Software-Defined Networking (SDN) provides significant improvements in how network functions are distributed and utilized within the data center by way of overlay abstraction, disaggregation of network services, and de-coupling control plane intelligence from physical kit. Some organizations are doubling down by using converged or hyper-converged infrastructure as the platform for their virtualized environment or private cloud.
The result is turtles all the way down: it is challenging to design, visualize, and troubleshoot these complex data center networking environments. In the past, I’ve used detailed network diagrams and various projects (such as NSX Tier Builder and Tier Viewer) to assist in both day 1 and day 2 operations, along with a Working with NSX series. The downside is that these projects are narrow in scope and ignore the physical underlay and related topology.
Coming out of a Series B funding round, the energetic folks at Arkin have a superb solution with their visibility and operations platform. I was first shown their beta product back at VMworld 2014 US and my eyeballs melted with what I witnessed. Six technology patent submissions and eight months later, Arkin has unveiled the general availability of their new platform.
Put simply, the platform is able to pull telemetry from a variety of physical and network endpoints – such as Cisco UCS and VMware NSX – to build a Google-like search engine for your network. The platform can be deployed on-premises for a completely protected installation. If you prefer SaaS, a proxy appliance will be deployed on-premises to beam data into the cloud. Here’s a high-level overview of the Arkin stack and integration points:

The search engine and related queries can be used for real-time visibility and troubleshooting or pinned for future use and sharing with other IT professionals. The search box automatically fills with suggested items and the correct syntax. A green check mark supplied at the beginning of the query notifies you if the syntax is correct. It took a few minutes to get the hang of the query format, but was not challenging. Searches are remembered, making it simple to return to a recent task.

The pinboard is analogous to a dashboard. Click the pin to board and share button to complete a pin action, or view your pins in the bottom tray. Pins are based on queries, meaning they can be made dynamic based on the search criteria. For example, using the query troubleshoot vm where connected = false as a pin results in different data depending on the state of the network.

Security Mapping
This same logic extends into logical groupings: security groups, firewall settings, virtual networks, and overlays. One of the most impressive insights is how security groups and security policies mesh. Arkin tells you if firewall rules were intended for a group of objects but are not being utilized due to incorrect rule ordering or prioritization. This is a common issue when wide open any:any or allow rules are matched prior to a deny rule between groups. Being able to visualize the security policies being applied to a virtual machine or security group has real value for virtualization, network, and security personnel, on top of the business unit or auditing teams looking for assurance that their application is properly protected.
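The rule-ordering problem described above can be checked offline against an exported rule list. The sketch below is an added example, not Arkin's code or query syntax: it assumes first-match, top-down evaluation with a default deny, treats a security group as an opaque name (overlapping group membership is not modeled), and uses constructed rules in which only the Product and Business group names come from this article.

```python
from dataclasses import dataclass

ANY = "any"

@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # security group name, or ANY
    dst: str      # security group name, or ANY
    service: str  # e.g. "https", or ANY
    action: str   # "allow" or "deny"

def covers(earlier: Rule, later: Rule) -> bool:
    """True if every flow matched by `later` is already matched by `earlier`."""
    fields = ((earlier.src, later.src),
              (earlier.dst, later.dst),
              (earlier.service, later.service))
    return all(e == ANY or e == l for e, l in fields)

def find_shadowed(rules):
    """List (shadowed rule, shadowing rule, actions_conflict) for a first-match rule list."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                findings.append((later.name, earlier.name,
                                 earlier.action != later.action))
                break  # the first covering rule is the one that actually fires
    return findings

def effective_action(rules, src, dst, service, default="deny"):
    """Return (action, rule name) that a concrete flow hits under first-match."""
    flow = Rule("flow", src, dst, service, "")
    for rule in rules:
        if covers(rule, flow):
            return rule.action, rule.name
    return default, None  # assumed default-deny when nothing matches

# Constructed sample: a wide-open allow placed above the rules it defeats.
SAMPLE_RULES = [
    Rule("allow-all", ANY, ANY, ANY, "allow"),
    Rule("product-to-business-https", "Product", "Business", "https", "allow"),
    Rule("deny-product-to-finance", "Product", "Finance", ANY, "deny"),
]
# Same rules with the any:any rule moved to the bottom.
REORDERED = SAMPLE_RULES[1:] + SAMPLE_RULES[:1]

if __name__ == "__main__":
    for shadowed, by, conflict in find_shadowed(SAMPLE_RULES):
        kind = "CONFLICT" if conflict else "redundant"
        print(f"{shadowed} never matches (shadowed by {by}): {kind}")
```

A conflict finding is the dangerous case: the deny was written but the traffic is still allowed. A redundant finding only means the narrower rule is dead weight.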

In the example below, the Product security group has been approved to send https traffic to the Business security group. Color coding clarifies traffic flow: tan for indirect rules, blue for outgoing (egress) rules, and green for incoming (ingress) rules. Each slice of the pie chart provides details when the mouse is moved over it and acts as a hot link to the entity represented.

Topology Maps
Arkin crafts stunningly beautiful topology maps for VLAN and VXLAN networks in real-time. Below is a visualization of the VXLAN named IT-PRI-1 that exists in a Cisco UCS environment coupled with VMware NSX. All physical and logical entities that are attached to the VXLAN are represented, including the Cisco UCS IO Modules (FEX) and Fabric Interconnects (FIs) shown in the middle of the circle as green boxes. Hovering the mouse cursor over an entity shows the end-to-end traffic path for these items:
- vSwitch port group
- VMkernel adapters (vmk)
- Network adapter (vmnic, pnic)
- UCS ports (host, fabric, server, and uplink)

This exercise can be repeated for entities on the network with a different visualization. Below, I’ve captured a short animated GIF showing the traffic path used between two virtual machines. The Arkin platform builds the diagram in real-time and allows for user interaction with any of the objects (switches, routers, firewalls, etc) along the way.

Thoughts
Although I need more stick time with their platform, Arkin has released a must-have product for environments in any stage of the SDN roadmap. The tool adds value for a pure-play traditional network that needs deeper visibility into how virtual machines are communicating in the data center. As SDN and NFV are added, further value is gained with insights into how traffic is traversing through the overlay network and virtualized services such as firewalls, load balancers, routers, and so on.
The sticker price for Arkin’s platform is $750 per hypervisor socket, the same model used by VMware vSphere licenses. There is no charge for connecting physical or virtual network devices into the system, making the licensing model both fair and simple. If you’d like to give their platform a spin, sign up for the demo. For investor and funding information, check out this piece on Forbes by Ben Kepes.