The CTO's Take on the Microsoft Azure Virtual Network TAP

3 Reasons the Azure vTAP is Huge for Cloud Security

What Is the Azure Virtual Network TAP (vTAP)?

Among the slew of new announcements from Microsoft Ignite 2018 was this: the first native distributed network tap available in any public cloud. The new Microsoft Azure Virtual Network TAP (vTAP) enables organizations to mirror virtual machine traffic and direct it to out-of-band network tools without having to use packet-forwarding agents.

ExtraHop was proud to be a launch partner for this feature. In this post, I'll explain why this is such a huge advance for public cloud capabilities, and how ExtraHop customers can benefit, especially when it comes to enterprise security.

Watching Public Cloud Computing Mature

Over the past decade or more, public cloud providers have progressively added capabilities that match traditional on-premises offerings: first for compute, then storage and database, and more recently for virtual desktop. As the public cloud has matured, organizations have migrated more workloads to the cloud to take advantage of the cost and scalability benefits.

On the networking front, Microsoft has been making rapid advances, building out a robust set of capabilities including virtual network peering. They have also laid the groundwork for more sophisticated SDN functionality with their Azure Accelerated Networking implemented on proprietary SmartNIC hardware, which offloads network processing tasks to programmable FPGAs. Impressively, they see this technology providing a pathway to supporting 100 Gbps for virtual machines in the public cloud.

This has brought us to the current point where organizations can perform operations that would have been infeasible just five years ago, rebuilding entire application stacks at the push of a button, for instance. Yet the ability to mirror network traffic, a fundamentally important piece of performance and security monitoring practices in datacenters, has been notably absent in the public cloud. For the most part, that's left IT and Security professionals examining small packet captures for individual hosts using outdated software tools such as tcpdump and Microsoft Network Monitor … until now.

The new Azure Virtual Network TAP fills a conspicuous gap in public cloud computing functionality, enabling organizations to easily tap into the full scale of communications traversing the network. After all, the ability to mirror packets from the network has been around for as long as optical taps and SPAN ports. As to why this function has taken so long to appear in public cloud environments, I can only speculate that it must be difficult to securely mirror traffic while simultaneously supporting multi-tenancy.

3 Reasons Why the Azure vTAP Is Huge for Cloud Security

There are several reasons everyone from security analysts to CISOs should be excited about the Azure Virtual Network TAP:

  1. Mirroring the network traffic obviates the need to install packet-forwarding agents on virtual machines, simplifying traffic acquisition for network-based security and performance monitoring, and eliminating processing overhead and network I/O bandwidth consumption on hosts.

From a security point of view, out-of-band monitoring using mirrored traffic is advantageous because it means that attackers cannot turn off or otherwise tamper with the monitoring, as they can with agent-based solutions and logging. They may not even know that they're being watched! Rob Joyce, head of the National Security Agency's hacker unit, put it this way: "One of our worst nightmares is that out-of-band network tap that really is capturing all the data, understanding anomalous behavior that's going on, and someone's paying attention to it."

  2. Microsoft has made this capability available to its ecosystem of third-party vendors, which is great news for customers because it means more competition and innovation. With the vTAP available for third parties, Microsoft has demonstrated both technical leadership in public cloud computing and a sensitivity to what their enterprise customers are asking for. We hope other public cloud providers follow their lead.

  3. Network packets are the closest you can get to ground truth in IT. As the saying goes, "PCAP or it didn't happen." If you need to prove a performance issue to an application vendor, reverse-engineer a sophisticated network attack, or prosecute an illegal activity, being able to analyze the actual packets is essential.

ExtraHop enables organizations to make the most of their network traffic by extracting wire data in real time and applying machine learning to derive insights, whether for performance monitoring or security analytics. Should customers need packets for forensics purposes, ExtraHop makes it easy to drill down to the precise packets that constitute any particular transaction—a capability that is still needed in the public cloud. Azure Virtual Network TAP makes it much easier to feed network traffic to an ExtraHop appliance.

To sum up, we're incredibly excited to be a launch partner for the Azure Virtual Network TAP. We've already started working with Azure customers to preview the technology and can't wait for general availability in the near future. Kudos to Microsoft for being first to market with virtual network mirroring in the public cloud!
