This document discusses how software-based networking and security solutions can help address the challenges of providing cloud services. It outlines how virtualizing networking functions within hypervisors can provide security between workloads while eliminating latency and scaling more easily than legacy virtual datacenter approaches. It also describes how virtual networking appliances in AWS VPCs allow secure connectivity between cloud and on-premises environments, or between different cloud regions.
2. WHY USE CLOUD SERVICES?
- No CAPEX, low operational cost
- Fast, flexible, elastic
- You can focus on business
3. WHY OFFER CLOUD SERVICES?
- Significant increase in demand
- Faster time-to-market for new services
- Higher value = greater revenue
4. CLOUD NETWORKING CHALLENGES
- Hardware limitations – cost, inflexibility
- Scale services
- Minimize latency
- Connect securely to DC
- Maintain security policy and compliance
- Decrease complexity
- Automate provisioning
5. STEP 1: VIRTUALIZE
[Diagram: enterprise datacenter. Edge: border router, firewall, VPN, intrusion prevention, switch. Segments: webservers 10.0.0.0/24, apps & storage 10.3.0.0/24, database 10.4.0.0/24.]
- UNDER-UTILIZED HARDWARE
- NO AUTOMATION IN NETWORK MAINTENANCE
- EXPENSIVE TO SCALE
- HARD LIMITATIONS FORCE OVERPROVISIONING
6. VIRTUALIZATION STALL
[Diagram: legacy virtual datacenter. Web server, application and database VMs are spread over hypervisors 1-3 on VLAN1/VLAN2 through a vSwitch; traffic leaves the hypervisor to the access switch, aggregation switch, hardware firewall, core and border router.]
- LATENCY
- NO PROTECTION BETWEEN VLANS
- NOT SCALABLE
- HARDWARE FIREWALL COSTS
- REQUIRES NETWORK ADMIN TO INSTALL / SCALE
7. IN-HYPERVISOR NETWORK SECURITY
[Diagram: virtual datacenter with virtual appliance. The same web server, application and database VMs sit on VLAN1/VLAN2 across hypervisors 1-3, each attached by a vNIC to the vSwitch; the firewall runs inside the hypervisor, with the access switch, aggregation switch and border router beyond it (network 10.0.0.0/12).]
ALL TRAFFIC IS INSPECTED WITHIN HYPERVISOR SWITCH
- FIREWALL PROTECTS ALL TRAFFIC DIRECTIONS
- ELIMINATES LATENCY
- INTER-VLAN TRAFFIC INSPECTION
- PER-TENANT DEDICATED NETWORK CONTROLS PROVISIONED ON DEMAND
8. APPLICATION ON-BOARDING
[Diagram: data center and cloud environment. Data center VMs (app servers, web servers, database servers, other tools, TestDev, management, VDI, Active Directory, DNS) run on a vSwitch over a hypervisor; the application workload is moved into the cloud environment. A Vyatta instance at each end is joined across the WAN by an L2 GRE tunnel + IPSec VPN or OpenVPN (SSL).]
9. APPLICATION ON-BOARDING
[Diagram: enterprise data center and cloud environment. The physical N-tier application (web services tier, application tier, database tier) is on-boarded into the cloud with its compliance / trust model preserved; the remaining data center VMs (other tools, TestDev, management, VDI, Active Directory, DNS) stay on the vSwitch/hypervisor. A Vyatta instance at each end is joined across the WAN by an L2 GRE tunnel + IPSec VPN or OpenVPN (SSL).]
10. LEVERAGING AMAZON
[Diagram: enterprise datacenter (web servers, database) and remote workers connect over the Internet through a VPN cloud bridge to an Amazon VPC. A Vyatta AMI inside the VPC provides NAT + firewall and VPN behind the Internet gateway, with public and private subnets holding web server and database VMs; the far end can be a private or public cloud.]
VYATTA AMI – COMPLETE NETWORKING IN AMAZON VPC
- NO LIMIT TO # OF VPN TUNNELS
- SECURELY CONNECT INTO MULTIPLE VPCs FROM A SINGLE
- CREATE FULL VPN MESH BETWEEN MULTIPLE VPCs
- SECURELY BRIDGE CLOUD TO CLOUD OR DATACENTER TO CLOUD
- SINGLE INTEGRATED PACKAGE OF FW, VPN, IPS, URL FILTERING, FULL LAYER 3
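Bridging a datacenter to one or more VPCs, or meshing VPCs, only works with an address plan in which no two sites overlap, plus a tunnel and matching routes for every site pair. The following Python is an added example written for this page, not code from the deck or from Vyatta; it uses the deck's datacenter prefixes together with two constructed VPC prefixes, and refuses to plan the mesh when prefixes overlap.

```python
import ipaddress
from itertools import combinations

# Constructed sample address plan: the three datacenter prefixes shown in the
# deck plus two hypothetical VPC prefixes chosen for this example.
SITES = {
    "datacenter": ["10.0.0.0/24", "10.3.0.0/24", "10.4.0.0/24"],
    "vpc-a": ["10.20.0.0/16"],
    "vpc-b": ["10.21.0.0/16"],
}


def find_overlaps(sites):
    """List every pair of prefixes (within or across sites) that overlap.

    Overlapping prefixes cannot be routed across a VPN bridge or mesh without
    NAT, so this is the first thing to check before building tunnels.
    """
    flat = [(name, ipaddress.ip_network(p)) for name, ps in sites.items() for p in ps]
    return [(a, str(x), b, str(y))
            for (a, x), (b, y) in combinations(flat, 2) if x.overlaps(y)]


def plan_full_mesh(sites):
    """Return one tunnel per site pair and the routes each end must install.

    For n sites this yields n*(n-1)/2 tunnels; each end points the peer's
    prefixes at the tunnel. Refuses to plan when the address plan overlaps.
    """
    overlaps = find_overlaps(sites)
    if overlaps:
        raise ValueError(f"overlapping prefixes, fix the address plan first: {overlaps}")
    tunnels = {}
    for a, b in combinations(sorted(sites), 2):
        tunnels[(a, b)] = {a: sorted(sites[b]), b: sorted(sites[a])}
    return tunnels


if __name__ == "__main__":
    for (a, b), routes in plan_full_mesh(SITES).items():
        print(f"{a} <-> {b}: {a} routes {routes[a]} via tunnel, {b} routes {routes[b]}")
```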
11. Enterprise With Vyatta
[Diagram: Vyatta enterprise datacenter. Edge: router, firewall, VPN, IPS, switch. Segments: webservers 10.0.0.0/24, apps & storage 10.3.0.0/24, database 10.4.0.0/24.]
NETWORK EDGE AND LAN COMPRISED OF STANDARD x86-BASED SYSTEMS and VYATTA SOFTWARE
- LEVERAGE STANDARD x86 SERVER HARDWARE
- MODERN QUAD CORE + SYSTEMS DELIVER 10Gbps PERFORMANCE
- SYSTEM SCALABILITY USING STANDARD COMPONENTS
- SOFTWARE-BASED UPGRADE PATH
- COST A FRACTION OF COMPARABLE CISCO / JNPR GEAR