Network Virtualization

The server virtualization techniques described in this chapter offer numerous benefits. To achieve the full rewards of virtualization, CMS must also virtualize the network links supporting communications between the virtual and physical servers. This topic describes the virtualization techniques to accomplish that end.

One of the key benefits of network virtualization (NV) is that it provides efficient utilization of network resources through logical segmentation of a single physical network. Logical, secure segmentation helps CMS comply with regulations for resource and information security. CMS’s goal is to reduce total cost of ownership (TCO) by sharing network resources while still maintaining secure separation between distinct network segments either within the Agency (e.g., web, application and data zones) or among business partners.

Overview of Network Virtualization

As a general principle, CMS employs best-of-breed network components. The primary technologies used to deliver network path isolation and virtualization, and thereby to maintain secure logical network segmentation, are:

  • Generic Routing Encapsulation (GRE)

  • Virtual Routing and Forwarding (VRF) Lite (VRF-Lite)

  • Multiprotocol Label Switching (MPLS)

  • Virtual Local Area Network (VLAN)

  • Virtual Device Context (VDC)

  • Virtual Switching Systems (VSS)

These technologies help provide solutions that preserve the benefits of existing network design while introducing the capability of logical segmentation. They help carve the network into secure virtual networks by overlaying Virtual Private Network (VPN) mechanisms onto the existing Wide Area Network (WAN) or Local Area Network (LAN). These path isolation and virtualization techniques can also help address issues associated with deploying network-based services and security policies in a distributed manner.
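The segmentation these technologies provide is only as good as the configuration behind it: a zone interface left in the global routing table, or a static route that crosses from one VRF into another, silently undoes the path isolation. The following Python audit is an added example, not part of the CMS TRA and not code from any CMS device; it parses a constructed Cisco IOS style VRF-Lite configuration (the VRF names, interface names, VLAN numbers and addresses are all invented for the illustration) and reports two classes of isolation break: VLAN subinterfaces that carry a zone but are bound to no VRF, and `ip route vrf` entries whose egress interface belongs to a different VRF.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of a Cisco IOS style VRF-Lite configuration (not a real
# CMS device). Three zones (WEB, APP, DATA) are intended to be isolated in
# their own VRFs; two defects are planted so the audit has something to find.
SAMPLE_CONFIG = """\
ip vrf WEB
 rd 65000:10
ip vrf APP
 rd 65000:20
ip vrf DATA
 rd 65000:30
!
interface GigabitEthernet0/0.10
 description WEB zone
 encapsulation dot1Q 10
 ip vrf forwarding WEB
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 description APP zone
 encapsulation dot1Q 20
 ip vrf forwarding APP
 ip address 10.20.0.1 255.255.255.0
!
interface GigabitEthernet0/0.30
 description DATA zone
 encapsulation dot1Q 30
 ip address 10.30.0.1 255.255.255.0
!
ip route vrf WEB 10.30.0.0 255.255.255.0 GigabitEthernet0/0.30
ip route vrf APP 10.10.0.0 255.255.255.0 GigabitEthernet0/0.10
ip route vrf APP 0.0.0.0 0.0.0.0 10.20.0.254
"""


@dataclass
class Interface:
    name: str
    vlan: Optional[str] = None   # 802.1Q tag from "encapsulation dot1Q N"
    vrf: Optional[str] = None    # VRF from "ip vrf forwarding X" / "vrf forwarding X"


def parse_config(text: str):
    """Return (interfaces keyed by name, static routes as (vrf, prefix, mask, nexthop))."""
    interfaces = {}
    routes = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None               # "!" terminates an interface block
            continue
        if line.startswith("interface "):
            current = Interface(name=line.split(None, 1)[1])
            interfaces[current.name] = current
            continue
        if line.startswith(" ") and current is not None:
            body = line.strip()          # indented line inside an interface block
            m = re.match(r"encapsulation dot1[Qq] (\d+)", body)
            if m:
                current.vlan = m.group(1)
            m = re.match(r"(?:ip )?vrf forwarding (\S+)", body)
            if m:
                current.vrf = m.group(1)
            continue
        current = None                   # any other top-level statement
        m = re.match(r"ip route vrf (\S+) (\S+) (\S+) (\S+)", line)
        if m:
            routes.append(m.groups())
    return interfaces, routes


def audit_zone_isolation(text: str):
    """Return a list of (finding_type, subject, detail) tuples; empty means isolation holds."""
    interfaces, routes = parse_config(text)
    findings = []
    # 1. A tagged zone subinterface with no VRF binding sits in the global table,
    #    so it is reachable from anything else routed globally.
    for intf in interfaces.values():
        if intf.vlan and intf.vrf is None:
            findings.append(("unbound-interface", intf.name,
                             f"VLAN {intf.vlan} is in the global routing table"))
    # 2. A static route whose egress interface lives in another VRF (or in the
    #    global table) is a deliberate or accidental route leak between zones.
    for vrf, prefix, mask, nexthop in routes:
        egress = interfaces.get(nexthop)     # next hop may be an IP; only interfaces are checked
        if egress is not None and egress.vrf != vrf:
            findings.append(("route-leak", f"{vrf}->{egress.vrf or 'global'}",
                             f"{prefix}/{mask} via {nexthop}"))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in audit_zone_isolation(SAMPLE_CONFIG):
        print(f"{kind:18} {subject:24} {detail}")
```

On the sample this reports the DATA subinterface as unbound and two route leaks (WEB into the global table, APP into WEB); the default route via a next-hop address is not flagged because only interface egress is checked. A production version would run over the configurations exported from the independently managed switching and routing components, so that any leak between zones is caught before a change reaches the network rather than discovered afterwards.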

Business Rules for Network Virtualization

CMS has established the following network virtualization business rules to ensure consistent implementation of these technologies in accordance with CMS TRA guidance.

BR-NV-1: Use Highly Available Network Services to Implement Zone Separation

Each zone must use highly available (HA) network services to implement and maintain the network separation, security, and performance architecture, as prescribed in the CMS TRA for the specific zone.

Virtualization techniques discussed in this chapter, such as VRF-Lite, MPLS, VLAN, or VDC, may also be used for path isolation and virtualization.

The following network services must be independently managed components (as defined in CMS TRA Foundation, Processing Environments):

  • Border routing

  • Network switching

  • Load balancing

  • Intrusion Detection and Prevention

  • Firewalling

These network services cannot be shared with other tenants of the data center.

Rationale:

CMS requires independently managed components to retain operational control and monitoring of the network. The CMS TRA recognizes that underlying technology may be shared, such as in the case of CMS Clouds; however, the configurations, logs, and operational data are CMS sensitive and may not be shared. In addition, CMS must maintain the ability to perform reconfiguration at will, neither interfering with nor being subject to interference from other tenants.