BlueAlly is a Red Hat Advanced Business Partner focusing on network and cloud automation using Red Hat Ansible Automation Platform. In May of 2023, the BlueAlly Consulting team was invited to the Cisco Federal Innovation Challenge (CFIC) hosted at the GSA Workplace Innovation Lab 1 in Washington, DC.

The goal of the CFIC is to bring together ideas to accelerate modernization across the federal and defense landscape. The focus is NetDevOps, IT modernization, telemetry and visualization.

The team's solution is an extensible architectural framework based on streaming services and Event-Driven Ansible.

Addressing challenges facing network managers

Network managers are often burdened with proving "it's not the network" when applications exhibit poor performance. Increasingly, DevOps principles are fostered in network operations. Among them is the practice that "metrics should be visible" to all stakeholders. 

While commercial software solutions are available to monitor application performance, processing and analyzing logs from routers, firewalls and servers is costly due to the sheer volume of data. We need to rethink our approach to data, particularly in relation to IT operations.

Given the severity of data overload and the need to adopt AIOps, organizations should consider investing in the role of a visibility architect to secure, manage and enable access to the organization's telemetry data.

Networks contain a wealth of information that is beneficial to stakeholders outside network operations. Network management at scale benefits from adopting a service-oriented architectural style consisting of small, highly extensible, independent components.

The visibility architect must consider how to design, develop and implement in-house remedies using open source solutions and custom code.

BlueAlly's contribution to the Cisco Federal Innovation Challenge (CFIC)

The BlueAlly Consulting solution highlights how Event-Driven Ansible integrates with an event streaming service (Kafka in Confluent Cloud), a bespoke Python Kafka publisher and a control plane configuration managed by GitHub.

BlueAlly customers are increasingly interested in scaling their network management practices by implementing event streaming services. Kafka is often the preferred choice, as it combines the aspects of a messaging system and a database. Telemetry events are accessible to a wide range of infrastructure management systems and offer the functionality of a replay log for forensic analysis.

Confluent Cloud is utilized as a simple yet robust Kafka implementation enabled in minutes via a web browser to facilitate a rapid prototype.

Event-Driven Ansible

Event-Driven Ansible enables automation scenarios in infrastructure domains, including network, infrastructure, DevOps, security and CloudOps. It is available in Ansible Automation Platform 2.4.

At the core of Event-Driven Ansible is a rulebook (example) that applies "if-this-then-that" operational logic to the events it receives. Event source plugins are available for receiving events (via a Kafka topic or webhook, for example). These plugins must be implemented using a Python asynchronous I/O (asyncio) library to enable concurrency in the code.

The rulebook definition specifies the source of the event (by defining the configuration of the event source plugin) and a rules section that specifies the condition(s) and actions. Typically, the action is an Ansible Playbook. Common playbook tasks open or update a ticket in the IT Service Management (ITSM) system, collect additional information from the system, trigger events, or invoke basic commands to remediate the issue.
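The sketch below is an added example, not code from the BlueAlly repository or the ansible.eda collection. It shows the asyncio shape of an event source plugin, the `main(queue, args)` coroutine that ansible-rulebook calls, and drops malformed telemetry before it can reach a rule condition. The in-memory feed, the `delay` argument, the size cap and the `body`/`meta` event layout are assumptions made for illustration.

```python
import asyncio
import json
from typing import Any, AsyncIterator, Dict, List, Optional

MAX_BYTES = 16_384  # assumed cap on a single telemetry message


async def constructed_feed(delay: float) -> AsyncIterator[bytes]:
    """Stand-in for a Kafka consumer; every payload below is constructed."""
    for raw in (
        b'{"mac": "aa:bb:cc:00:11:22", "vlan": 20, "network": "branch-1"}',
        b"not json",
        b'["a", "list", "not", "an", "object"]',
        b'{"mac": "aa:bb:cc:00:11:33", "vlan": 30, "network": "branch-2"}',
    ):
        await asyncio.sleep(delay)  # yield to the loop, as awaiting a broker would
        yield raw


def decode(raw: bytes) -> Optional[Dict[str, Any]]:
    """Return the message as a dict, or None when it must be dropped."""
    if len(raw) > MAX_BYTES:
        return None
    try:
        data = json.loads(raw.decode("utf-8"))
    except (ValueError, RecursionError):  # bad UTF-8, bad JSON, absurd nesting
        return None
    return data if isinstance(data, dict) else None  # rules expect key/value facts


async def main(queue: asyncio.Queue, args: Dict[str, Any]) -> None:
    """Entry point in the shape ansible-rulebook calls for a source plugin."""
    dropped = 0
    async for raw in constructed_feed(args.get("delay", 0)):
        data = decode(raw)
        if data is None:
            dropped += 1  # count rejects so they can be surfaced, not silently lost
            continue
        await queue.put({"body": data, "meta": {"dropped_so_far": dropped}})


def run_once() -> List[Dict[str, Any]]:
    """Drive the plugin the way a test harness would and return queued events."""
    async def _collect() -> List[Dict[str, Any]]:
        queue: asyncio.Queue = asyncio.Queue()
        await main(queue, {"delay": 0})
        return [queue.get_nowait() for _ in range(queue.qsize())]
    return asyncio.run(_collect())
```

Only the two well-formed objects reach the queue; a rule condition written against `event.body` never sees the rejected payloads.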

Kafka publisher agent

The BlueAlly submission examines a security automation use case: searching for a client machine in a cloud-managed network. To minimize the volume of data, the Kafka publisher logic includes a configurable control plane defining filter criteria for the device metadata before publishing to the Kafka topic. This filtering logic addresses the problem of overwhelming the consumer with the sheer volume of data to analyze.

The control plane consists of a filter definition stored in a remote GitHub repository (example). The end-user, a Security Operations Center (SOC) analyst, can clone and commit changes to the filter definition using Git. The publishing agent uses the filter to limit the amount of data written to the streaming service.   

Figure 1: Publisher Control Plane

The Python publishing agent is based on a prototype demonstrated at the Programmability and Automation Meetup "Introduction to network telemetry using Apache Kafka in Confluent Cloud." This repository is on the Cisco DevNet Code Exchange.
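One way the publisher-side filtering described above could work, as an added example rather than the code in the BlueAlly repository. Because the filter definition is edited through Git commits, the sketch validates each new definition and keeps the last good one when a commit is malformed; the JSON layout, the field names and the size cap are assumptions, and the client records are constructed.

```python
import json
from typing import Any, Dict, Optional, Set

# Assumed filterable metadata keys and size cap; neither comes from the BlueAlly repo.
ALLOWED_FIELDS = {"mac", "ip", "os", "vlan"}
MAX_VALUES = 100

def norm(field: str, value: Any) -> str:
    """Canonical form for comparison; MAC separators and case are ignored."""
    text = str(value).strip().lower()
    if field == "mac":
        text = text.replace(":", "").replace("-", "").replace(".", "")
    return text

def parse_filter(text: str) -> Optional[Dict[str, Set[str]]]:
    """Validate a committed filter definition; None means reject it."""
    try:
        doc = json.loads(text)
    except (ValueError, RecursionError):
        return None
    # An empty filter would match every client, so it is rejected as well.
    if not isinstance(doc, dict) or not doc or set(doc) - ALLOWED_FIELDS:
        return None
    parsed: Dict[str, Set[str]] = {}
    for field, values in doc.items():
        if not isinstance(values, list) or not 0 < len(values) <= MAX_VALUES:
            return None
        if any(isinstance(v, bool) or not isinstance(v, (str, int)) for v in values):
            return None
        parsed[field] = {norm(field, v) for v in values}
    return parsed

def reload(active, text):
    """Swap in a new definition only if it validates; otherwise keep the last good one."""
    new = parse_filter(text)
    return active if new is None else new

def select(records, flt):
    """Records matching every filter field; with no valid filter nothing is published."""
    if not flt:
        return []
    return [r for r in records
            if all(f in r and norm(f, r[f]) in allowed for f, allowed in flt.items())]

# Constructed client metadata, shaped loosely like a cloud dashboard export.
CLIENTS = [
    {"mac": "AA-BB-CC-00-11-22", "ip": "10.1.20.15", "os": "Windows 11", "vlan": 20},
    {"mac": "aa:bb:cc:00:11:33", "ip": "10.1.30.9", "os": "Linux", "vlan": 30},
    {"ip": "10.1.20.77", "os": "Windows 11", "vlan": 20},  # record with no MAC
]
```

Rejecting the empty definition matters as much as rejecting the malformed one: a filter with no criteria would otherwise pass every client record to the topic.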

Actionable intelligence

Event-Driven Ansible creates actionable intelligence for the SOC analyst by adding artifacts with the filtered information to a security incident in Splunk SOAR. The extensibility of Ansible Automation Platform is demonstrated through a playbook, rulebook and Ansible Content Collection (https://github.com/netcraftsmen/cfic) that listens for Kafka messages with Event-Driven Ansible, then invokes a playbook and module to update the SOAR ticket.

Wrap up

While commercial Application Performance Managers (APM) and log aggregation and analysis tools are commonly used to visualize and troubleshoot network and application performance, making metrics visible to all is increasingly important to stakeholders. BlueAlly believes that organizations should consider a greater emphasis on the value of network telemetry data by defining the role of the visibility architect. This position focuses on evolving network management to incorporate event streaming with a service-oriented approach. 

With minimal software development effort and solutions like Event-Driven Ansible, organizations can minimize the volume of data to be analyzed by intelligent selection through a dynamic, user-configurable control plane.

For additional information on this or other BlueAlly solutions, reach out by email at contact@blueally.com or the contact page at www.blueally.com/contact.


About the author

Joel King began his career as a programmer, transitioned to network engineering, then wrote several design guides introducing QoS-enabled, IPsec-encrypted voice and video to the industry, and has two patents in this area. He developed reference architectures on big data and video surveillance storage. He is currently focused on infrastructure automation and programmable networks.
