Group-Based Policy: Using Intent to Manage Infrastructure

by Mike Cohen

As demands increase for speed, scale, security, agility, and flexibility in cloud environments, a policy driven approach is quickly becoming an important area of development in the open source community. Today’s cloud infrastructure is often overwhelmed by inputs from different teams with differing objectives: developers who want to quickly and easily deploy their applications, infrastructure teams who need to deliver on operational requirements, and business teams looking to impose governance, cost, or compliance constraints.  The end result is a system that muddles what the application owner wants with how the infrastructure actually works.  This lies at the root of many of the problems that make cloud environments hard to build, operate, and scale.

New approaches to policy-driven infrastructure aim to change this status quo by separating user intent from the procedures through which that intent is implemented.  To do this, it’s necessary to introduce a new taxonomy designed to capture the requirements of applications in a way that is separate from the infrastructure behind it.  One such language that is maturing within the open source community is Group-Based Policy (GBP).  While GBP is initially targeted at networking use cases, its approach can be generalized across storage and compute as well.



GBP introduces a number of powerful abstractions that can be used to model application requirements.  The most fundamental of these abstractions is the notion of Groups.  In GBP, a Group represents a set of network endpoints that have the same policy and should be treated the same way.  GBP also introduces Policy Rules Sets, which can be used to connect different Groups without knowledge of infrastructure details such as VLANS, tunnel IDs, etc.   The GBP model also supports a redirect operation that makes it easy to abstract and consume complex network service chains and graphs.


GBP was designed to offer a new way of capturing user intent and offers a number of important advantages over the way infrastructure is configured today.  First and most importantly, it is simple to use without requiring deep knowledge of how infrastructure actually works.  GBP also was designed to make applications faster to deploy and easier to automate.  Since user intent is preserved and kept separate from infrastructure requirements, it can be programmatically rendered in a flexible way in any environment.  GBP also offers separation of concerns between application owners and operators by giving each a mechanism to specify requirements in an abstract manner.  Finally, it offers a self-documenting language that can serve as a record of the underlying user intent of an application before it is implemented as a mix of specific configurations and protocols.

The focus on separating user intent from infrastructure is an important new insight into how cloud environments should be run.  To drive forward this approach, Group-Based Policy is currently being developed for both OpenStack and OpenDaylight by a community of developers including Big Switch Networks, Cisco, HP, IBM, Juniper, Midokura, Nuage, One Convergence, and Red Hat.


To learn more about GBP for OpenStack:


To learn more about GBP for OpenDaylight:


Author: Mike Cohen


Mike Cohen is Director of Product Management at Cisco Systems where he leads a team focused on developing open source policy-based solutions.  Mike began his career as an early engineer on VMware’s hypervisor team and subsequently worked in infrastructure product management on Google and Big Switch Networks.  Mike holds a BSE in Electrical Engineering from Princeton University and an MBA from Harvard Business School.

Author's Bio

Guest Author