Identifying network requirements for applications in IBM PureApplication System
Deploying applications in a traditional IT environment can be time-consuming and labor intensive because each application requires its own customized infrastructure. For example, data processing applications require high-performing compute systems, whereas web applications typically require high bandwidth networking. Instead of having to worry about time-consuming, manual, and error-prone data center changes, IBM® PureApplication System is designed to help simplify the creation of application infrastructures using its single administration interface. An application's CPU, memory, and storage are allocated dynamically on PureApplication System's resources. In the same way, network settings for applications running on PureApplication System are dynamic and configurable. However, additional planning is recommended (for example, how the network settings will integrate into the existing data center).
To optimize PureApplication System to host many applications, an evaluation of each application's characteristics and network requirements is recommended. To assist in this evaluation, this article details how an application architect can identify and quantify an application's requirements. This article also describes how these requirements impact PureApplication System's and data center's configurations. You need to consider the following questions for each application:
- How much network traffic does my application generate?
- How critical is my application's uptime to the business?
- Are there components of my application that should not be accessible by my users?
- Does my application need to communicate with existing enterprise systems or services hosted outside of PureApplication System?
These questions are addressed by introducing the following concepts – bandwidth, availability, isolation, and connectivity. These concepts are reinforced using a real-world e-commerce application example. At the conclusion of this article, an application architect can use these concepts to clearly communicate their application's requirements to their network and PureApplication System administrators.
Application bandwidth requirements
The first application requirement to consider is bandwidth, which is the amount of network traffic traveling to and from an application. A proper bandwidth estimate is important because an inadequate sizing can negatively affect an application's overall performance. Through the course of normal operations, an application typically communicates with multiple components and services, contributing to the application's bandwidth requirement.
Application communication contributing to the bandwidth requirement may include:
- Application requests (for example, web page requests)
- Database transactions (for example, data queries or updates)
- Messaging protocols (for example, putting a message on the queue)
- Authentication service (for example, LDAP requests)
- API calls (for example, RESTful interface calls)
For each external system an application communicates with, a conservative bandwidth estimate needs to be created to determine the total traffic volume. For example, to estimate an application's request and response bandwidth requirements, you can multiply the application's average page size by the peak number of page views per second. The page size includes the page's content, such as images and other data required to render a page. If the application performs large data transfers, more bandwidth is needed to prevent the network from becoming a performance bottleneck.
Aggregating these bandwidth calculations, the network administrator can determine the total bandwidth requirement for all applications running on PureApplication System. Figure 1 shows how the bandwidth can then be allocated by adding physical network connections between PureApplication System and the data center's network switches.
Figure 1. Bandwidth allocation using multiple network links
When connecting PureApplication System to the data center, applications can be allocated either shared or dedicated bandwidth (see Figure 1). The connections on the left (in blue) illustrate how bandwidth from two 10 Gigabit (Gb) connections (20 Gb in total) can be shared between multiple applications (App #1 and App #2). For applications that have dedicated bandwidth requirements, an administrator can dedicate bandwidth to an application as depicted by the connections on the right (in purple). In this configuration, App #3 has been exclusively assigned a total of four 1 Gb connections, resulting in 4 Gb of dedicated bandwidth. Administrators can continue to add to these connections to provide an increase in bandwidth as an application's bandwidth requirement grows. PureApplication System allows an administrator to connect up to 32 connections (10 Gb and/or 1 Gb, fibre or copper), providing up to 320 Gigabits per second (Gbps) of bandwidth for the system's application traffic.
Application architects work to meet their users' and business' performance expectations by properly estimating an application's bandwidth requirement. When all application bandwidth requirements are calculated, the network administrator can allocate the proper number of connections from the data center to PureApplication System.
Application availability requirements
In addition to bandwidth, an application's availability requirements must be understood to ensure the network is integrated with the proper resiliency and redundancy characteristics. Availability requirements translate to the maximum downtime an application's users or the business can tolerate. Consider these two examples: a revenue generating application can only tolerate seconds of downtime per year, and a development/test environment can often be unavailable for hours or days without significant impact to the business.
An application's availability can be affected by many factors, including the application's design, deployment topology, or the underlying network. Focusing on the underlying network, PureApplication System is built with network redundancy throughout the rack to ensure continuous application availability even through maintenance updates. The primary factor in how networking impacts application availability is how PureApplication System's switches are connected to the data center switches. As shown in Figure 2, it is possible to achieve higher application availability by increasing the physical connections carrying an application's traffic.
Figure 2. Adding network links increases availability
At a minimum, PureApplication System requires two physical connections to a single data center switch. This configuration is typically sufficient for development and test environments. Applications requiring higher levels of availability should consider connecting PureApplication System to multiple data center switches, as shown in Figure 3. This configuration helps an application to better tolerate failures by providing multiple paths to PureApplication System.
Figure 3. PureApplication System’s switches cabled for high availability
An application architect must decide if their application's availability requirement can be sufficiently supported through the minimum availability configuration, or if it requires a more complex configuration. This decision is made based on the business' expectations of the application's availability.
Application network isolation requirements
Security is critical for applications, especially if they must comply with industry regulations and corporate security policies. To help meet these requirements (such as the need for preventing system access from outside systems or people), PureApplication System provides network segmentation capabilities to isolate applications and their components. Even though a PureApplication System may host multiple applications, its network isolation technology can be used to help grant the same level of security as if the applications were running on physically separate dedicated hardware. This network isolation can help assure an application owner that their deployed application conforms to the required policies.
PureApplication System offers two options with respect to isolation. Applications as a whole can be isolated in separate environments while leaving internal communication open. For example, this is shown in Example 1 in Figure 4, which isolates development and test environments. PureApplication System can also provide further isolation by restricting access between an application's components or services (see Example 2 in Figure 4). If isolation is not required, you can configure PureApplication System to permit open communication between applications over the same network.
Figure 4. Two examples of isolation on PureApplication System
At the network level, you can achieve isolation between systems by segmenting them into different networks. Each segmented network is called a network security zone or network zone. You can use network zones to separate different types of environments, such as development and test systems (Example 1 in Figure 4) or to separate application tiers (Example 2 in Figure 4). Additionally, you can use them to classify access domains or traffic patterns, such as standard web requests or secured payment transactions where specific communication is isolated.
To create network zones, PureApplication System uses an industry standard network technology called virtual local area networks (VLANs). Historically, networks were segregated physically by running multiple wires – one for each network. VLANs provide the same type of isolation over a single physical wire. If a data center is already using VLANs to isolate traffic, PureApplication System can leverage those VLANs to help provide isolation to the hosted applications. Alternatively, if an application is currently isolated using physical wires, those wires can be connected to the PureApplication System switches and PureApplication System can extend that isolation internally using VLANs.
Whether grouping by application type, transaction type, or environment type, PureApplication System provides a tool with the ability to create network zones using VLANs to help meet both application and business security requirements.
Application connectivity requirements
The last consideration when developing or migrating an application to PureApplication System is the connectivity to existing enterprise services. These services can include authentication services (for example, IBM Tivoli® Directory Server), or queuing services (for example, IBM WebSphere® MQ Server) that may already be configured and running elsewhere in the data center. These services are considered external because they are not hosted on PureApplication System.
PureApplication System provides connectivity to existing services through patterns. An application architect can take advantage of this feature by specifying the required services' connection information (for example, IP address, port number, and authentication information) in a pattern for their application. When the pattern is deployed, PureApplication System uses the provided information to connect the application to the required services.
If an application needs to interact with external services, the application architect should also speak with a network administrator about this requirement. The network administrator needs to ensure that the application's particular network zone (or VLAN) can communicate with the existing services in the data center.
Demonstrating PureApplication System networking with a sample application
To demonstrate how an application architect can determine their application's requirements, this section evaluates a sample e-commerce application running in a production environment. The approach used is an example. However, you can use the same process for other applications. Figure 5 shows the application's three-tier architecture.
Figure 5. Sample application topology
The sample application topology consists of the following components:
- Web server: This is the system used to distribute requests to one or more application servers. This web server has load balancing capabilities and constitutes the web tier – Tier 1.
- Application server: This is one or more systems used to host the e-commerce application. These servers constitute the application tier – Tier 2.
- Database server: This is the system used to store the application's data. This server constitutes the database tier – Tier 3.
- Existing enterprise services: These are systems or services hosted outside of PureApplication System:
  - Queuing service: A service used by the application to process requests.
  - Enterprise LDAP server: An enterprise system for user authentication.
  - Enterprise Service Bus: An enterprise system used to manage the processing of requests and jobs to backend legacy systems.
The first application characteristic to assess is the application's bandwidth requirements. In this case, the e-commerce application is not data intensive and users will not be uploading large files. The bandwidth calculation is focused only on the application's page responses. The application's main page (which is the largest of all pages) is 800 Kilobytes (KB). The application also has a peak load of 100 users accessing the site at a time. This equates to 80,000 KB or 80 MB of network traffic if all 100 users access the page concurrently. Therefore, a conservative estimate is that this application requires at least 80 Mbps of bandwidth.
The e-commerce application in this case is hosted on PureApplication System in a production environment, where the business expects no more than one hour of downtime a month. To help meet this requirement, the network infrastructure connecting PureApplication System to the data center is set up in a highly available configuration. The network administrator ensures that there are redundant switches in the data center connecting to PureApplication System, as shown in Figure 3.
Application isolation requirements
After an application's topology is defined, the process of mapping the application's isolation requirements to network zones begins. In this example, network zones are used to restrict access between the components in each tier. For instance, the database is accessed only by the application servers, so that end users never have direct access to the data. To enforce this, the database and application servers are in their own isolated network zones with the appropriate interzone rules defined.
One way to determine how many distinct network zones are required is to trace an end user's request. For example, when a user logs in, the following steps occur (see Figure 6):
- A request is sent to the web server.
- The request is relayed to one of the application servers.
- The application server receives the request and determines that it needs to authenticate the user.
- The application server sends the request to the LDAP server for authentication.
Figure 6. A sample user's authentication request
This procedure shows that the request traces through three distinct systems – the web server, application servers, and the LDAP server. To ensure security, each of these components is isolated in its own network zone. Using this method and applying it to the sample application creates a total of at least three network zones – one for each tier (see Figure 7).
Figure 7. Sample set of network zones
After the network zones have been identified, the network and PureApplication System administrators can use this information to determine how many VLANs are required to support the application's tiers. The network administrator also ensures the appropriate routing rules are defined so that the specified components can communicate with each other.
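The trace-based approach above can also be used to check the interzone rules themselves. The following sketch is an added example, not part of the original article or of PureApplication System; the zone names, the traces other than the login trace, and the rule sets are assumptions made for illustration. It derives the interzone rules that the request traces need and compares them with a configured default-deny allow-list.

```python
# Added example, not IBM code. Zone names, the traces other than "login", and
# the rule sets are constructed for illustration.

# Component -> network zone (one VLAN per zone). Users and the existing
# enterprise services are modelled as zones of their own (assumption).
ZONE_OF = {
    "user": "external", "web_server": "web", "app_server": "app",
    "db_server": "db", "ldap": "enterprise", "queue": "enterprise",
}

# Request traces: the ordered components one request passes through.
TRACES = {
    "login": ["user", "web_server", "app_server", "ldap"],   # as in Figure 6
    "order": ["user", "web_server", "app_server", "db_server"],
    "enqueue": ["app_server", "queue"],
}

# Flows that tier isolation must never allow, e.g. end users reaching the database.
FORBIDDEN = {("external", "db"), ("external", "app"), ("web", "db")}


def required_rules(traces, zone_of):
    """Derive the directional interzone (src, dst) pairs the traces need."""
    rules = set()
    for hops in traces.values():
        for src, dst in zip(hops, hops[1:]):
            pair = (zone_of[src], zone_of[dst])
            if pair[0] != pair[1]:  # traffic inside one zone needs no rule
                rules.add(pair)
    return rules


def audit(configured, traces=TRACES, zone_of=ZONE_OF, forbidden=FORBIDDEN):
    """Check a default-deny allow-list of interzone rules against the traces."""
    needed = required_rules(traces, zone_of)
    return {
        "missing": sorted(needed - configured),        # application would break
        "excess": sorted(configured - needed),         # wider than any trace needs
        "violations": sorted(configured & forbidden),  # defeats tier isolation
    }


# Constructed rule set; the last rule is a deliberate misconfiguration.
CONFIGURED = {
    ("external", "web"), ("web", "app"), ("app", "db"),
    ("app", "enterprise"), ("web", "db"),
}

if __name__ == "__main__":
    for finding, rules in audit(CONFIGURED).items():
        print(finding, rules)
```

Rules are directional (initiating zone to destination zone); return traffic is assumed to be handled statefully by whatever enforces the rules.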
Application connectivity requirements
The final application characteristic that must be determined is the connectivity requirements to externally hosted components and services. These existing enterprise services are typically secured in their own network zones and the application must be explicitly granted access. To grant access, a network administrator needs the IP and port information for each existing service. In this example, the following information is provided:
- Queuing service:
- Enterprise LDAP:
- Enterprise Service Bus:
There are four key application characteristics to consider when onboarding an application on PureApplication System. Here's a summary of those from our e-commerce example:
- Bandwidth: A minimum of 80 Mbps
- Availability: One hour of downtime per month, thereby requiring multiple network paths from the data center to PureApplication System
- Isolation: Three separate network zones for each tier of the application
- Connectivity: External connectivity to the existing queuing service, enterprise LDAP, and Enterprise Service Bus
Through analysis, the application architect determined the application's requirements to help him clearly communicate with the network and system administrators to achieve both application and business demands. Figure 8 illustrates the resulting configuration and deployment of the sample application on PureApplication System.
Figure 8. Sample application deployed successfully on PureApplication System
To provide adequate bandwidth and availability, this configuration requires four 1 Gb links connecting to two data center switches. The network has also been segmented securely for each application tier while maintaining connectivity to the three existing services.
In summary, you can use PureApplication System to help provide substantial deployment savings by integrating servers, storage, and network in a single consolidated system. It is designed to host multiple applications, keeping the same level of integrity, security, and performance as if the applications were running on dedicated hardware. To best leverage PureApplication System, an application architect and administrators need to be aware of how an application's network requirements can impact PureApplication System's bandwidth, availability, security, and connectivity configurations as described in this article.
The authors would like to thank the following individuals for their contributions in providing ideas and content and for their reviews of this article: Andrew Hately, Jeff Coveyduc, Susie Holic, Greg Boss, and Mike Law.