On-prem storage array management has evolved significantly over the past two decades. However, even new administrative tools and software solutions have failed to make storage arrays easy and simple to manage. This is due to one primary reason: the architecture of storage software. The traditional approach to storage software combines both the I/O path (the “data plane”) and the administrator-facing management layer (the “control plane”) into a single package. Combining the I/O path and the management layer might seem like a good idea in theory, but in reality, it has several drawbacks:
- 75% of the package size might be dedicated to the control plane. This would make software updates 4x larger than required by the data plane alone.
- Control plane code tends to change more frequently than the data plane. The need for frequent updates drives version churn which storage administrators and application owners must manage.
- Enhanced management tools are usually not available until the entire storage OS has been upgraded, which an administrator might be reluctant to do.
- Software release cycles are typically measured in months or more; requested enhancements to the control plane cannot be delivered quickly.
- As versions drift across a large organization, the management experience can diverge depending on which part of the infrastructure is being administered.
The Cloud-Managed Approach
On-prem environments have great strengths: lower cost, enhanced security controls, low application latency, and the potential for high degrees of application customization. These strengths match the requirements of the data plane very well but are less important for the control plane.
With Nebulon Cloud-Defined Storage (CDS), an important design principle for us is the decoupling and separation of the control and data planes. CDS is a cloud-managed, on-premises, server-based storage solution. CDS delivers enterprise data services through the Nebulon Services Processing Unit (SPU), a PCIe card which is controlled and managed through the Nebulon cloud, Nebulon ON.
A cloud-managed design allows Nebulon to release control plane updates on web timescales (e.g. within hours), and to make those updates instantly available across an entire organization.
The Nebulon “Security Triangle”
Before discussing the additional benefits of a cloud-managed approach, let’s pause to address the elephant in the room. Security is the sine qua non of a cloud control plane. In addition to the normal security practices, we have designed a “security triangle” for the Nebulon ON cloud control plane. This system requires commands to reach a Nebulon SPU via the on-prem network before they will be processed, rendering an external attacker unable to control storage inside the enterprise. The security triangle is a complex topic, but in overview:
- An administrator connects to on.nebulon.com from a machine with access to the on-prem network
- The admin initiates an action via the web interface (on.nebulon.com)
- A command is returned from the cloud to the administrator’s browser
- The browser forwards the command to the appropriate Nebulon SPU(s)
- The Nebulon SPU(s) contact the cloud to complete execution of the command
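A toy model of the five steps above, added here as an illustration; it is not Nebulon's code or its actual protocol. The one-time ticket, the HMAC proof, the pre-shared SPU key, the `on_prem` flag (standing in for network reachability) and all class names are assumptions. It shows why a command issued in the cloud does nothing until it reaches the SPU from the on-prem side.

```python
import hashlib, hmac, secrets

def prove(key, ticket):
    # Assumed proof format: HMAC-SHA256 of the ticket under the SPU's key.
    return hmac.new(key, ticket.encode(), hashlib.sha256).digest()

class Cloud:
    """Hypothetical stand-in for the cloud control plane."""
    def __init__(self):
        self.keys = {}      # spu_id -> secret shared at enrolment (assumption)
        self.pending = {}   # ticket -> (spu_id, action), awaiting delivery

    def issue(self, spu_id, action):
        # Steps 2-3: the admin requests an action; a ticket returns to the browser.
        ticket = secrets.token_hex(16)
        self.pending[ticket] = (spu_id, action)
        return ticket

    def redeem(self, spu_id, ticket, proof):
        # Step 5: the SPU calls out to the cloud to complete the command.
        target, action = self.pending.get(ticket, (None, None))
        want = prove(self.keys.get(spu_id, b""), ticket)
        if target != spu_id or not hmac.compare_digest(want, proof):
            return None
        del self.pending[ticket]  # single use: a replayed ticket finds nothing
        return action

class SPU:
    """Hypothetical SPU that accepts tickets only from the on-prem network."""
    def __init__(self, spu_id, cloud):
        self.spu_id, self.cloud, self.executed = spu_id, cloud, []
        self.key = cloud.keys[spu_id] = secrets.token_bytes(32)  # assumed enrolment

    def receive(self, ticket, on_prem):
        # Step 4: the browser forwards the ticket; off-network senders are refused.
        if not on_prem:
            return False
        action = self.cloud.redeem(self.spu_id, ticket, prove(self.key, ticket))
        if action is not None:
            self.executed.append(action)
        return action is not None

def run_demo():
    cloud = Cloud()
    spu_a, spu_b = SPU("spu-a", cloud), SPU("spu-b", cloud)
    ticket = cloud.issue("spu-a", "create-volume")  # constructed sample command
    return [spu_a.receive(ticket, on_prem=False),   # sender outside the enterprise
            spu_b.receive(ticket, on_prem=True),    # ticket sent to the wrong SPU
            spu_a.receive(ticket, on_prem=True),    # the intended path
            spu_a.receive(ticket, on_prem=True)], spu_a.executed  # replay
```

Only the third delivery executes; the cloud never pushes the command to the SPU on its own.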
The Nuts and Bolts of Nebulon ON
The preceding example mentions the on.nebulon.com graphical web interface, but administrators need not use it. The web interface is built on top of a public GraphQL API which is available for infrastructure automation. Nebulon provides SDKs which make integration with this API easier for several popular languages, e.g., C#, Go, and Python. The single cloud-based endpoint simplifies enterprise-wide fleet management.
Separating the control plane from the hardware facilitates management operations in other ways. When setting up a new system the control plane is already available; the new hardware need only be connected to the network for discovery and configuration. During OS upgrades the control plane is not disrupted, which means it can manage the upgrade without upgrading itself. Lastly, our role-based access control (RBAC) system allows administrators to delegate scoped rights to other users to perform tasks as needed.
AI-Assisted Administration, API-Driven Automation, Universal Insights
Moving the control plane to the cloud allows Nebulon to leverage global telemetry to enhance the administrative experience. Our VP of Customer Satisfaction, Frank Lucero, recently wrote about our Predictive support model, which forecasts developing problems and provides steps to head them off. Nebulon ON, our cloud-based control plane, allows us, where appropriate, to build those steps into the control plane itself; an alert can be paired with a dynamic “click here to resolve” action. Global data is also used when configuring an nPod. Our control plane eases setup through curated application templates, which automatically configure an nPod given a set of SPUs in application server clusters and an intended workload. These templates are informed by, and evolve in response to, the operational data collected by the cloud.
While it wasn’t an obvious choice to put the control plane for an on-prem system in the cloud, we’ve found it instrumental in the delivery of a dynamic and useful self-service administrative experience for Cloud-Defined Storage.