
(NET208) Enable & Secure Your Business Apps via the Hybrid Cloud on AWS


Learn how to enable and support data migrations in AWS and keep your business applications highly secure, whether you are migrating your IT infrastructure to the cloud, migrating your business applications to the cloud, or simply moving traffic on AWS between different Availability Zones. Our real-world use cases include securing your critical business applications in AWS by deploying vSRX as a perimeter firewall for VPC instances, and enabling secure transport and routing for hybrid cloud deployments using IPSec VPNs on vMX.  Session sponsored by Juniper Networks.

  1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. October 2015. NET208: Enable and Secure Your Business Applications via the Hybrid Cloud in AWS. Shishir Agrawal, Juniper Networks, Sr. Manager, Product Management, vSRX (ssagrawal@juniper.net); Ariful Huq, Juniper Networks, Sr. Manager, Product Management, vMX (ahuq@juniper.net)
  2. What to Expect from the Session (for your 60 minutes)
     • Trends and challenges in migrating to hybrid cloud
     • Learn about solutions to address these challenges
     • Routing capabilities between public cloud instances
     • Secure transport to the public cloud
     • Security against advanced threats and staying compliant
     • Demo on how to address these challenges in AWS, and a do-it-yourself solution
  3. Cloud statistics. The cloud is changing the way enterprises work and transforming the way IT and business processes are delivered.
     • Nearly 70% of enterprises will pursue the hybrid cloud by 2015**
     • 91% of net new software was built for cloud delivery in 2014***
     • Cloud market opportunity*: 25% CAGR through 2017; by 2017, cloud spend will be $392B. Chart segments, in the order shown on the slide: Private Cloud 25% CAGR, IaaS/PaaS 28% CAGR, SaaS/BPaaS 24% CAGR
     Sources: *IBM Market Insights, 1H 2014; **Gartner, "Private Cloud Matters, Hybrid Cloud is Next", G00255302, Sept 6, 2013, p. 6; ***IDC Directions, "How SaaS Gets Built", Doc # DR2014_T3_RM, March 2014
  4. Cloud inhibitors. Q. Which does your organization consider the most IMPORTANT INHIBITORS to your organization's increased usage of cloud services? (N=301, base: all respondents; source: IDC's Multi-Client Report: Enterprise Cloud Connect, 2015.) Key inhibitors: security, reliability, and IT governance. Chart values paired with labels in the ascending order shown on the slide (labels as truncated there):
     Employee size 100-999: Other .7 | None 1.3 | Lack of tools to… 16.7 | Current network… 18.7 | Cloud cannot support… 21.3 | Reduced… 22.7 | Will cost too much to… 24.0 | Hard to integrate with… 26.0 | Reliability concerns:… 27.3 | Dependency on… 28.0 | Lock-in to a single… 28.0 | IT governance issues 30.0 | Security concerns 41.3
     Employee size 1000+ (N=151): Other 4 | None 4.6 | Lack of tools to… 17.2 | Reduced… 17.9 | Expensive 18.5 | Limitation of current… 18.5 | Not suitable for… 22.5 | Hard to integrate with… 26.5 | Service provider lock-… 28.5 | Dependency on… 29.1 | IT governance… 31.8 | Reliability concerns:… 34.4 | Security concerns 48.3
  5. Trends: business edge and enterprise networks are evolving. Applications and workloads are shifting to public cloud providers such as AWS. This shift requires:
     • Secure transport to the public cloud
     • A secure perimeter gateway providing the same next-generation firewall capabilities as on-premises solutions
     • Routing capabilities between public cloud instances in case of geo-redundancy
  6. Enabling public cloud migration: customer challenges. (Diagram: an enterprise CE router reaching VPC instances in AWS Region A and AWS Region B over a provider MPLS network and the Internet, through provider PE routers and Amazon PE routers via Direct Connect.)
     • Scalable, secure transport with full-mesh capabilities from multiple enterprise locations to the public cloud instance
     • Routing between VPC instances across AWS regions for geo-redundancy and high availability
     • Operational consistency between the on-premises gateway and the cloud gateway
     • Redundant gateway for high availability within an AWS region
     • Visibility, analytics, and troubleshooting capabilities of the cloud gateway
     • Ensure quality of service for specific types of traffic
  7. Enabling public cloud migration. Solution: a scale-out virtual router in the VPC. (Diagram: a Virtual Private Cloud with two Availability Zones, each holding a VPC subnet; customer gateways at the New York, Chicago and Los Angeles customer networks build VPNs to a VPN router / Virtual Private Gateway in the VPC.) Utilize a scale-out virtual router instead: to remediate the challenges highlighted, we augment a VPC deployment with a scale-out, carrier-class virtual router.
  8. Enabling public cloud migration. Solution: a scale-out virtual router in the VPC. (Diagram as on slide 6, now with a virtual router in each VPC instance in AWS Region A and AWS Region B, joined to the enterprise CE by IPsec VPN and Direct Connect.)
     • Scalable, secure transport with full-mesh capabilities from multiple enterprise locations to the public cloud instance: utilize IPsec VPN for any-to-any connectivity with scalable tunnel count and throughput capabilities.
     • Operational consistency between the on-premises gateway and the cloud gateway: carrier-class operating system (JUNOS) with a rich routing stack, automation capabilities (Chef, Puppet, Ansible, PyEZ) and analytics (IPFIX, J-Flow).
  9. Enabling public cloud migration. Solution: a scale-out virtual router in the VPC. (Diagram as on slide 8, with VXLAN over IPsec between the virtual routers in AWS Region A and AWS Region B.)
     • Routing between VPC instances across AWS regions and enterprise locations for high availability: dynamic routing (BGP) with overlay tunneling (VXLAN) creates seamless connectivity across all endpoints.
     • Redundant gateway for high availability within an AWS region: instantiate multiple instances of the scale-out virtual routing platform within a VPC instance to create redundant topologies. Use technologies such as BFD for end-to-end liveness detection.
  10. Enabling public cloud migration. Deployment scenario: virtual router as a Virtual Private Cloud (VPC) gateway. (Diagram: vMX-A and vMX-B in the public subnet behind the VPC Internet gateway, terminating VPN tunnels over the Internet; EC2 instances in the private subnet reach them through the VPC router and its route table.)
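  The gateway described on slides 8 to 10 (IPsec transport into the VPC, BGP across it, BFD for liveness, a second instance for redundancy), written out as an added example; this configuration is not from the deck and not Juniper's own, and it uses the vSRX `security ike` / `security ipsec` route-based syntax rather than vMX, whose services-based IPsec syntax differs. All addresses, AS numbers, object names and the pre-shared key are placeholders.

```junos
/* Added example, not from the NET208 deck: a vSRX in the VPC public subnet
   terminating a route-based IPsec tunnel to one enterprise site and running
   eBGP with BFD across it. All addresses, AS numbers, names and the pre-shared
   key are placeholders. vMX uses a different, services-based IPsec syntax. */
interfaces {
    ge-0/0/0 {
        unit 0 { family inet { address 10.0.1.10/24; } }   /* public-subnet ENI; EIP 203.0.113.10 is 1:1 NAT'd to it by AWS */
    }
    st0 {
        unit 0 { family inet { address 169.254.10.2/30; } } /* tunnel interface, one /30 per peer */
    }
}
security {
    ike {
        proposal ike-aes256-sha256-g14 {
            authentication-method pre-shared-keys;
            dh-group group14;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 28800;
        }
        policy ike-pol-nyc {
            proposals ike-aes256-sha256-g14;
            pre-shared-key ascii-text "REPLACE-WITH-A-LONG-RANDOM-SECRET";   /* placeholder */
        }
        gateway gw-nyc {
            ike-policy ike-pol-nyc;
            address 198.51.100.1;                 /* enterprise (New York) gateway, assumed */
            dead-peer-detection { interval 10; threshold 3; }
            local-identity inet 203.0.113.10;     /* present the EIP, not the private ENI address, or the IKEv2 identity check fails */
            external-interface ge-0/0/0.0;
            version v2-only;
        }
    }
    ipsec {
        proposal esp-aes256-sha256 {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 3600;
        }
        policy ipsec-pol-pfs {
            perfect-forward-secrecy { keys group14; }
            proposals esp-aes256-sha256;
        }
        vpn vpn-nyc {
            bind-interface st0.0;
            ike { gateway gw-nyc; ipsec-policy ipsec-pol-pfs; }
            establish-tunnels immediately;
        }
    }
    zones {
        security-zone untrust {
            host-inbound-traffic { system-services { ike; } }   /* only IKE is accepted from the Internet */
            interfaces { ge-0/0/0.0; }
        }
        security-zone vpn {
            host-inbound-traffic { protocols { bgp; bfd; } }
            interfaces { st0.0; }
        }
    }
}
routing-options {
    static {
        route 10.0.0.0/16 next-hop 10.0.1.1;     /* VPC router (.1 of the subnet) reaches the private subnets */
    }
    autonomous-system 65010;
}
policy-options {
    policy-statement advertise-vpc {
        term vpc-cidr {
            from { protocol static; route-filter 10.0.0.0/16 exact; }
            then accept;
        }
        then reject;
    }
}
protocols {
    bgp {
        group enterprise-sites {
            type external;
            export advertise-vpc;
            peer-as 65001;
            neighbor 169.254.10.1 {
                bfd-liveness-detection { minimum-interval 1000; multiplier 3; }   /* peer declared down after 3 s */
            }
        }
    }
}
```

  Two things outside this file decide whether it works. On the AWS side, the instance's ENIs need the source/destination check disabled and the private subnet's route table needs its default route pointed at the gateway's ENI, or forwarded packets are dropped; the security group on the public ENI must admit UDP 500 and 4500 from the peer (NAT-T is in use because the instance sits behind the Elastic IP). On the Junos side, the vSRX is default-deny: no security policy is shown above, so nothing transits between the vpn zone and the VPC until policies are added. The second gateway (vMX-B on the slide) is the same configuration with its own tunnel /30; the enterprise side then holds two BGP sessions, and BFD on each withdraws the VPC prefix from a failed gateway within the configured 3 s.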
  11. Security: specific areas of concern. What are the specific inhibitors to your organization's increased usage of cloud services? (N=135, base: respondents citing "security" as an important cloud inhibitor; source: IDC's Multi-Client Report: Enterprise Cloud Connect, 2015.) Data protection, security, and compliance are key concerns. Chart values paired with labels in the ascending order shown on the slide (labels as truncated there):
     Lack of visibility into cloud provider's… 21% | Shadow/rogue IT usage 24% | Job security for IT staff 25% | Denial of Service attacks 29% | Legal and regulatory compliance 33% | Unauthorized data access by cloud provider 39% | Security breach of the cloud provider's… 59% | Data protection 67%
  12. Secure migration to AWS hybrid cloud. Use cases: migration of IT services; SaaS/cloud bursting; Desktop as a Service. Customer challenges: advanced threat protection; full-mesh secure connectivity; preserve IT compliance; leverage existing solutions; seamless migration experience.
  13. Solution: migration of IT services. (Diagram: an on-premises DC with Dev and Prod segments, each carrying Policy A and Policy B, alongside AWS VPC-Dev in US-West and VPC-Prod in US-East carrying the same Policy A and Policy B.)
     • Full-mesh secure connectivity: IPsec VPN
     • Preserve IT compliance: policy migration
     • Leverage existing solutions: physical or virtual firewall
     • Seamless migration experience: management and automation
  14. Solution: SaaS/cloud bursting. (Diagram as on slide 13: on-premises DC with Dev and Prod, AWS VPC-Dev in US-West and VPC-Prod in US-East, Policy A and Policy B at each.) "Outside-in" advanced threat protection: IPS, security intelligence, advanced anti-malware.
  15. Open security intelligence platform: a framework that uses information from multiple sources to deliver improved security. (Diagram: a threat intelligence cloud fed by customer-provided or third-party threat data, command & control, GeoIP and additional intelligence; a local appliance or service; central management; firewall and router/switch enforcement points.)
     (1) Aggregated and optimized cloud-based threat intelligence
     (2) Provide threat intelligence to the customer premises
     (3) Local/customer data incorporated into the solution
     (4) Central management
     (5) Intelligence distributed to firewall enforcement points
     (6) Intelligence distributed to router/switch enforcement points
  16. Advanced anti-malware cloud service. (Diagram components: malware inspection pipeline of cache, static analysis and dynamic analysis; content (file) extraction at the firewall; fast verdicts for in-line blocking; identified malware; C&C events; analytics; internal compromise detection; threat intel events (C&C "hits"); firewall quarantine of compromised systems; feeds for C&C, GeoIP, custom and known C&C servers; feed analysis and efficacy; a web-based service portal for licensing, reporting, configuration and management.)
  17. Solution: Desktop as a Service (DaaS). (Diagram: AWS and an on-premises DC.) "Inside-out" advanced threat protection: application visibility and control, user ID, unified threat management.
  18. Application visibility and control (ingress and egress)
     • App tracking: understand security risks; address new user behavior
     • App firewall: block access to risky apps; allow user-tailored policies
     • App QoS: prioritize important apps; rate-limit less important apps
     • SSL proxy: SSL packet inspection
     • IPS: block security threats
     • Heuristics for evasive and tunneled apps; more application signatures; open signature language
  19. Virtual firewall: enable secure migration to AWS
     • Foundation (core firewall features): firewall, VPN, NAT, routing
     • Next-generation firewall services: application control, user-based firewall
     • Unified threat management: anti-virus, intrusion prevention, web/content filtering, anti-malware
     • Security intelligence: command & control, GeoIP feeds, custom feeds
     • Management: reporting, analytics, automation
     (Everything above the foundation layer is grouped as advanced security services.)
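  What "policy migration" on slide 13 and the foundation layer on slide 19 look like in practice, as an added example that is not from the deck or from Juniper: a vSRX fronting a VPC private subnet with zones, screens, NAT and a default-deny zone policy written so the same rule set loads unchanged on an on-premises SRX. Interface units, subnets, object names and ports are assumed values.

```junos
/* Added example, not from the NET208 deck: vSRX as the VPC perimeter firewall,
   with a zone policy written so the same rules can be loaded on an on-premises
   SRX and on the vSRX in VPC-Prod; only interface names and addresses change.
   All names, subnets and ports are assumed. */
security {
    address-book {
        global {
            address web-tier 10.0.2.0/24;         /* private-subnet web instances */
            address web-vip  10.0.2.10/32;        /* instance that fronts the public service */
            address corp-mgmt 192.168.50.0/24;    /* on-premises management network */
        }
    }
    screen {
        ids-option untrust-screen {
            icmp { ping-death; }
            ip { source-route-option; tear-drop; }
            tcp { syn-flood { alarm-threshold 1024; attack-threshold 200; } land; }
        }
    }
    zones {
        security-zone untrust {
            screen untrust-screen;
            interfaces { ge-0/0/0.0; }            /* public-subnet ENI carrying the Elastic IP */
        }
        security-zone trust {
            interfaces { ge-0/0/1.0; }            /* private-subnet ENI; that subnet's default route points here */
        }
        security-zone vpn {
            host-inbound-traffic { protocols { bgp; } }
            interfaces { st0.0; }                 /* IPsec tunnel back to the data centre */
        }
    }
    nat {
        destination {
            pool web-vip-pool { address 10.0.2.10/32; }
            rule-set from-internet {
                from zone untrust;
                rule https-in {
                    match { destination-address 10.0.1.10/32; destination-port 443; }   /* private address behind the EIP */
                    then { destination-nat { pool { web-vip-pool; } } }
                }
            }
        }
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule egress-pat { match { source-address 10.0.2.0/24; } then { source-nat { interface; } } }
            }
        }
    }
    policies {
        from-zone untrust to-zone trust {
            policy web-public {                   /* destination NAT runs first, so the post-NAT address is matched here */
                match { source-address any; destination-address web-vip; application junos-https; }
                then { permit { application-services { idp; } } log { session-close; } }
            }
        }
        from-zone vpn to-zone trust {
            policy mgmt-from-corp {
                match { source-address corp-mgmt; destination-address web-tier; application [ junos-ssh junos-https ]; }
                then { permit; log { session-close; } }
            }
        }
        from-zone trust to-zone untrust {
            policy web-egress {
                match { source-address web-tier; destination-address any; application [ junos-http junos-https junos-dns-udp ]; }
                then { permit; log { session-close; } }
            }
        }
        default-policy { deny-all; }              /* anything not listed is dropped, in the cloud exactly as on premises */
    }
}
```

  The `policies` stanza is the portable part: it references zones and address-book names only, so moving Policy A from the on-premises SRX to VPC-Prod means carrying this block over and rewriting just the `interfaces` lines and the address-book values for the new subnets. The `idp` application service needs the IDP license and signature package installed on the vSRX before the permit rule does any inspection; without it the rule still permits, so check `show security idp status` after loading. Session-close logging on every permit and the screen counters are what feed the reporting and analytics layer listed on slide 19.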
  20. Expedient: cloud hosting provider use case. Providing protection and connectivity to customer-hosted VMs. (Diagram: in the cloud hosting environment, a vSRX dedicated to Customer 1 fronts that customer's web, app, DB and other VMs and terminates IPsec VPNs from Customer Premise 1; Customers 2, 3 and 4 each have their own premises and VMs; public cloud shown on either side.) Copyright © 2015 Juniper Networks, Inc.
  21. Call to action
     • vSRX: Juniper virtual firewall
     • vMX: Juniper virtual router
     • Download a 30-day free trial of vMX with complete routing stack: http://www.juniper.net/support/downloads/?p=vmx#sw
     • Download a 60-day vSRX trial including advanced security services: http://www.juniper.net/us/en/dm/free-vsrx-trial/
     • vSRX on AWS expected to ship in the next few months
     • vMX on AWS expected to ship in the next few months
     • Stop by Juniper booth #403 to see a demo of vSRX and vMX on AWS
  22. Demo
  23. Thank you!
  24. Remember to complete your evaluations!
