What are Virtual Network Functions (VNF)?
Previously, functions such as routers, firewalls and load balancers were performed by proprietary hardware. In IBM Cloud, proprietary hardware such as FortiGate firewalls still resides inside IBM Cloud data centers today. In a VNF, these hardware functions are packaged as virtual machine images.
VNFs are virtualized network services packaged as virtual machines (VMs) that run on standard hardware. They allow service providers to run their networks on standard servers instead of proprietary ones. Common VNFs include virtualized routers, firewalls, load balancers, WAN optimization, security and other edge services. With a cloud provider like IBM, the customer can spin up these VNF images on a standard virtual server instead of proprietary hardware.
What is Network Functions Virtualization (NFV)?
NFV is a technology that enables network operators to virtualize network functions and services and run them on common hardware. The NFV Orchestrator (NFVO) is responsible for the VNF lifecycle. In NFV, VNFs are instantiated, managed, scaled up or down, and terminated when no longer needed.
How NFV works in IBM Cloud
The NFV solution internally uses the IBM Cloud Schematics service, a wrapper over the Infrastructure as Code (IaC) tool Terraform, to provision resources in the cloud. Terraform takes care of creating, updating and deleting VNF instances in the cloud. IBM Cloud VNF vendors such as F5, Check Point and Palo Alto include their images (qcow2 images) in IBM Cloud. In VPC, these images are available as custom images. Vendors provide a public GitHub repository containing the Terraform code for provisioning their VNF instance in IBM Cloud. Finally, the VNF vendor publishes its service in the IBM Content Catalog. Whenever a user creates a VNF service from the IBM Content Catalog, a VNF instance is created internally through the vendor-provided Terraform code. This is the F5 image that is available in the IBM Cloud Catalog.
IBM Cloud VPC customers want a VNF firewall in front of their traffic so that the VNF firewall appliance controls the traffic and filters out bad traffic. This provides security for their VPC clients. VPC users also want to install the VNF in High Availability (HA) mode, because a single VNF causes downtime whenever it goes down. In HA mode, if one of the VNFs goes down, the other VNF takes over. IBM Cloud clients such as BNPP use F5 load balancers.
VNF high availability
There are two types of high availability in VNF:
Active-active mode
In active-active mode, both VNFs are active. A load balancer sits in front of the two VNFs and distributes the traffic between them, routing each request in a round-robin fashion to one of the VNFs.
Active-passive mode of operation
In active-passive mode, one VNF is active and the other VNF (in passive mode) acts as a backup in case of an outage. Based on the health check of the active VNF, the active-passive state of the VNFs is changed and traffic is switched to the currently active VNF. An application changes the ingress or egress routes to the next-hop IP address of the currently active VNF using the VPC REST API. Currently, FortiGate is the only customer that does this in IBM Cloud.
Customers prefer active-passive VNF HA because it is more cost-effective than active-active VNF HA. A network device such as a VNF usually has two kinds of cost:
- Unmetered: the cost of operating the device
- Metered: the price of data/traffic
The metered cost does not differ between active-passive and active-active. The unmetered cost does differ: an idle (standby) device always consumes less power than an active device, for the following reasons:
- A standby device has three interfaces: internal, external and HA. In standby mode only the HA interface is used, to synchronize data from the active device, while the other two interfaces are idle. This is not the case on an active device, where all three interfaces are in use.
- Because the standby device performs only minimal tasks, it uses fewer resources such as CPU and RAM, so its power consumption, and therefore the cost of running it, is lower than that of the active device.
Active-Active VNF solution in VPC
Please see the “Active/Active HA transparent VNF (single, multi-zone region VPC)” documentation, Use Case 2.
Active-passive solution in VPC
Here is an example application that a VNF vendor such as F5 or Palo Alto can call to change inbound or outbound routes to the next-hop IP address of the currently active VNF using the VPC REST API. The application has the following features:
- It runs as an IBM Kubernetes Service (IKS) or IBM Cloud Code Engine VNF HA application that changes VPC custom routes so that their next hop is the currently active VNF.
- It uses the VPC SDK to change custom routes, reaching the API through a management subnet that is attached to a public gateway.
- The application is private, scalable and highly available.
The figure below illustrates an active-passive HA solution with a Virtual Network Function (VNF) running in IKS or Code Engine.
This link provides more information on installing the HA solution for an F5 VNF HA setup. The GitHub repository also has instructions for installing the VNF standalone and in high availability mode. F5 and Palo Alto VNFs have fault detection mechanisms that can run failover scripts. The HA application works in IBM Kubernetes Service and IBM Cloud Code Engine. In IBM Cloud, a custom route table is zone-specific, so it cannot be used in a cross-zone VNF HA deployment; both VNFs of an HA pair must be in the same zone.
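The route-flip step that the HA application performs when the failover script calls it, as an added example that is not IBM's or any vendor's HA application code: it assumes a hypothetical VpcClient-style interface (list_routes/update_route) standing in for the VPC SDK, and before changing anything it checks that the requested next hop is one of the configured HA pair and that the routes are in the pair's zone, since custom route tables are zone-specific.

```python
from dataclasses import dataclass, field

@dataclass
class Route:
    id: str
    zone: str
    next_hop: str  # next-hop IP address currently set on the route

@dataclass
class FakeVpcClient:
    """Stand-in for the VPC SDK (hypothetical); records the updates it would send."""
    routes: list
    updates: list = field(default_factory=list)

    def list_routes(self):
        return list(self.routes)

    def update_route(self, route_id, next_hop):
        self.updates.append((route_id, next_hop))
        for r in self.routes:
            if r.id == route_id:
                r.next_hop = next_hop

def failover(client, vnf_pair, zone, now_active):
    """Repoint every custom route in `zone` at the VNF named `now_active`.
    vnf_pair maps each HA peer to its internal-interface IP; only those IPs
    are accepted as next hops, and only routes in `zone` are touched
    (custom route tables are zone-specific). Returns the changed route ids.
    """
    if now_active not in vnf_pair:
        raise ValueError(f"unknown VNF {now_active!r}; allowed: {sorted(vnf_pair)}")
    target, peer_ips = vnf_pair[now_active], set(vnf_pair.values())
    updated = []
    for route in client.list_routes():
        if route.zone != zone or route.next_hop not in peer_ips:
            continue  # unrelated route: leave it alone
        if route.next_hop == target:
            continue  # already points at the active VNF (idempotent re-run)
        client.update_route(route.id, target)
        updated.append(route.id)
    return updated

VNF_PAIR = {"f5-a": "10.240.0.10", "f5-b": "10.240.0.11"}  # constructed HA pair
SAMPLE_ROUTES = [  # constructed: ingress/egress routes in us-south-1, currently via f5-a
    Route("r-ingress", "us-south-1", "10.240.0.10"),
    Route("r-egress", "us-south-1", "10.240.0.10"),
    Route("r-other", "us-south-2", "10.240.64.5"),  # other zone, other next hop
]
if __name__ == "__main__":
    print(failover(FakeVpcClient(SAMPLE_ROUTES), VNF_PAIR, "us-south-1", "f5-b"))  # ['r-ingress', 'r-egress']
```

Running the same call twice changes nothing the second time, so a failover script that fires repeatedly on a flapping health check does not churn the routing table.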
Here is the VPC routing table with the next hop of the currently active VNF:
F5 VNF active-passive HA
The failover script is located under the directory /config/failover/tgactive on the active/passive F5 instance. The failover script calls the IKS or Code Engine application to update the next-hop IP address of all ingress or egress routes in the VPC routing table. The VNF HA setup is private and cannot reach the Internet for security reasons; therefore the management subnet is used to reach the HA application, as shown below:
curl --interface mgmt http://063af6bc-us-south.lb.appdomain.cloud:8000/f5/failover
You can add a notification to the failover script to send an email to the administrator or operator. The operator can check the problem in the VNF that has crashed and start it.
VNF integration with IBM Event Notification
In the context of a failover script, embedding IBM Cloud Event Notifications with the Custom Email Destination feature provides a valuable tool to improve problem response in a Virtual Network Function (VNF). Here’s how it can work:
- When a VNF goes down or encounters a problem, a failover script can be configured to trigger an automatic notification. This notice can be sent as an email to the designated administrator or operator responsible for managing the VNF.
- The operator, upon receiving the email notification, can immediately investigate the problem with the downed VNF. With timely information at their fingertips, they can take the necessary steps to launch the VNF and effectively resolve the issue.
By using the Custom Email Destination feature in IBM Cloud Event Notifications, companies can extend the capabilities of their failover scripts and improve their incident response procedures. This approach aligns with the broader theme of leveraging technology to optimize operations and improve customer satisfaction, as discussed in the previous example.
- Example of a notification request:
curl -X POST --location --header "Authorization: Bearer iam_token" --header "Content-Type: application/json" "base_url/v1/instances/instance_id/notifications"
- Example JSON body for sending notifications to different destinations:
{
  "id": "b2198eb8-04b1-48ec-a78c-ee87694dd845",
  "time": "06/06/2022, 14:23:01",
  "type": "com.ibm.cloud.sysdig-monitor.alert:downtime",
  "message_text": "Hi, Welcome from the IBM Cloud - Event Notifications service!",
  "source": "apisource/git",
  "specversion": "1.0",
  "ibmensourceid": "d6f08a53-05f6-465f-903e-03db3fa91b64:api",
  "data": {
    "greet": "Afternoon",
    "create_time": "2022-07-06T09:19:45.213429645Z",
    "create_timestamp": 1657099185,
    "issuer": "IBM Cloud VNC",
    "issuer_url": "https://cloud.ibm.com/vnc",
    "long_description": "Success! Your Event Notifications instance is configured with IBM Cloud VNC",
    "payload_type": "test",
    "reported_by": {
      "id": "compliance",
      "title": "IBM Cloud VNC",
      "url": "https:"
    },
    "severity": "LOW",
    "short_description": "Success! Your Event Notifications instance is configured with IBM Cloud VNC.",
    "transaction_id": "e539778e-4915-4586-b4c9-48e44af5c010",
    "name": "IBM Cloud Event Notifications",
    "price": "100",
    "rating": "4.9"
  },
  "datacontenttype": "application/json",
  "ibmendefaultlong": "This is a original long message",
  "ibmendefaultshort": "IBM Cloud Event Notifications is a routing service that provides information about critical events in your IBM Cloud account",
  "ibmenfcmbody": "{\"notification\":{\"title\":\"Hello Pradeep, Your Order summary - Hot Chilli Manchurian ($20) and French Fries ($11) is on its way!\"},\"time_to_live\":100}",
  "ibmenpushto": "{\"platforms\":[\"push_chrome\"]}",
  "ibmenmailto": "[\"[email protected]\"]",
  "personalization": {
    "[email protected]": {
      "name": "Pradeep"
    }
  }
}
In summary, integrating IBM Cloud Event Notifications with a custom email destination in failover scripts improves operational efficiency and enables rapid response to VNF issues. It reduces downtime and potential service disruptions, which benefits both the business and its customers by keeping service uninterrupted. Operators receive real-time alerts and can take proactive measures to maintain network stability and reliability. Furthermore, customers can choose from a range of notification options, including PD (PagerDuty), SMS, Slack and more, along with customized email notifications, so they receive alerts in the way that best suits their needs and preferences.
For more detailed information on implementing such notifications and using IBM Cloud Event Notifications for VNF integration, you can refer to the provided documentation and sample request.
Palo Alto VNF active-passive HA
The GitHub repository has instructions for installing the VNF standalone and in high availability mode. The active-passive HA application runs in IBM Kubernetes Service and Code Engine. The image below shows a Palo Alto VNF HA pair running in active-passive mode.
Check Point VNF Active-Active HA
The figure below illustrates an active-active virtual network function (VNF) HA solution working with a network load balancer.
This GitHub repository contains instructions for installing the VNF both standalone and in high availability mode. The HA application works only in active-active mode. The image below shows Check Point VNF HA running in active-active mode.
Here is a screenshot of the active-active state of a cluster of VNFs:
Conclusion
You now have a basic understanding of how VNFs work in IBM Cloud. You have also seen the various high availability VNF solutions available in VPC. You can install a VNF in standalone mode or in high availability mode by following the instructions in the public GitHub repositories linked from this blog.
You can find these NFVs in the IBM Cloud Catalog: