Enterprise connectivity is the need of the hour in today’s world as WAN infrastructure, cloud computing, and Software-as-a-Service (SaaS) applications have become an integral part of IT strategy in most organizations. To be agile and resilient, businesses need networks that can grow, evolve, and expand on demand with this ever-changing landscape.
Modern distributed applications create extra challenges to the enterprise connectivity requirements, given their reliance on an efficient network that can bring the different application components together. Often these applications are not only highly distributed but also have strong dependencies on external and remote services. Fortunately, these external dependencies are well defined in modern application infrastructures, such as Kubernetes and service meshes. In this white paper we describe how a modern SD-WAN can automatically consume the information about those external application dependencies in order to deliver the best connectivity experience for the application.
Challenge: Connectivity for applications consuming remote services
With the transition to microservices architectures, traditional applications are being displaced with a new way of building applications. No longer are applications a monolithic entity where all application components are closely packaged. Rather, modern applications are a collection of multiple microservices that communicate with one another. And given the inherently distributed nature of these microservices, it is natural that they communicate not only among themselves but also with external services, which in many cases are offered by a third party.
In the old days of monolithic architectures, when an application would like to consume some capability by a third party, app developers would typically just load a library. In the modern world of microservices and cloud-native architectures, the third-party capabilities are typically consumed by calling remote APIs over the network. This presents an inherent challenge, as the network might then become the bottleneck for the correct operation of the application. As more and more applications are offloading functionality into remote services and consuming capabilities by external third parties, optimizing the network between the local application components and the remote services they might be consuming is critical. This is top of mind for both NetOps and DevOps teams today.
However, while it is theoretically possible for DevOps and NetOps teams to coordinate these optimizations manually, manual coordination takes a heavy toll on both teams because it is error-prone and hard to scale over time. For that reason, solid automation that integrates with the dynamic principles of current application infrastructure is key to addressing this challenge. Automation enables the network to be agile and follow the application's changing connectivity requirements.
Solution: Cloud OnRamp for SaaS: Kubernetes integration
Fortunately, Cisco SD-WAN’s cloud networking feature – Cloud OnRamp for SaaS – can optimize application connectivity to SaaS services. However, until now, configuration of Cloud OnRamp for SaaS required manual intervention from the NetOps team. This white paper introduces the Cisco SD-WAN Cloud OnRamp for SaaS Kubernetes integration to reduce the work of configuring Cloud OnRamp for SaaS, enabling optimization of traffic between Kubernetes applications and the SaaS they are consuming.
Thanks to this new integration, NetOps teams can be more productive and focus on more relevant tasks, rather than spending their time in repetitive routines such as inputting SaaS configurations to support the applications being deployed in Kubernetes by the DevOps team. In the rest of the white paper, we provide a quick recap of Cloud OnRamp for SaaS and then delve into what makes the Kubernetes integration possible and describe briefly how the integration is enabled via an open-source tool.
Cisco SD-WAN Cloud OnRamp for SaaS
Cloud OnRamp for SaaS uses real-time path-probing data to steer traffic over an optimal path for seamless user-to-SaaS or app-to-SaaS performance. This solution supports top business-critical services such as Webex by Cisco, Microsoft 365, Salesforce, Google Apps, and many more.
Figure 1. Users and apps consuming SaaS via Cisco SD-WAN Cloud OnRamp for SaaS
Cisco SD-WAN Cloud OnRamp for SaaS continuously monitors all possible paths to the SaaS applications by sending probes and then, based on probe latency and loss, selects the best possible path for routing the traffic, thereby helping ensure fast, efficient, and reliable connectivity (Figure 1). In Cisco vManage (Cisco SD-WAN’s management plane), probe loss and latency values are used to calculate a Quality of Experience (QoE) score, which gives network administrators visibility into network path performance over a period of time and lets them use that information for troubleshooting and improving the user experience. More details on Cloud OnRamp for SaaS can be found in this white paper.
Out of the box, this solution supports top business services to provide a seamless user and application experience. In addition, it can also provide best-path selection for custom and standard NBAR (Network-Based Application Recognition) applications, allowing enterprises to enable Cloud OnRamp for SaaS capabilities for the SaaS application of their choice. The Cloud OnRamp for SaaS Kubernetes integration takes advantage of these capabilities to extract SaaS connectivity requirements from Kubernetes applications and automatically program them into Cloud OnRamp for SaaS.
Kubernetes applications and the SaaS they consume
Kubernetes is the de facto standard application orchestration tool that most enterprises use today to build modern microservices applications. As such, Kubernetes provides support for interconnecting these microservices with one another. Not only that, it also offers ways for application administrators to define the remote services that the local microservices consume. One possible way to do so is by leveraging the capabilities that tools such as service meshes offer. A service mesh is an application infrastructure layer that can be deployed on top of Kubernetes and helps offload common operations performed by the microservices into this infrastructure layer. Service meshes typically define explicitly the services that are part of the application, both internal and external.
Figure 2. Example of the specification of some SaaS dependencies in an Istio service mesh in Kubernetes and how those can be mapped to Cloud OnRamp for SaaS configuration
Taking the example of the Istio service mesh, it is possible to find out which remote services the DevOps team is defining by looking at service mesh configurations like the one in Figure 2. Notice how the service mesh configuration provides all the relevant information needed to configure the Cloud OnRamp for SaaS operation in the SD-WAN that connects the local Kubernetes app with the remote services it consumes. Also note that the Istio service mesh is just one example of where this type of configuration can be found; there are other options in Kubernetes for defining external service connectivity, both with and without a service mesh. For an enterprise-ready Istio platform, please check out Calisti.
Configuration automation via open-source Egress Watcher
To help with this automation and reduce the toil of both NetOps and DevOps teams, Cisco has released an open-source tool that takes care of configuring Cloud OnRamp for SaaS based on the information it finds in Kubernetes. This tool is called Egress Watcher and was officially introduced at KubeCon Europe 2022. A talk presenting the idea behind the tool to the KubeCon community can be seen in this Cloud Native Computing Foundation Lightning Talk video. The tool is publicly available on GitHub, with both source code and precompiled packages offered.
Figure 3. Egress Watcher open-source tool for monitoring and converting service definitions in Kubernetes
The Egress Watcher tool works as follows. Once deployed and properly configured, it monitors the Kubernetes cluster, looking for definitions of new external services. In addition, it can detect when an existing external service definition has been updated. When deployed, the tool also performs an initial scan of the existing external service definitions. Every time it finds a new or updated external service definition, it analyzes the content, looking for the host and port definitions. It converts this information into the corresponding vManage API calls and programs a new Cloud OnRamp for SaaS application (if one was not already defined). For all the details on how to install and use the tool, please refer to the GitHub project.
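The mapping sketched in Figure 2 and the scan/update workflow described above, as an added illustration that is not Egress Watcher's own code: it pulls host and port pairs out of Istio ServiceEntry objects (in the JSON form the Kubernetes API returns), skips services that are internal to the mesh, and reports only the applications that still need to be programmed. The SaasApp field set, the application naming scheme and the wildcard-host rule are assumptions; the real vManage payload is not modelled.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class SaasApp:            # one Cloud OnRamp for SaaS custom app (assumed fields)
    name: str
    host: str
    port: int
    protocol: str

def extract_saas_apps(service_entry: dict) -> List[SaasApp]:
    """Pull (host, port) pairs from an Istio ServiceEntry in the JSON form the
    Kubernetes API returns. Only external services are mapped; Istio's
    'location' field defaults to MESH_EXTERNAL when it is omitted."""
    if service_entry.get("kind") != "ServiceEntry":
        return []
    spec = service_entry.get("spec", {})
    if spec.get("location", "MESH_EXTERNAL") != "MESH_EXTERNAL":
        return []
    apps = []
    for host in spec.get("hosts", []):
        if host.startswith("*"):  # assumption: a wildcard is not a probe target
            continue
        for port in spec.get("ports", []):
            number = int(port["number"])
            name = f"{host.replace('.', '-')}-{number}"  # assumed naming scheme
            apps.append(SaasApp(name, host, number, port.get("protocol", "TCP")))
    return apps

def reconcile(known: Dict[str, SaasApp], entries: List[dict]) -> List[SaasApp]:
    """Initial scan and update handling: return only apps that are new or
    changed (what would be pushed to vManage); unchanged ones are skipped."""
    changed = []
    for entry in entries:
        for app in extract_saas_apps(entry):
            if known.get(app.name) != app:
                known[app.name] = app
                changed.append(app)
    return changed

# Constructed sample ServiceEntry objects (not taken from the white paper).
SAMPLE_ENTRIES = [
    {"kind": "ServiceEntry", "spec": {"hosts": ["api.crm.example"],
     "location": "MESH_EXTERNAL",
     "ports": [{"number": 443, "name": "https", "protocol": "HTTPS"}]}},
    {"kind": "ServiceEntry", "spec": {"hosts": ["db.internal.example"],
     "location": "MESH_INTERNAL", "ports": [{"number": 5432, "protocol": "TCP"}]}},
    {"kind": "ServiceEntry", "spec": {"hosts": ["*.cdn.auth.example", "login.auth.example"],
     "ports": [{"number": 443, "protocol": "HTTPS"}, {"number": 80, "protocol": "HTTP"}]}},
]
```

Running `reconcile({}, SAMPLE_ENTRIES)` yields three applications on the initial scan; a second pass with the same entries yields none, and a changed port on an existing host yields exactly one.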
In this white paper we have introduced the Cisco SD-WAN Cloud OnRamp for SaaS Kubernetes integration, which provides a new way to automatically configure Cloud OnRamp for SaaS based on defined SaaS requirements of Kubernetes applications. This new integration enables easy network optimization tailored for modern distributed applications, reducing possible network bottlenecks. The integration reduces the time and effort required for NetOps teams to enable these optimizations, allowing them to focus on other matters while letting automation take care of trivial configuration tasks.