What is the problem?
DevOps teams have exponentially increased their ability to deploy applications in a short span of time. However, the bottleneck is the network access space, which is not automated enough to keep up with the change demands of a DevOps world.
A typical example is a firewall request, which normally takes 3-5 days to get implemented, and with incorrect inputs from the customer, it takes forever with approvals and whatnot. A DevOps environment can fire up to 1000 firewall requests. Traditional firewall teams cannot handle that volume without some sort of automation. Firewall rule requests are not complex for no reason: the impact of an incorrect rule placement can be disastrous. When not cleaned up, firewall rules can overload the firewall and cause a lot of shadow rules to be created, which become unmanageable beyond a point. One of the most common requests is for a server in the dev network needing access to the Internet. This is the quintessential problem.
AppViewX is the solution:
AppViewX provides a self-service platform to tackle both enabling and disabling internet access to servers in an organization regardless of the geographical location and manages firewall devices in those locations. This solution also keeps track of the access period and disables the access when the permitted duration is over.
How does AppViewX do it?
Device Inventory: AppViewX maintains a Device Inventory to manage all firewall devices by fetching their configurations, processing them, and storing them in the database. Thereafter, any change on any number of devices can be done from a single pane of view.
Collection: AppViewX maintains two collections to store the mapping of all rules created, along with the expected lifetime of each rule.
1. Mapping of the firewall location, along with the firewall specific information: Whenever a user requests internet access for a server, a firewall access rule will be created in the firewall of the respective location.
2. An entry for every internet access request that is granted, along with the request details. This helps avoid duplicate requests for the same server and is also used when disabling access for a server.
AppViewX’s Service Orchestration and Automation Solution
AppViewX, a Service Orchestration and Automation Platform (SOAP), automates this sequence of operations through its Visual Workflow capability. The Visual Workflow in this case starts with a user interface form in which the user fills in the details of the access request. The platform then talks to the respective firewall through its API to create a rule, makes an entry of the request details in the collection, and sends a notification email to the end-user. AppViewX also revokes the internet access at the end of the requested duration.
Visual Workflow Sequence:
Once the visual workflow is triggered to run, the following actions take place.
- The Internet Access Details form appears, in which the user has to input the server details, duration, and a justification. Requests for multiple servers in multiple locations can be made in a single go by adding them to the table.
- Once the user submits the form, the workflow request then goes to the System Administrator team for approval, which is notified by an email. The system administrator can either approve or reject the request and can modify the access duration requested by the user based on the necessity.
- Once the System Admins submit the form, the Internet Access Allowance Process occurs during which AppViewX talks with the respective location firewall and creates rules on them to allow the server to access the Internet.
- If the implementation process is successful, a notification email is sent to the requestor stating the access details, and a summary palette is shown at the end that summarizes the status of the internet access request for every single server when multiple requests are made at a time.
- If the implementation goes wrong and fails due to any technical reason, a failure notification email will be sent to the requestor along with the reason for failure.
- Along with the provisioning workflow, a scheduled workflow runs every day at a specified time to check if any access requests expire that day. If it finds any, it talks to the respective firewall and deletes that particular rule, which will eventually disable the internet access.
Thus, an internet access request for multiple servers in multiple locations can be provisioned in a single go, which can get completed in minutes. This automation solution provided by AppViewX reduces the pain point of accessing every firewall manually and creating rules on them, which can even take hours. This greatly reduces the risk posed by creating multiple rules as AppViewX decides the rule placement in an automated fashion and keeps track of the thousands of rules created. It thereby handles the housekeeping effectively since it knows the need is temporary and cleans up the needless rules.
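The bookkeeping behind the workflow above can be sketched as follows. This is an added example, not AppViewX code: `FakeFirewall`, `AccessBroker` and the site and server values are constructed stand-ins. It goes slightly beyond the text by also revoking overdue entries and by keeping an entry when the firewall delete fails, so a missed sweep never leaves a rule open.

```python
from datetime import timedelta

class FakeFirewall:
    """Constructed in-memory stand-in for one location's firewall API."""
    def __init__(self):
        self.rules, self.fail_delete, self._next_id = {}, False, 0
    def create_rule(self, server_ip):
        self._next_id += 1
        self.rules[self._next_id] = server_ip
        return self._next_id
    def delete_rule(self, rule_id):
        if self.fail_delete:
            raise ConnectionError("firewall unreachable")
        self.rules.pop(rule_id, None)

class AccessBroker:
    def __init__(self, firewalls):
        self.firewalls = firewalls  # collection 1: location -> firewall
        self.grants = {}            # collection 2: (location, server) -> entry

    def grant(self, location, server_ip, days, today):
        key = (location, server_ip)
        if key in self.grants:
            return "duplicate"      # an active grant already covers this server
        if location not in self.firewalls or days < 1:
            return "rejected"
        rule_id = self.firewalls[location].create_rule(server_ip)
        # Record the entry only after the rule exists, so every entry
        # maps to a real rule that the sweep can later delete.
        self.grants[key] = {"rule_id": rule_id,
                            "expires": today + timedelta(days=days)}
        return "granted"

    def sweep(self, today):
        """Daily job: delete rules whose access period is over."""
        revoked, failed = [], []
        for key, entry in list(self.grants.items()):
            if entry["expires"] > today:
                continue
            try:
                self.firewalls[key[0]].delete_rule(entry["rule_id"])
            except ConnectionError:
                failed.append(key)  # keep the entry so the next sweep retries
                continue
            del self.grants[key]
            revoked.append(key)
        return revoked, failed
```

The `failed` list is what an operator would alert on: each item is a server whose access period is over but whose rule is still live on the firewall.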