A very common security requirement in a data center is network path isolation: the traffic of one application or tenant must be kept isolated from the traffic of every other application or tenant. For example, a financial services company may wish to keep the traffic of its insurance department's applications separate from that of its financial services applications. In the past, this was easily achieved through physical separation of network service devices such as firewalls, load balancers, and identity providers, and network monitoring, combined with logical separation in the switching fabric.
As data center architectures evolve toward multi-tenant virtualized data centers, networking services in the aggregation layer of a data center are being consolidated. This development has made network path isolation a critical component for network service devices and is driving the requirement for Application Delivery Controllers (ADCs) to be able to isolate traffic at Layer 4 (L4) through Layer 7 (L7). Furthermore, all the traffic of a particular tenant must go through a firewall before reaching the service layer.