Cloud Connect is a key component of the Cisco hybrid cloud portfolio. In this session, we review how Cloud Connect solutions can securely extend your private network to the AWS Cloud and ensure the application experience. The products we cover include the CSR1000v and vEdge with Umbrella integration.
Cisco Cloud Connect Solutions Extend Your Private Network to AWS and Maintain User Experience
1. Cisco Hybrid Cloud: Cloud Connect
Liad Ofek
Director, Product Management
Cloud and Virtualization
Networking Business Unit
July 2018
2. It’s a Hybrid Cloud World
Source: IDC CloudView, April 2017, n=8,293 worldwide respondents, weighted by country, company size and industry
• 85% are evaluating or using public cloud
• 87% (among cloud users) have taken steps towards a hybrid cloud strategy
3. Hybrid Cloud Complexity Challenges
Pain points: fragmented, complex, no data control
“I need to…”
• “…securely extend private networks to public clouds”
• “…define and execute my cloud-first strategy”
• “…protect my cloud applications, endpoints, and data”
• “…migrate to cloud and manage the full application lifecycle”
4. Cloud Adoption Journey – Key Activities & Pain Points
(Diagram: private cloud, AWS IaaS, PaaS, multiple SaaS services and other public clouds; pain points shown: fragmented, complex, no data control.)
8. Cisco Cloud Portfolio — Implementation
Hybrid Cloud Portfolio: Cloud Connect, Cloud Protect, Cloud Advisory, Cloud Consume
▪ Faster implementation and time to value
▪ Lower risk
▪ Lower cost
Design and Deployment Guides:
• Best practices
• Integrated design
• Detailed implementation steps
9. Cloud Connectivity Challenges
(Diagram: users and applications spread across on-prem datacenters, remote branches and public cloud (AWS), joined by Cloud Connect.)
• Complexity & dependency – need a simple and scalable way to securely extend the private network across cloud environments
• Inconsistent security policies between private & public – need to apply consistent security policies
• Performance and ambiguity about the best path to reach the cloud – need to enhance the application experience
10. Cloud Connect – CSR 1000V
(Diagram: Enterprise DC with ASR1K and branch with ISR4K connecting to CSR1000v instances in front of multiple AWS VPCs.)
• Securely extend the private network to the cloud from the branch and DC with CSR1000v
• Extend routing to a multi-VPC environment with CSR1000v in a Transit VPC
• Maintain application experience with QoS and AVC
11. Cloud Connect w/vEdge Cloud
(Diagram: Enterprise DC with ASR1K and branch with vEdge connecting over the Internet to vEdge Cloud in front of multiple AWS VPCs.)
• Direct cloud connectivity from a branch with vEdge to vEdge Cloud
• Extend routing to a multi-VPC environment with a vEdge Transit VPC
• Extend the Cisco SD-WAN fabric to the cloud
12. Cloud Connect – vEdge and Umbrella
(Diagram: branch and Enterprise DC with ASR1K, vEdge Cloud in front of multiple AWS VPCs, Internet and Umbrella.)
• Protect your branch office users directly to your multi-cloud environment, leveraging direct internet access (DIA) with vEdge and a secure internet gateway (Umbrella)
14. CSR Cloud High Availability
• No virtual IP as with HSRP, since AWS doesn’t allow multicast
• BFD over a GRE tunnel is enabled between the two CSRs to detect failure
• AWS Route Tables for app subnets are re-pointed to the surviving CSR
• Failure detection is automatic
• The CSR itself calls the AWS API to adjust AWS Route Table routes
• Sub-second failover
(Diagram: VPC with a CSR subnet and App Subnets A and B, showing the route tables before and after HA failover, BFD between the two CSRs and the AWS REST API call.)
Reference: http://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/aws/b_csraws/b_csraws_chapter_0100.html
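The route-table re-pointing step above, as an added example that is not Cisco's code: a BFD "down" event drives replace_route calls for every app-subnet route whose next hop is the failed CSR's interface. The EC2 client is duck-typed (a real boto3 EC2 client exposes describe_route_tables() and replace_route() with these parameter names); FakeEc2, the route-table ids and the ENI ids are constructed placeholders so the logic runs offline.

```python
# Added example (not Cisco's code): the route re-pointing step of the CSR HA design.
# The client is duck-typed: boto3's EC2 client has describe_route_tables() and
# replace_route(RouteTableId=..., DestinationCidrBlock=..., NetworkInterfaceId=...).
# FakeEc2 and all ids below are constructed stand-ins so this runs offline.

def routes_to_repoint(route_tables, failed_eni):
    """Return (route_table_id, destination_cidr) for every route whose next hop is failed_eni."""
    hits = []
    for rtb in route_tables:
        for route in rtb.get("Routes", []):
            if route.get("NetworkInterfaceId") == failed_eni:
                hits.append((rtb["RouteTableId"], route["DestinationCidrBlock"]))
    return hits

def failover(ec2, bfd_state, failed_eni, surviving_eni):
    """On BFD 'down', re-point each route targeting failed_eni to surviving_eni.
    Returns the number of routes replaced (0 while BFD still reports 'up')."""
    if bfd_state != "down":
        return 0
    tables = ec2.describe_route_tables()["RouteTables"]
    changed = 0
    for rtb_id, cidr in routes_to_repoint(tables, failed_eni):
        ec2.replace_route(RouteTableId=rtb_id, DestinationCidrBlock=cidr,
                          NetworkInterfaceId=surviving_eni)
        changed += 1
    return changed

class FakeEc2:
    """Constructed in-memory EC2 stand-in: two app-subnet route tables, CSR1 is the default gateway."""
    def __init__(self):
        self.tables = [
            {"RouteTableId": "rtb-appA", "Routes": [
                {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-csr1"}]},
            {"RouteTableId": "rtb-appB", "Routes": [
                {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-csr1"},
                {"DestinationCidrBlock": "10.0.0.0/8", "NetworkInterfaceId": "eni-csr2"}]},
        ]
    def describe_route_tables(self):
        return {"RouteTables": self.tables}
    def replace_route(self, RouteTableId, DestinationCidrBlock, NetworkInterfaceId):
        for rtb in self.tables:
            if rtb["RouteTableId"] == RouteTableId:
                for route in rtb["Routes"]:
                    if route["DestinationCidrBlock"] == DestinationCidrBlock:
                        route["NetworkInterfaceId"] = NetworkInterfaceId

if __name__ == "__main__":
    ec2 = FakeEc2()
    print(failover(ec2, "down", "eni-csr1", "eni-csr2"))  # 2 routes re-pointed to CSR2
```

The IAM role the CSR uses for this path only needs ec2:DescribeRouteTables and ec2:ReplaceRoute, and can be scoped to the app-subnet route tables.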
15. Public Cloud Transit Routing Challenge
• No transit routing capability: with A-B peering and B-C peering, A-to-C through B is NOT supported
(Diagram: VPC-A, VPC-B and VPC-C in AWS plus the private DC; the alternatives shown are a full mesh of peerings or backhaul through the private DC, see next slide.)
16. Transit VPC Design
• Dedicated VPC: simplifies routing by not combining with other shared services
• CSR1000v virtual network appliances: provide dynamic routing and VPN network tunnels
• Redundancy: dynamic routing combined with multi-AZ deployment creates a robust network infrastructure
• VGW: VPC virtual gateways provide highly available connections to the transit VPC virtual network appliances
(Diagram: Transit VPC with CSR1 in AZ1 and CSR2 in AZ2; spoke VPCs A, B, C and further VPCs across regions and accounts/subscriptions; private DC with ASR reached over Direct Connect or Internet; other provider networks.)
17. Scale Out
(Diagram: Transit VPC with CSR1–CSR4; private DC with ASR reached over DX/ER or Internet; spoke VPCs.)
• Add another pair of CSRs to scale out
• The remote end (VGW) has multiple tunnels and does L3 ECMP (Equal Cost Multiple Path)
• Elasticity as you go: monitor CSR real-time throughput and spin up new CSRs on demand
18. Traffic Segregation
• Traffic segregation is built in natively
• Each spoke VPC is represented as a different VRF in the CSR
• Routing is controlled through the RT (Route Target)
• Different VPCs can communicate by exporting/importing the same RT
• Follow the same mechanism to create customized VRFs, like an on-premise VRF
(Diagram: CSR1 and CSR2 carrying VPC-A, VPC-B and VPC-C VRFs and an on-premise VRF, exchanging routes with the private DC over MP-BGP.)
19. Extend Trust Sec into AWS Transit VPC – Simplifying Segmentation and Control
(Diagram: Data Center with ASR1K and ISE connected over Direct Connect with dynamic route peering to a Transit VPC (CSR1 in AZ1, CSR2 in AZ2) fronting App 1 (VPC1), App 2 (VPC2), App 3 (VPC3) and the Internet; an access matrix shows which of the Employee, Developer, Guest and Non-Compliant tags may reach each destination.)
• ISE: identity & access control, policy enforcement
• Control access to spoke VPCs based on SGT tags and policy enforcement within the Transit VPC
• Hub CSRv’s: control traffic between VPCs, simplify security configurations, scale security group control, single control point
20. Prioritize Your Traffic with QoS Policy
• AWS infrastructure doesn’t acknowledge the QoS value; however, you can use it over the tunnel
• Based on transport type (Direct Connect, VPC Peering, Public IP), shape different traffic to ensure app experience when the link gets over-subscribed
(Diagram: Cisco ISR/ASR in the corporate DC, Direct Connect through a Co-Lo, QoS applied on the IPSEC tunnel.)
21. Integrated Security Features on CSR
Features: ACL, VRF, Zone Based Firewall, IPSEC, Trust Sec, Encrypted Traffic Analytics (ETA)
(Diagram: Transit Hub VPC with CSR1 and CSR2.)
Integrated security:
• Low TCO by enabling security services
• Built-in high availability with routing
• Single device to manage routing and security
22. Cloud Security with Cisco Umbrella
(Diagram: remote site with DIA via ISP1, SD-WAN fabric, regional data center and data center; DNS queries from the remote site.)
• The vEdge router intercepts client DNS queries
- Deep Packet Inspection
• DNS queries are forwarded to Cisco Umbrella DNS servers based on the data or application aware routing policies centrally defined on vManage
- The target DNS server list is defined under the service side VPN
- Policy can pin DNS queries for a specific application (DPI based) to a specific DNS server from the list
• Cisco Umbrella enforces security policy compliance based on DNS resolution
23. Two Deployment Models
Application VPC Gateway
• CSR deployed in the application VPC
• Provides an IPSEC gateway for the entire VPC
• Needs high availability
Transit Hub Router
• CSR deployed in a dedicated Transit Hub, not in the application VPC
• High speed traffic routing for spoke VPCs
• High availability is built in natively
(Diagram: Application VPC; Transit Hub spanning AZ1 and AZ2.)
24. Cloud onRamp for IaaS – How it works
Public Cloud (AWS) connectivity solution consumable through the vManage platform
(Diagram: branch, DC, Internet and MPLS transports; vManage platform; Public Cloud Provider 1, Region 1 with IaaS instances behind a vEdge GW.)
• Public cloud credentials are added to vManage
• vManage invokes instantiation of vEdge instances in the user’s accounts and connects IaaS instances to vEdge GW VPN segments
• IaaS instances are discovered from the user’s account in a region; the user selects instances to operate on
• New instances can be discovered and mapped to VPN segments later
• The user defines vEdge gateway parameters and maps IaaS instances to VPN segments in the overlay
vManage Cloud onRamp for IaaS app: a vManage application that orchestrates connectivity to IaaS instances across multiple clouds and multiple regions. Provides visibility into cloud instances.
vEdge Cloud Router: a virtualized version of the vEdge router. Available on the AWS and Azure marketplace.
25. Cloud onRamp for SaaS
(Diagram: branch with local DMZ, regional internet exit, data center/DMZ and vFabric; httping probes; SaaS traffic primary and backup paths.)
Cloud onRamp for SaaS Gateways: vEdge routers monitoring service availability to SaaS apps.
vManage Cloud onRamp for SaaS app: a vManage application that provides visibility into SaaS performance and availability from the branch.
How it works
• The user designates Cloud onRamp gateways, which can be remote DMZs or local CPE (DIA case)
• SLA metrics are computed by using httping based probes to the SaaS endpoint through the Cloud onRamp gateway
• Per-application SLA metrics include loss and latency
• Application aware routing to the SaaS endpoint from gateway routers
• The path experiencing the better SLA for the application is chosen
Viptela Quality of Experience (vQoE) score: provides visibility into application QoE based on real-time probes. vQoE information influences routing decisions on vEdge routers.
26. Why Cloud Connect?
• Proven methodology – transforming to deliver business outcomes based on adoption of capabilities via cloud technologies
• Ease of management – easy management and administration due to consistency of the solutions between on-prem and public cloud
• Integrated security – most comprehensive security and networking features and services that leverage existing infrastructure
• Seamless transition to cloud environments by extending enterprise-grade networking & security from on-prem to cloud
• Best-in-class SD-WAN with security – Viptela with Umbrella
• Best network flow monitoring and threat analytics
27. Q: Where can I find the CSR on AWS?
A: In the AWS marketplace!
1. Search for “Cisco”
2. Pick a flavor