Observability meets intelligence: the convergence of cloud-native monitoring and DPI in Open RAN


By Roy Chua, AvidThink
Published on: 08.05.2025

A view from the trenches

Walking the exhibition floor at KubeCon EU 2024 in London recently, I couldn't help but notice a striking trend: nearly half the vendors were prominently featuring observability as a core value proposition. This prevalence speaks volumes about the maturation of cloud-native technologies and the growing recognition that visibility (“what”) – and more so, observability (“how” the issue occurred, and “why”) – isn't just a nice-to-have; it's fundamental infrastructure.

As cloud-native principles continue reshaping telecommunications infrastructure, from the 5G service-based architecture (SBA) in the core through the RAN, particularly in Open RAN deployments, we're witnessing the convergence of two key approaches to network visibility: cloud-native observability and Deep Packet Inspection (DPI). I’ll discuss how these complementary technologies can bridge the visibility gap in disaggregated network environments and bring visibility, traceability, and control to Open RAN.

The Open RAN vision and visibility challenge

Open Radio Access Networks (Open RAN) promise flexibility, innovation acceleration, and a diversified vendor ecosystem by disaggregating traditional, monolithic RAN architectures. However, this very openness – replacing black boxes with interconnected, multi-vendor components – introduces operational hurdles. Findings from a recent survey by The Fast Mode and Rohde & Schwarz underscore this, with nearly 69% of vendors citing the presence of multiple vendors as having a significant impact on RAN management complexity, followed closely by the challenge of managing highly modularized functions (44%).

Realizing the full potential of Open RAN requires more than just standardized interfaces; it demands an embrace of cloud-native operational practices. Central to this is robust observability, a practice that moves beyond traditional monitoring to provide deep, actionable insights into these complex systems.

The Open RAN landscape: complexity by design

At its heart, Open RAN decomposes the base station into distinct functional units: the Open Radio Unit (O-RU), the Open Distributed Unit (O-DU), and the Open Centralized Unit (O-CU), connected via open fronthaul and midhaul interfaces (e.g., F1). Orchestration and intelligence are handled by the Service Management and Orchestrator (SMO) and the RAN Intelligent Controller (RIC), the latter split into non-real-time (Non-RT RIC) and near-real-time (Near-RT RIC) components hosting specialized applications (rApps and xApps) communicating via interfaces like A1 and E2.

While elegant in its modularization, this disaggregation creates a complex web of interactions. Functions are delivered as virtualized network functions (VNFs) or containerized network functions (CNFs), potentially running on different hardware, across various locations (cell site, edge cloud, central cloud), and sourced from multiple vendors. This environment renders traditional monitoring tools inadequate – a sentiment echoed by nearly 74% of vendors in the survey mentioned above, who believe conventional RAN analytics tools are insufficient for Open RAN's demands. Visibility into the virtualized layers (VNFs/CNFs) and the underlying cloud infrastructure becomes critical, as highlighted by survey respondents (63% and 45% respectively rating real-time analytics as 'very important' for these layers).

Furthermore, this expanded, multi-vendor, software-defined landscape can expose a broader attack surface. While robust cloud security practices (SBOMs, encryption, RBAC) are essential, ensuring operational security and performance requires deep visibility. Context-aware approaches like Zero-Trust Network Access (ZTNA) are key, yet the survey found a concerning gap: over 77% of MNOs currently lack sufficient user, device, and application visibility for robust ZTNA implementation. Clearly, insights beyond basic network flows are essential.

Navigating observability in a disaggregated world

To manage this complexity, the telecom industry is adopting observability practices honed in the cloud-native domain, typically analyzing Metrics, Events, Logs, and Traces (MELT). However, applying these practices in Open RAN requires acknowledging two distinct contexts:

  1. Intra-Application/Microservice Observability: Within a single cloud-native network function (CNF) composed of multiple microservices, or between tightly coupled CNFs developed by the same vendor (e.g., components within an SMO), standard cloud-native tooling often excels. Service meshes (like Istio/Envoy, Linkerd), distributed tracing libraries (OpenTelemetry), and metric collectors (Prometheus) can be integrated directly into the application code or sidecars, providing detailed visibility into internal calls, latencies, and errors. Here, the operator or vendor often has significant control over the instrumentation.
  2. Inter-Module Observability (Across O-RAN Interfaces): Observing interactions between distinct, potentially multi-vendor Open RAN components communicating over standardized interfaces (like F1, E1, E2, A1) presents a different challenge. Operators may not control the instrumentation points within each vendor's black box. Communication often uses specific protocols (e.g., SCTP-based F1AP/E2AP) where standard service meshes don't readily apply. Effective observability here relies on:
    • Monitoring interface-specific KPIs defined by O-RAN standards (if available and sufficient).
    • Instrumenting API gateways or interface termination points where possible.
    • Analyzing the network traffic flowing over these interfaces. This involves inferring performance from transport-layer behavior (e.g., TCP/TLS handshake times, retransmissions); or, more powerfully, inspecting the traffic itself to understand the relationship between protocols and applications and the impact on performance.
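
The transport-layer inference in the last bullet can be done from packet headers alone. The sketch below is an added example, not code from the article or any vendor product: it takes constructed packet summaries from a passive tap and derives handshake timing on each side of the tap plus a retransmission count, using TCP as in the bullet's own example. The record layout and the `analyze` function are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed packet summaries as a passive tap might record them:
# (time_s, src, dst, sport, dport, tcp_flags, seq, payload_len). All values invented.
PACKETS = [
    (0.000, "10.0.0.1", "10.0.0.2", 40000, 443, "S", 1000, 0),
    (0.012, "10.0.0.2", "10.0.0.1", 443, 40000, "SA", 5000, 0),
    (0.013, "10.0.0.1", "10.0.0.2", 40000, 443, "A", 1001, 0),
    (0.020, "10.0.0.1", "10.0.0.2", 40000, 443, "PA", 1001, 300),
    (0.250, "10.0.0.1", "10.0.0.2", 40000, 443, "PA", 1001, 300),  # same seq again
    (0.262, "10.0.0.2", "10.0.0.1", 443, 40000, "PA", 5001, 1200),
]

def new_flow():
    return {"client": None, "syn": None, "synack": None, "segments": set(),
            "server_side_ms": None, "client_side_ms": None, "retransmissions": 0}

def analyze(packets):
    """Handshake timing and retransmission count per connection, from headers only."""
    flows = defaultdict(new_flow)
    for ts, src, dst, sport, dport, flags, seq, plen in packets:
        # Direction-independent key so both halves of a connection share one record.
        f = flows[tuple(sorted([(src, sport), (dst, dport)]))]
        if flags == "S":
            if f["syn"] is None:  # a repeated SYN keeps the first timestamp
                f["syn"], f["client"] = ts, (src, sport)
        elif flags == "SA":
            if f["syn"] is not None and f["synack"] is None:
                f["synack"] = ts
                # SYN to SYN/ACK: round trip between the tap and the server.
                f["server_side_ms"] = round((ts - f["syn"]) * 1000, 3)
        elif ("A" in flags and (src, sport) == f["client"]
              and f["synack"] is not None and f["client_side_ms"] is None):
            # SYN/ACK to the client's first ACK: round trip between tap and client.
            f["client_side_ms"] = round((ts - f["synack"]) * 1000, 3)
        if plen > 0:
            segment = (src, sport, seq, plen)
            if segment in f["segments"]:
                f["retransmissions"] += 1  # simplification: exact duplicates only
            f["segments"].add(segment)
    keep = ("server_side_ms", "client_side_ms", "retransmissions")
    return {key: {m: f[m] for m in keep} for key, f in flows.items()}
```

Splitting the handshake at the tap shows which side of the observation point contributes the delay, which a single end-to-end latency counter cannot.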

It's in this second context – observing the crucial interactions across standardized, multi-vendor interfaces – where traditional cloud-native instrumentation can fall short, highlighting the need for complementary network-level visibility techniques.

Example 1: Using DPI on F1-U between CU-UP and DU to extract deeper insights and metadata that can be streamed to IPFIX collectors for comprehensive analysis

Deep packet inspection (DPI): bridging the inter-module observability gap

While infrastructure metrics and logs provide a baseline, they often lack the application-level context to diagnose issues across the disaggregated RAN, especially over those standardized interfaces. Deep Packet Inspection (DPI) technology emerges as an enabler: it combines state-of-the-art classification methodologies, such as statistical and behavioral analysis of IP packets, to identify the actual applications, services, and protocols in flight without decrypting the traffic.

How does DPI specifically enhance Open RAN observability, particularly for inter-module interactions?

  • Application & Service Context: DPI moves beyond port numbers to accurately identify applications (e.g., distinguishing a VoNR call from Teams video or IoT data) traversing interfaces like F1 or flowing into the UPF. This context is vital for RIC-based optimization (via xApps/rApps) needing to apply policies based on application type or slice requirements. The survey confirms the need, with performance metrics (48% 'very important') and service/protocol/application identification (24%, 22%, 16% 'very important') being critical for intelligent decisions. An xApp managing slice QoE, for instance, can use DPI data to differentiate high-priority URLLC traffic from best-effort flows sharing the same logical slice resources.
  • True Performance Picture: By analyzing application-layer transactions within the traffic crossing interfaces, DPI can derive granular performance indicators (e.g., application-specific latency, video/voice quality metrics like jitter affecting MOS, retransmission rates impacting throughput) that reflect actual user experience more accurately than infrastructure counters alone. This helps pinpoint whether latency issues originate in the transport network, the radio interface, or within a specific RAN function's processing.
  • Rich Metadata for Correlation: DPI engines extract relevant metadata (e.g., subscriber identifiers, device types, application transaction details) that can be exported (e.g., via IPFIX) to enrich logs and traces from other systems. This allows operators to correlate a network-level event (like a latency spike on the F1 interface) with specific application flows or subscriber groups, drastically speeding up root cause analysis.
  • Security Context & Encrypted Traffic Insights: DPI identifies protocols and application behaviors, aiding security tools in detecting anomalies or policy violations crossing inter-module boundaries. Crucially, advanced DPI techniques incorporating machine learning can classify and analyze encrypted traffic patterns (like those using TLS 1.3 or QUIC), providing vital security and performance context even when payload visibility is limited – essential for ZTNA and threat detection across the distributed architecture.
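
The correlation step described under "Rich Metadata for Correlation" can be sketched as a time-window join between exported flow records and an interface event. This is an added example, not code from the article or from any DPI product; the records and the alert window are constructed, and `subscriberGroup`, `attribute` and `explain_spike` are hypothetical names.

```python
from collections import defaultdict

def flow(start_ms, end_ms, octets, app, group):
    # flowStartMilliseconds, flowEndMilliseconds, octetDeltaCount and applicationName
    # are standard IPFIX information elements; subscriberGroup is a hypothetical
    # vendor-specific field standing in for DPI-derived subscriber metadata.
    return {"flowStartMilliseconds": start_ms, "flowEndMilliseconds": end_ms,
            "octetDeltaCount": octets, "applicationName": app, "subscriberGroup": group}

# Constructed records, as a collector might hold them after decoding the export.
FLOWS = [
    flow(0, 10_000, 1_000_000, "video-stream", "consumer"),
    flow(3_000, 7_000, 8_000_000, "firmware-update", "iot"),
    flow(4_500, 5_500, 50_000, "voice", "consumer"),
    flow(8_000, 9_000, 500_000, "video-stream", "consumer"),
]
# Constructed event: a latency alert window on the F1 interface.
SPIKE = {"interface": "F1", "start_ms": 4_000, "end_ms": 6_000}

def attribute(flows, start_ms, end_ms, by=("applicationName", "subscriberGroup")):
    """Rank groups by estimated bytes inside the window (even rate assumed per flow)."""
    totals = defaultdict(float)
    for f in flows:
        f_start, f_end = f["flowStartMilliseconds"], f["flowEndMilliseconds"]
        if f_end == f_start:  # single-packet flow: inside the window or not
            share = 1.0 if start_ms <= f_start <= end_ms else 0.0
        else:
            overlap = min(f_end, end_ms) - max(f_start, start_ms)
            share = max(0, overlap) / (f_end - f_start)
        if share > 0:
            totals[tuple(f[k] for k in by)] += f["octetDeltaCount"] * share
    grand = sum(totals.values())
    rows = [(key, round(v), round(v / grand, 3)) for key, v in totals.items()]
    return sorted(rows, key=lambda row: row[1], reverse=True)

def explain_spike(flows, spike):
    return attribute(flows, spike["start_ms"], spike["end_ms"])
```

Each returned row is (group, estimated bytes in the window, share of window traffic), so the first row names the application and subscriber group most likely tied to the event.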

DPI provides the real-time, application-aware data feed needed by intelligent RAN components like xApps and rApps to execute their functions effectively. Traffic management and security applications, highlighted as heavily reliant on real-time analytics (58% flagged this as 'very important'), are prime consumers of DPI's granular classification and performance data. To deliver this value, DPI solutions must be scalable, performant, deployable in cloud-native forms, accurate, and interoperable – matching the demanding requirements identified by vendors for Open RAN deployments.

Conclusion: building trust through comprehensive visibility

Open RAN offers a compelling path towards more flexible and innovative mobile networks. Successfully navigating its inherent complexity, however, demands a sophisticated approach to observability that blends cloud-native instrumentation with network-level traffic intelligence. While standard tools work well within controlled application boundaries, observing the critical interactions across multi-vendor, standardized interfaces requires deeper network insights.

Deep Packet Inspection provides this crucial application-aware context, enriching observability platforms and enabling the intelligent automation promised by the RIC. It helps bridge the visibility gap across disaggregated components, assuring performance and enhancing security. As Open RAN matures and AI/ML-driven optimization becomes central, the need for high-quality, granular data sources like DPI will only intensify. The growing industry adoption signals a recognition that building truly intelligent, automated, and secure open-architecture networks starts with seeing them clearly – from the cloud-native core to the disaggregated edge.


Roy, an entrepreneurial executive with 20+ years of IT experience, is the founder of AvidThink, an independent analyst firm covering infrastructure technologies at both carriers and enterprises. AvidThink's clients include Fortune 500 technology firms, early-stage startups, and upstart unicorns. Roy has been quoted by and featured on major publications including WSJ, FierceTelecom/Wireless, The New Stack and Light Reading. Roy is a graduate of MIT Sloan (MBA) and UC Berkeley (BS, MS EECS).
