Bayware Solution

Application Centricity

Accelerating digital transformation and rapidly changing customer requirements compel enterprises to continuously add and enhance applications. Enterprises are transforming how they develop and deploy applications, leveraging cloud-native principles and microservice architectures to enhance agility, improve time to market, and get lean.

As they modernize, enterprises want to exploit the benefits of multicloud deployments, control communication flows wherever an application runs, and maintain private-cloud levels of security. Today’s complex networking solutions limit their ability to do this. Enterprises need an application-centric communication environment that delivers programmability, observability and security while the underlying infrastructure remains general purpose.

Intent Based Networking

Bayware is a connectivity-as-code architecture that gives every application its own secure overlay network, all in software. This fit-for-purpose solution introduces the programmable service graph, in which each application service initiates and controls its own programmable communication flows, enabling the long-promised intent-based networking.

Bayware radically simplifies the interface between an application and underlying networks. This accelerates continuous deployment of application services by eliminating constraints imposed by managing network configurations, and securely serves each application’s data communications needs as they change and move across any cloud.

Service Interconnection Fabric

Bayware’s connectivity-as-code approach uniquely enables direct programming of application data flows in software. This service interconnection fabric (SIF) is the first secure, programmable application service graph.

A service graph represents application services as nodes and network connectivities as edges. While the nodes are software by definition, Bayware extends that to the edges with programmable connectivities. As secure, simple-to-program, lightweight communication contracts, these programmable connectivities deploy with application workloads and provide an unprecedented level of control and agility in heterogeneous hybrid and multi-clouds.

Bayware service interconnection fabric is a suite of distributed software components that run on standard x86 Linux machines and operate securely on top of any virtual or physical infrastructure.


Fig. 102 SIF: Programmability, Observability and Security

How Bayware Works

Basic Principles

Bayware created and patented a connectivity-as-code architecture with microcode communication contracts. Each contract is programmable and can be designed and approved by networking and security professionals. Microcode is carried from the workloads in the packet headers, using standard IPv6 header extensions. Software processors execute the contract, which steers packets through the overlay network as desired.

With Bayware, provisioning of service-to-service communication is easy:

  1. Based on the service graph, program application intent and network policy as microcode communication contracts, simply by adding application labels to the desired flow pattern from a library of contract types.
  2. Deploy lightweight Linux daemons (agents) on workload hosts. The agents retrieve authorized contract roles and insert them as highly compact microcode into IPv6 packet extension headers in response to applications.
  3. Provision a fabric of processor software (on Linux x86 machines) in target public and private clouds to securely execute service-to-service connectivity only as authorized by received microcode.

Three-Part Solution

Bayware’s service interconnection fabric is a three-part solution:

  • Bayware introduces new technology that captures connectivity policy based only on data available from an application and produces executable microcode.
  • This executable code is utilized within a new service discovery framework to create network microsegments in accordance with connectivity policy.
  • Bayware implements a datapath where packet forwarding decisions are based on the authentication and authorization of application flows over network microsegments.

Fig. 103 Connectivity Policy, Service Discovery, Policy-Based Forwarding

Bayware’s solution, in a nutshell, works in the following steps:

  1. Connectivity Policy. Bayware’s patented technology converts application connectivity policy (step 1a in diagram) into short, executable programs that carry application names, their roles, and rules. The Policy Controller stores these programs and allows service instances to request them (step 1b). As such, connectivity policy is inherently infrastructure-agnostic, multicloud ready, portable, and easily implemented from within application deployment code.
  2. Service Discovery. The Policy Agent, installed on compute resources, requests application connectivity policy from the Policy Controller on behalf of application services (step 2a). The Policy Agent sends the connectivity policy, in the form of executable microcode marked with a policy identifier, into the network in special packets used by the Policy Engines to create packet processing rules (step 2b). In this way, while traditional service discovery simply returns IP addresses to application services, Bayware’s solution additionally establishes end-to-end network microsegments between communicating application services.
  3. Policy-Based Forwarding. When the application service sends data packets, the Policy Agent marks the packets with policy identifiers (step 3a). As packets arrive, the Policy Engine authenticates and authorizes them against the set of installed processing rules, dropping packets that fail and forwarding the others (step 3b). By doing this, Bayware’s solution ensures no connectivity exists between application services that was neither specified in step 1 nor requested in step 2.
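
The three steps above can be modeled as a default-deny lookup. The sketch below is an added conceptual example, not Bayware code or its API: the class names, the "web-db" contract, the policy-identifier format and the addresses are all constructed for illustration, and it models authorization only (cryptographic authentication of packets is omitted).

```python
from dataclasses import dataclass, field

@dataclass
class PolicyController:
    contracts: dict   # contract -> {role: roles it may send to}
    grants: set       # (service, contract, role) a service may request

    def request(self, service, contract, role):
        # Step 1b: release microcode only for an authorized role.
        if (service, contract, role) not in self.grants:
            return None
        return {"policy_id": f"{contract}:{role}", "contract": contract,
                "role": role, "peers": self.contracts[contract][role]}

@dataclass
class PolicyEngine:
    rules: dict = field(default_factory=dict)  # (host, policy_id) -> (contract, peers)
    roles: dict = field(default_factory=dict)  # host -> {(contract, role)}

    def install(self, host, mc):
        # Step 2b: microcode arriving from a host creates processing rules.
        self.rules[(host, mc["policy_id"])] = (mc["contract"], mc["peers"])
        self.roles.setdefault(host, set()).add((mc["contract"], mc["role"]))

    def forward(self, pkt):
        # Step 3b: default deny. The sender must have installed this policy
        # identifier, and the destination must hold a peer role in the contract.
        rule = self.rules.get((pkt["src"], pkt.get("policy_id")))
        if rule is None:
            return False
        contract, peers = rule
        return any(c == contract and r in peers
                   for c, r in self.roles.get(pkt["dst"], ()))

def demo():
    pc = PolicyController(  # constructed sample policy
        contracts={"web-db": {"client": {"server"}, "server": {"client"}}},
        grants={("web", "web-db", "client"), ("db", "web-db", "server")})
    pe = PolicyEngine()
    web, db, other = "2001:db8::1", "2001:db8::2", "2001:db8::9"
    pe.install(web, pc.request("web", "web-db", "client"))
    pe.install(db, pc.request("db", "web-db", "server"))
    pid = "web-db:client"
    return {
        "web->db": pe.forward({"src": web, "dst": db, "policy_id": pid}),
        "unmarked": pe.forward({"src": web, "dst": db}),
        "no_dst_role": pe.forward({"src": web, "dst": other, "policy_id": pid}),
        "unrequested": pe.forward({"src": other, "dst": db, "policy_id": pid}),
        "ungranted": pc.request("batch", "web-db", "client"),
    }
```

Only the flow that was both specified in the contract and requested by both endpoints is forwarded; every other case falls through to the drop.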

Deployment Options

Bayware breaks from Software Defined Networking (SDN) models that push complex reconfigurations into underlying networks, which were not built for continuous change.

Enterprises can run Bayware standalone using the underlying infrastructure of cloud providers’ VPCs. Bayware also runs in concert with application service orchestration systems and SDNs that provision lower layer data center and branch networking.

Bayware reduces acquisition and operation costs by running over the top of brownfield underlay networks, eliminating the need to install and configure any additional specialized networking appliances or controllers. Bayware provides an all-in-one solution for service-to-service communications.

Why Bayware

Bayware brings NetOps and SecOps into the DevOps model of continuous, application-centric deployment. It is all code: enterprises get the same development and deployment agility and the same cloud-scaling benefits for networking functions as they are getting from cloud-native applications.


Fig. 104 DevOps Self-Sufficiency

Bayware has a unique solution for enabling application services to communicate across diverse hybrid-cloud and multi-cloud infrastructures: it (1) enables the network to respond to frequent additions, updates and changes in scale and location, and (2) ensures that security and network policy meet compliance and corporate standards.

Today’s solutions do one or the other well, but not both. Bayware’s pervasive security automatically encrypts flows and is hyper-micro-segmented by default. This improves security, observability and accountability for network usage rather than requiring compromises as the newest service mesh solutions do.