Digital_banner

ECMWF’s new IT network and security infrastructure in Bologna

Ahmed Benallegue

 

The planned move of ECMWF’s computing capabilities to a new data centre in Bologna, Italy, presents a unique greenfield deployment opportunity: the installation and configuration of a network where none existed before. This happens very rarely in the lifetime of an organisation. It was therefore vital to design a network and security infrastructure that is both innovative and future‐proof whilst ensuring the best possible performance for the benefit of ECMWF’s Member and Co‐operating States and end users. This article describes briefly the new design and outlines the steps that will be taken to ensure a smooth migration from Reading to Bologna.

Key requirements

ECMWF’s current Network and Security (N&S) architecture in Reading is centred on a multi‐layer core with perimeter security design. It is widely acknowledged that this type of architecture can no longer fulfil the requirements of modern data centres. Therefore, it was decided to introduce a new architecture in Bologna which can quickly adapt to ever‐changing configurations, based on the following requirements:

  • Virtualisation and cloud-native technologies: ECMWF already provides services running in private and public clouds. It is therefore crucial to have an infrastructure that enables the use of and protects all services wherever they are hosted.
  • Scalability, reliability and performance: it is essential to ensure that the network provides reliable connectivity with the highest possible bandwidth whilst being able to expand easily and quickly when required.
  • ‘Defence in depth’: the security challenges raised by modern IT environments require a different cybersecurity approach, in which defensive mechanisms are layered in order to protect valuable data and information.
  • Automation and orchestration: the introduction of management tools will simplify the configuration and monitoring of the N&S infrastructure, giving the capability to operate and configure the infrastructure remotely and enable faster deployment and operation of modern dynamic applications.

The new design

The following are the main architectural elements of the new N&S design:

  • ‘IP Fabric’ architecture: this is a state‐of‐the‐art network architecture for medium‐ and large‐scale data centres comprising two layers: leaf switches, to which systems connect, and spine switches, to which leaf switches connect. This architecture minimises delays and bottlenecks whilst offering greater scalability, reliability and performance.
  • Multi-site topology: two physically segregated IP Fabric networks will be deployed in the new data centre: one in each data hall, thus creating two separate fault domains. This will significantly increase the availability of the resulting services as outages and maintenance sessions will impact only one hall at a time.
  • Security layer: the segmentation of the data centre network into different security zones will offer higher control and visibility of data traffic. In addition, new security defence controls will be introduced to improve the operational security and therefore the ability to prevent and react to internal and external threats.

%3Cstrong%3EHigh-level%20overview%20of%20the%20new%20network%20and%20security%20design.%3C/strong%3E%20An%20IP%20Fabric%20network%20and%20its%20associated%20network%20security%20infrastructure%20is%20deployed%20in%20each%20data%20hall.%20The%20two%20networks%20will%20be%20interconnected%20through%20a%20data%20centre%20interconnect%20link.%20To%20cater%20for%20the%20anticipated%20data%20transfer%20from%20Reading%20to%20Bologna,%20100%20Gbps%20site-to-site%20fully%20redundant%20connectivity%20will%20be%20put%20in%20place%20temporarily.
High-level overview of the new network and security design. An IP Fabric network and its associated network security infrastructure is deployed in each data hall. The two networks will be interconnected through a data centre interconnect link. To cater for the anticipated data transfer from Reading to Bologna, 100 Gbps site-to-site fully redundant connectivity will be put in place temporarily.

Progress to date

Following the formal design validation by ECMWF’s Technical Design Authority in October 2018, the various components of the N&S infrastructure have been procured through multiple invitations to tender. A pilot infrastructure, compromising the main components of the N&S infrastructure, was built at the Reading site and was subjected to a comprehensive set of tests. This resulted in the formal acceptance of the IP Fabric infrastructure on 29 November 2019.

What will happen next?

The N&S pilot infrastructure will be moved to the new data centre in Bologna as soon as the site is ready. In the meantime, work has already started with service and application owners to ensure a smooth transition from Reading to Bologna. The suitable N&S design for each service or application will be defined and subjected to validation tests using the pilot infrastructure. If you are interested in learning more, please feel free to contact Ahmed Benallegue, Leader of the Networks and Security Team (ahmed. benallegue@ecmwf.int).