Migration, consolidation, virtualization, data center relocation, and cloudification are examples of large-scale coordinated changes to an organization's information technology (IT) infrastructure. These changes may pertain to servers, services, or applications. As used herein, these and similar tasks are collectively referred to as “IT transformation.” Also, the original IT infrastructure is referred to herein as the source infrastructure or source environment, and the new IT infrastructure is referred to as the target infrastructure or target environment. The source and target IT infrastructures may be physical or virtual, may include the same or different server/device platforms, and may be located in a traditional data center, a server rack, or even the cloud. During many such activities, a requirement is that components that were able to communicate in the source environment should also be able to do so in the target environment. For example, it may be required that a set of clients that were previously able to communicate with a server in the source environment should also be able to do the same with the migrated server in the target environment.
Some transformation activities may also involve optimization of security and communications. In such scenarios, some communications that were allowed in the source environment may be identified either as security holes that need to be eliminated or as no longer necessary in the target environment. Likewise, new applications may be introduced in the target environment, and, as a result, new communications that did not exist in the source environment may need to be introduced in the target environment.
Accordingly, in IT transformation activities, the network device infrastructure (which includes routers, firewalls, switches, etc.) may need to be configured such that the communication patterns of the source environment, less the patterns being eliminated and plus the patterns being introduced, are represented in the target environment. After the network device infrastructure has been configured, checks are performed to ensure that communication patterns that need to be permitted are indeed permitted. Similarly, checks are performed to ensure that communication patterns that need to be blocked are indeed blocked.
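The check described above can be made mechanical rather than manual. The following is an added illustration, not code from this document: it derives the required communication matrix (source flows translated to target addresses, minus the retired flows, plus the new ones) and evaluates every required flow against a target firewall ruleset under first-match semantics with an implicit default deny. All flows, address mappings and rules below are constructed sample data, and the ruleset deliberately contains two mistakes (an over-broad source prefix and a port typo) so that both kinds of finding, a required flow that is blocked and a retired flow that is still permitted, appear in the output.

```python
"""Verify a target-environment ruleset against a required communication matrix.

Added example; the data below is constructed and not taken from any real deployment.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str    # single IP address
    dst: str    # single IP address
    proto: str  # "tcp", "udp" or "icmp"
    dport: int  # destination port (0 for icmp)


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    src: str      # CIDR prefix
    dst: str      # CIDR prefix
    proto: str    # "tcp", "udp", "icmp" or "any"
    ports: tuple  # inclusive (low, high); (0, 65535) matches any port

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and self.proto in ("any", f.proto)
                and self.ports[0] <= f.dport <= self.ports[1])


def evaluate(rules, flow, default="deny"):
    """First matching rule wins, as on ACL-style devices; unmatched traffic hits the default deny."""
    for r in rules:
        if r.matches(flow):
            return r.action
    return default


def translate(flow, addr_map):
    """Map a source-environment flow onto target addresses; unmapped hosts keep their address."""
    return Flow(addr_map.get(flow.src, flow.src),
                addr_map.get(flow.dst, flow.dst), flow.proto, flow.dport)


def required_matrix(source_flows, addr_map, removed, added):
    """Required permits: translated source flows, minus retired flows, plus new ones.
    Required blocks: the retired flows, which must no longer work in the target."""
    must_permit = ({translate(f, addr_map) for f in source_flows} - set(removed)) | set(added)
    must_block = set(removed)
    return must_permit, must_block


def check_policy(rules, must_permit, must_block):
    """Return (required flows the ruleset blocks, retired flows the ruleset still permits)."""
    wrongly_blocked = [f for f in must_permit if evaluate(rules, f) != "permit"]
    wrongly_permitted = [f for f in must_block if evaluate(rules, f) != "deny"]
    return wrongly_blocked, wrongly_permitted


# Constructed sample: flows observed in the source environment (e.g. from flow logs).
SOURCE_FLOWS = [
    Flow("10.1.0.5", "10.1.1.10", "tcp", 443),    # client -> web application
    Flow("10.1.1.10", "10.1.1.20", "tcp", 5432),  # web application -> database
    Flow("10.1.0.5", "10.1.1.20", "tcp", 5432),   # client -> database directly (a security hole)
]
# Constructed readdressing of the migrated hosts (source address -> target address).
ADDR_MAP = {"10.1.0.5": "10.2.0.5", "10.1.1.10": "10.2.1.10", "10.1.1.20": "10.2.1.20"}
# Flows to eliminate and to introduce, expressed in target addressing.
REMOVED = [Flow("10.2.0.5", "10.2.1.20", "tcp", 5432)]   # direct client -> database access retired
ADDED = [Flow("10.2.3.7", "10.2.1.10", "tcp", 9100)]     # new monitoring collector -> web application

# Constructed target ruleset, with two deliberate configuration mistakes.
TARGET_RULES = [
    Rule("permit", "10.2.0.0/24", "10.2.1.10/32", "tcp", (443, 443)),
    Rule("permit", "10.2.0.0/16", "10.2.1.20/32", "tcp", (5432, 5432)),  # too broad: the whole /16 reaches the DB
    Rule("permit", "10.2.3.0/24", "10.2.1.10/32", "tcp", (9101, 9101)),  # port typo: 9101 instead of 9100
]


def run_check():
    must_permit, must_block = required_matrix(SOURCE_FLOWS, ADDR_MAP, REMOVED, ADDED)
    return check_policy(TARGET_RULES, must_permit, must_block)


if __name__ == "__main__":
    blocked, permitted = run_check()
    for f in blocked:
        print("required flow is BLOCKED  :", f)
    for f in permitted:
        print("retired flow is PERMITTED :", f)
```

Running the script reports the monitoring flow on port 9100 as blocked (the rule was written for 9101) and the retired client-to-database flow as still permitted (the /16 source prefix swallows the client subnet). Both findings point at the exact rule to correct, which is the information the manual trial period described below fails to provide; a real deployment would feed the flow list from flow records or the source ACLs and the ruleset from the device configuration rather than from inline constants.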
In existing approaches, such checks are performed in a manual, ad hoc, and passive fashion. A commonly used approach involves a trial period after migration and setup of the network device infrastructure in the target environment, but before switching the target environment to production mode. During this trial period (which can last, for example, a few months), migration engineers and/or network administrators wait to hear complaints from trial users that a certain application is not reachable or is not functioning as it did previously. Upon hearing such complaints, the engineers and/or administrators begin a manual and time-consuming process of fixing the reported problem. This presents several challenges, because it may not be clear which device configuration needs to be updated to fix the problem, and because only communications that a trial user happens to exercise and report are checked at all. Additionally, once the problem is presumed fixed, the trial period may have to be extended, resulting in further costly delays.