Generic selectors
Exact matches only
Search in title
Search in content
Post Type Selectors

Blog Series Part I: A View of Policy Enforcement Within A Data Center

Hmmm..Yes, we designed it this way

As a relatively new Nuage employee, I was thrilled to have stumbled upon the great finding that VSD supports multilayer compliance enforcement. Very quickly, my esteemed colleagues informed me that ‘Yes, indeed we designed it this way.’

The definition of roles and responsibilities is important for policy enforcement, compliance, and audit. However, the responsibilities for these roles can overlap depending on the enterprise.

Part one of my multi-part blog tries to identify these different roles within a data center. Eventually, the fun part is to tie it back to the actual implementation of policy compliance or enforcement and the flexibility that a policy engine should provide.

The design of the enforcement point or policy engine is important since it needs to model this overlap. Rigidity destroys agility and introduces complexity – and this is contradictory to the way in which newer, next generation, virtualized data centers are meant to operate.

So, who are all these people?

Discussions with various customers and external teams has made it clear that there are several teams that are involved in setting up or enforcing policy for work-loads within the data center. The roles of these team members can vary greatly and the responsibilities can also overlap in many cases.

User Story One

User: Organization administrator

Goal: Create a Policy template for the entire organization


  • Manages all policy for the entire organization such as networking boundaries, ACLs, QoS rules, statistics collection rules
  • Creates users and groups for the each department or tenant, in the case of Cloud Service Provider


User Story Two

User: Network administrator (could be the same as organization administrator)

Goal: Create a network for use by the application developer group


Create an instance of the policy template that was defined by the organization administrator (user story one) above.

The following actions are applicable only if additional policies are required on the instantiation of the template. These are unique to this tenant.

  • Specify additional ACLs between zones and subnets if required
  • Specify additional QoS policies, statistics and analytics rules if applicable
  • Create individual groups and users

User Story Three

User: Security administrator (similar to network administrator but oversees security policy)

Goal: Administrator or manage network policy and groups or users


Create or administer ACL, QoS, Statistics collection policy on the original template or add additional rules to the instantiated policy per tenant.

Create or administer groups, users, and permissions

User Story Four

User: Enterprise IT administrator/Service Chaining administrator has similar permissions as the network administrator

Goal: Create to service chain template that specifies the applications, service insertion points, and service appliances. This provides a template policy for the application developer  who can then instantiate an application that uses this policy.


  • Define policies that specify the interactions of application and services
  • Responsible for creating a services template:

Involves the creation of the applications and services template. Insert application and service appliances (virtual or physical).

  • Specify policies and rules of connectivity between applications.

User Story Five

User: Application developer

Goal: Create virtual machines instances for specific applications


  • Application developer creates a virtual machine for the application using a Cloud Management System (Orchestration)
  • Use the service template determined by the IT operator or administrator above
  • Application developer can define also define new policies for connectivity between applications if needed

In conclusion, it would be smart for a policy engine to support workflows that are flexible to accommodate the above role descriptions. The ultimate goal is for the application developer to have access to services in a service category within minutes or seconds of her request. So, the question is how should a policy engine or enforcement point operate to provide this flexibility, agility, and speed within the data center?

Thanks for reading this post.  Please keep an eye out for the rest of this blog series!

Follow me on Twitter: @shi_sha

Thanks for reading!


The Nuage site uses cookies. By using this site, you are agreeing to our Privacy Policy.