Case Study

How a large investment bank simplified its network security with Consul

Hear how a large investment bank used Consul to help decommission roughly 8,000 firewall rules and over 1,300 virtual IPs.

Transcript

A large investment bank that's a customer of ours had a specific challenge, and that challenge was: How do we move applications quicker to production? This seems like a pretty easy ask, well, deploy them quicker. But in large investment banks, that's not the easiest thing. Really, many large companies in the Global 2000 don't find this to be very easy, either. It's not because you can't easily deploy an application. We can stand up a Kubernetes cluster and deploy it quickly. We can stand up a Nomad cluster, deploy it quickly. I could SSH onto a server and throw a binary on there and I have an application running.

The challenge is how this application talks to all the other applications that it needs to talk to. As we move from this world of monoliths to microservices, there are more and more applications that are out there that are needing to talk to each other. They talk to each other through the network and that means many different ports and many different firewall rules that need to be established. In the private data center, where you have this castle and moat approach, that's not as big of a deal, but as you move to a cloud or many clouds, the network becomes unbearable.

Managing all these different firewall rules, managing all of these different network constraints—that's where our security really was—became so much of a challenge that it took maybe a month to create an application. But to actually get that in production, it meant that you need to open up all of these different ports. And when you manage all those firewall rules on a spreadsheet, and you model that off of an Excel spreadsheet, it becomes very difficult for you to actually roll that application out.

What this company challenged us with is, "How do we solve this problem?" And we happen to have a tool named Consul that solves this exact problem. It's a service discovery tool where you can register your services into its catalog and use very simple interfaces like DNS or an API to be able to consume where those healthy services are. By leveraging a tool like Consul to not just register the services, but also consume those services, they no longer needed to manage all the complex firewall rules and VIPs (virtual IP addresses) that were used in the past.

So they were actually able to decommission 8,000 firewall rules, over 1,300 VIPs, and with that, we're able to actually move quicker. They were able to be more agile with the different applications that they were rolling out there. They got to get rid of many load balancers that were how they managed service discovery in the past, which is an okay solution, but if you're trying to move quickly, you need to update things dynamically and in a way that applications that go unhealthy are no longer discoverable. So, by leveraging Consul, this company was able to not just move quicker but also save on a lot of the costs that they were managing through hardware in the past.
