosec conducted, more than two-thirds of organizations encounter application connectivity disruptions or outages during data center migration projects”.
Disruptions of this kind are frequent because it is hard to determine which applications depend on which server in the physical data center, mainly because each server supports more than one application. Finding out which other servers need to communicate with the server being migrated is also very tricky.
“The reason for the uncertainty is that in many organizations the record-keeping, indicating which applications depend on which servers, and what traffic flows support each application, is inaccurate, outdated, or simply non-existent”, explains Wool.
Enter firewall policies: “Before any servers were migrated, all the applications were working – so, obviously, all the traffic flows they relied on were, and still are, allowed by some firewall rules.
By using the existing firewall rules, you can migrate a server without any surprises. First you can discover all of the firewall rules that refer to the old server’s IP address”, says Wool, adding that the cloned server's IP address can then be added so that it works concurrently with the old one. After that, the fear of blocked traffic is removed and application engineers can reconfigure all of the application’s components. In short, using the firewall policies speeds up the migration of the server.
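The rule-discovery step described above, as an added sketch that is not Algosec's code or part of the original article. It assumes a simplified, vendor-neutral rule model (the `Rule` class, the sample policy and every IP address are constructed), matches the old server by subnet containment rather than string comparison, and adds the clone's address inside the same rule so rule order is unchanged.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Rule:          # hypothetical, vendor-neutral rule model
    name: str
    src: tuple       # host/CIDR strings, or "any"
    dst: tuple
    service: str
    action: str      # "allow" or "deny"

def covers(entries, ip):
    """Return the entries (host or CIDR) that contain ip; 'any' is skipped
    because such a rule already applies to the clone and needs no change."""
    addr = ipaddress.ip_address(ip)
    return [e for e in entries
            if e != "any" and addr in ipaddress.ip_network(e, strict=False)]

def plan_migration(rules, old_ip, new_ip):
    """Return (affected, updated): the (rule, side) pairs that reference
    old_ip, and the full policy with new_ip added beside old_ip wherever
    the rule does not already cover it. The old address is kept, so both
    servers work concurrently until the old one is shut down."""
    host = str(ipaddress.ip_network(new_ip))   # /32 for IPv4, /128 for IPv6
    affected, updated = [], []
    for rule in rules:
        changes = {}
        for side in ("src", "dst"):
            entries = getattr(rule, side)
            if covers(entries, old_ip):
                affected.append((rule.name, side))
                if not covers(entries, new_ip):
                    changes[side] = entries + (host,)
        updated.append(replace(rule, **changes))
    return affected, updated

# Constructed sample policy and addresses, for illustration only.
POLICY = [
    Rule("web-to-db", ("10.1.2.0/24",), ("10.1.5.20/32",), "tcp/5432", "allow"),
    Rule("db-backup", ("10.1.5.0/24",), ("10.1.9.9/32",), "tcp/22", "allow"),
    Rule("mgmt-any", ("any",), ("10.1.0.0/16",), "tcp/443", "allow"),
    Rule("dns", ("any",), ("10.1.9.53/32",), "udp/53", "allow"),
]
OLD_IP, NEW_IP = "10.1.5.20", "10.20.0.15"

if __name__ == "__main__":
    affected, updated = plan_migration(POLICY, OLD_IP, NEW_IP)
    for name, side in affected:
        print(f"{name}: old server matched on {side}")
```

Rules that match the old server only through a broad subnet (`db-backup` and `mgmt-any` here) deserve a manual look before the change is pushed, since they may reflect access the application never used.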
Wool concludes with an idea that might seem radical but is worth thinking about: “Using the firewall policies to guide the data center migration can let the network security team lead the migration process. Even in the most poorly documented data centers, the firewall rules can provide crucial clues to other IT teams as to which applications will be affected by migrating a server, and which groups of servers will benefit from being migrated simultaneously”.