east-west traffic
What is east-west traffic?
East-west traffic, in a networking context, is the transfer of data packets from server to server within a data center. The term east-west for this type of traffic comes from network diagram drawings that usually depict local area network (LAN) traffic horizontally. In contrast, north-south traffic describes client-to-server traffic that moves between the data center and a location outside of the data center network. North-south traffic is typically depicted vertically to illustrate traffic that flows above or below the data center.
The volume of east-west traffic has grown as a result of virtualization and data center trends, such as converged infrastructure. Network controllers, virtual machines (VMs) and other devices perform various functions and services that previously ran on physical hardware. As these components relay data to each other, they increase traffic on the network, which can cause latency issues that negatively affect network performance. For example, if hosts on one access switch need to quickly communicate with systems on another access switch, uplinks among the access layer and aggregation layer become congested.
To address these issues, many organizations have migrated from traditional three-layer data center architectures to various forms of leaf-spine architectures. The simplicity of a leaf-spine approach is well-suited to handling higher volumes of east-west traffic. Leaf switches consolidate traffic from users and then connect to the spine, which comprises the network core of servers and storage systems.
How to secure east-west traffic
Visibility into east-west traffic is critical for organizations to determine the best security practices for their networks and data centers. While many organizations focus on securing external traffic that enters their networks, it is increasingly important for them to monitor internal traffic patterns for malware that has infiltrated the network and insider threats.
Microsegmentation can significantly reduce the surface available for malicious activity and lessen the effect of an attack on east-west traffic. If the data center is segmented into logical units, data center administrators can tailor unique security policies and rules for each logical unit. This tightly coupled approach eliminates the tedious, error-prone manual configuration processes that often lead to security flaws after a migration.
SDN and east-west traffic
Software-defined networking (SDN) provides another level of control and management to east-west traffic. Organizations that deploy a software-defined network on a leaf-spine fabric can take advantage of the equal nature of each port and also retain the advantages of security zones, traffic engineering and virtual overlay networks. An SDN controller manages edge policies for each port, and policies can be moved with a workload. This makes the fabric more agile and responsive to business needs, making east-west traffic management more efficient.