A data processing environment comprises a variety of hardware, software, and firmware networking components. A physical network, also called a data plane or an underlay, is a network of physical components where the actual networking operations are performed and computational workloads are executed.
Techniques are available presently to construct a logical network, also known as a software defined network (SDN) overlay (hereinafter interchangeably, “SDN” or “overlay”), from such networking components. Essentially, networking components are abstracted into corresponding logical or virtual representations, and the abstractions are used to define the SDN. An SDN controller is a component that manages and operates the logical networking components within an SDN.
Hereinafter, any reference to a component within the context of an SDN is a reference to a logical representation of the component, which participates in the SDN. As an example, a reference to a switch in communication with an SDN controller is a reference to a logical representation of the switch—which can be a physical or a virtual switch—that operates in the SDN managed by the SDN controller.
A middlebox is a component used in an SDN to transform, inspect, filter, or otherwise manipulate data packets for purposes other than packet forwarding in the SDN. A switch used in an SDN is not a middlebox because the switch performs the packet forwarding function. A firewall used in the SDN is a middlebox because the firewall inspects packets to determine whether or not to allow the packet into or out of a data network. Some other non-exhaustive and non-limiting examples of middleboxes include proxies, intrusion detection systems (IDS), load balancers, network optimizers, address translation components, and many others.
A service chain is a sequence in which middleboxes are expected to operate on data traffic to enforce or implement a policy or rule. For example, a service chain (also interchangeably referred to herein as a policy chain) may include a firewall middlebox, followed by an IDS middlebox, followed by a proxy middlebox. When this example service chain is implemented correctly, the service chain implements an example policy according to which a data packet in the SDN is expected to be first processed by the firewall, then by the IDS, and then by the proxy before reaching a destination in the SDN.
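The firewall, IDS, proxy chain just described, modelled as an added illustration that is not part of this document. Each middlebox is a function that returns the packet (possibly modified) or drops it, the chain applies them in policy order, and a separate check confirms that a packet's observed traversal matches the policy. The middlebox behaviours, the permitted ports, the IDS signature and the sample packets are constructed assumptions for the example only.

```python
"""Toy model of an SDN service (policy) chain.

Added illustration, not part of the original document. The middlebox
behaviours, packet fields and sample packets below are constructed
assumptions used to show (a) packets traversing middleboxes in the order
the policy prescribes and (b) a check that an observed traversal actually
matches the intended chain.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: str
    # Names of the middleboxes that have processed this packet, in order.
    trace: List[str] = field(default_factory=list)


# A middlebox is a named function: it returns the (possibly modified)
# packet, or None if it drops the packet.
Middlebox = Tuple[str, Callable[[Packet], Optional[Packet]]]

# Constructed policy data (assumptions for the example).
ALLOWED_PORTS = {80, 443}
IDS_SIGNATURES = ("DROP TABLE",)


def firewall(pkt: Packet) -> Optional[Packet]:
    # Allow only traffic to the permitted destination ports.
    return pkt if pkt.dport in ALLOWED_PORTS else None


def ids(pkt: Packet) -> Optional[Packet]:
    # Inline IDS: drop packets whose payload matches a signature.
    return None if any(sig in pkt.payload for sig in IDS_SIGNATURES) else pkt


def proxy(pkt: Packet) -> Optional[Packet]:
    # The proxy rewrites the destination to the backend it fronts.
    pkt.dst = "backend-" + pkt.dst
    return pkt


# The policy chain from the text: firewall, then IDS, then proxy.
POLICY_CHAIN: List[Middlebox] = [("firewall", firewall), ("ids", ids), ("proxy", proxy)]
POLICY_ORDER: List[str] = [name for name, _ in POLICY_CHAIN]


def apply_chain(chain: List[Middlebox], pkt: Packet) -> Optional[Packet]:
    """Run the packet through each middlebox in sequence; stop on a drop."""
    for name, fn in chain:
        pkt.trace.append(name)
        result = fn(pkt)
        if result is None:
            return None
        pkt = result
    return pkt


def chain_respected(expected: List[str], pkt: Packet, delivered: bool) -> bool:
    """Verify that the packet saw the policy's middleboxes in policy order.

    A delivered packet must have traversed the full chain exactly; a dropped
    packet must have traversed a prefix of it (it stops at the middlebox
    that dropped it and never reaches the later ones).
    """
    seen = pkt.trace
    if delivered:
        return seen == expected
    return seen == expected[:len(seen)]


if __name__ == "__main__":
    # Constructed sample packets.
    for pkt in (Packet("10.0.0.5", "web", 443, "GET /"),
                Packet("10.0.0.5", "web", 22, "ssh"),
                Packet("10.0.0.5", "web", 80, "x DROP TABLE y")):
        out = apply_chain(POLICY_CHAIN, pkt)
        print(pkt.dport, "delivered" if out else "dropped", pkt.trace,
              "order ok" if chain_respected(POLICY_ORDER, pkt, out is not None) else "ORDER VIOLATION")
    # A mis-wired chain (proxy first) delivers the packet but violates the policy order.
    wrong = [POLICY_CHAIN[2], POLICY_CHAIN[0], POLICY_CHAIN[1]]
    pkt = Packet("10.0.0.5", "web", 443, "GET /")
    apply_chain(wrong, pkt)
    print("mis-wired chain:", pkt.trace, chain_respected(POLICY_ORDER, pkt, True))
```

The `chain_respected` check is the part worth keeping in mind: a service chain can deliver traffic and still be wrong, because the middleboxes were wired in a different order than the policy requires, so verifying a chain means comparing the observed per-middlebox traversal against the intended sequence rather than only checking that packets arrive.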