"How overlay networks can make public clouds your global WAN" by Ryan Koop of CohesiveFT at LASCON
The presentation "How overlay networks can make public clouds your global WAN" was given by Ryan Koop on Oct 24, 2013 at LASCON in Austin, TX.
Enterprises, organizations and governments are realizing the benefits of cloud flexibility, cost savings, scalability and connectivity. Yet the traditional approach focuses too much on the underlying infrastructure, instead of the applications.
So who is making solutions for the people who work at the application layer? Are software-defined things secure?
With a focus on application-layer integration, governance and security, overlay networks let developers, and the enterprise apps they work with, use the public clouds as a global WAN, not just extra storage.
Developers can build on top of overlay networking to extend traditional networks to the cloud with added security such as encryption, IPsec connections, VLANs and VPNs into the public cloud networks.
Prime examples are previously cost-prohibitive projects that can now use public clouds as global points of presence to build a cloud WAN out to partners and customers.
"How overlay networks can make public clouds your global WAN" from LASCON 2013
1. How overlay networks can make public clouds your global WAN
Ryan Koop, CohesiveFT
copyright 2013
@cohesiveFT #LASCON
Thursday, October 24, 13
2. Oh, hello
During Business Hours++
Ryan Koop
@ryankoop
Director of Product & Marketing, Co-founder
Ryan is responsible for product development and manages teams for public relations, international events, and content marketing. His role spans the technical product development, customer support, business development and thought leadership needs of a growing company.
Before CohesiveFT, Ryan worked at a trading platform software company in the US Derivative Markets.
After Hours
Figure: Ryan Koop's Chicago District Golf Association handicap card (www.cdga.org), 2013 Gold Member
3. Agenda
• Background - Cloud and networking experience
• Cloud Market and Players
• Moore’s Law and Cloud WAN Costs
• Traditional WAN vs Cloud WAN
• Case Studies - Customers Building Cloud WANs
• My CloudWAN
5. Where we fit
Who We Are
• Cohesive Flexible Technologies Corp. (CohesiveFT)
• Founded in 2006 by IT and capital markets professionals
• First product launched in 2007 with multiple product revisions each year
• Customers have secured 80M virtual device hours in public, private, & hybrid clouds
• Offices in Chicago, London, Belo Horizonte and Palo Alto
What We Do
• Connect apps to cloud IaaS and provide network interoperability and virtual image interoperability
• Software defined network (SDN) enables applications to be deployed to or across any public or private cloud
• Enterprise image management allows customers to import, transform and deliver their server images to the cloud
• Enable enterprises to run business operations in the cloud helping migrate and extend both customer facing systems and internal operational platforms
6. Even your mom knows about cloud
Figure: the cloud stack, labelled Network, Storage, Compute and IaaS, PaaS, SaaS (Google)
7. Buzz word Bingo!
• Overlay Networking - CohesiveFT term for NFV, 5+ years old
• Network Function Virtualization (NFV) - new hotness
- Network independent from hardware runs in virtual layer
- Isolation between the virtual network, physical network and control plane
- Programmatic networking provisioning and control
• Software Defined Networking (SDN) - Capital B Billion
- Networks that can be configured through an API
- OpenFlow (Nicira) pure view is separation of a control plane from forwarding plane
- What is managing the network vs what moves the packets around the network
Figure: Venn diagram of SDN, OpenFlow and NFV
8. (Network) Control is King
Application-Centric SDN
• Help me run my business in the cloud NOW.
• Extends control of application owner from data center to cloud
Infrastructure SDN
• Optimizes service provider data center operations
Diagram: the stack from Layer 7 down to Layer 0, split into an Application Layer and Virtual Layer under the Application Owner (labelled VNS3) and a Hardware Layer under the Cloud Owner (labelled Alcatel); the boundary between them is the limit of user access, control and visibility.
9. No security without NFV
Overlay Network Appliances
• Allow control, mobility & agility by separating network location and network identity
• Control over end to end encryption, IP addressing and network topology
Diagram: the overlay network appliance as a hybrid virtual device able to extend to multiple sites, combining a firewall, router, switch, protocol redistributor, IPsec/SSL VPN concentrator and dynamic & scriptable SDN (NFV).
10. Defense in Depth
Cloud networks combine with user & provider firewalls and isolation features to create a “security lattice” with layers of security.
Some key security elements must be controlled by the user but separate from the provider.
Diagram: the layers of the lattice, from the provider's up to the user's:
- Provider Owned/Provider Controlled
- Provider Owned/User Controlled
- VNS3 - User Owned/User Controlled
- User Owned/User Controlled
11. Overlay Networks allow federated and hybrid clouds
Diagram: a VNS3 overlay network (subnet 172.31.0.0/22) spanning two cloud regions, US East 1 and US West, run by three peered VNS3 managers (VNS3 1, VNS3 2, VNS3 3) with public IPs 184.73.174.250, 54.246.224.156 and 192.158.29.143 and overlay IPs 172.31.1.250, 172.31.1.246 and 172.31.1.242. Six cloud servers (Cloud Server A through F) sit on the overlay at 172.31.1.1, 172.31.1.5, 172.31.1.9, 172.31.1.13, 172.31.1.17 and 172.31.1.21. A customer remote office in London, UK (remote subnet 192.168.4.0/24; a user workstation and a data center server at 192.168.4.50 and 192.168.4.100) and a customer data center in Chicago, IL USA (remote subnet 192.168.3.0/24; a user workstation and a data center server at 192.168.3.50 and 192.168.3.100) connect through Cisco 5505 and Cisco 5585 firewall / IPsec devices, each site with an active IPsec tunnel and a failover IPsec tunnel into the overlay; the tunnel traffic selectors are 192.168.4.0/24 - 172.31.1.0/24 and 192.168.3.0/24 - 172.31.1.0/24.
13. Colo & Managed Hosting Locations
Map: locations as reported by providers
14. Public Cloud Locations
Map: locations as reported by providers
15. Economics of Distributed Computing Today
16. Compute locally or reach across the network to the public cloud?
Jim Gray’s "Distributed Computing Economics" Updated for 2013

                                      | WAN Bandwidth/mo.  | CPU Hours (All Cores)                      | Disk
Items in 2003 [1]                     | 1 Mbps WAN link    | 2 GHz CPU, 2 GB DRAM                       | 200 GB (50 MB/s)
Cost 2003 [1]                         | $100/mo.           | $2,000                                     | $200
$1 buys in 2003 [1]                   | 1 GB               | 8 CPU hours                                | 1 GB
Item in 2008 [2]                      | 100 Mbps WAN link  | 2 GHz, 2 socket, 4 cores/socket, 4 GB DRAM | 1 TB disk, 115 MB/s sustained transfer
Cost in 2008 [2]                      | $3,600/mo.         | $1,000                                     | $100
$1 buys in 2008 [2]                   | 2.7 GB             | 128 CPU hours                              | 10 GB
Cost/Performance Improvement          | 2.7x               | 16x                                        | 10x
Cost to Rent $1 worth on AWS 2008 [2] | $0.27-$0.40        | $2.56                                      | $1.20-$1.50
Cost to Rent $1 worth on AWS 2013     | $0.15-$0.36        | $0.832 (m1.xlarge spot price x 16 hours)   | $1 for EBS, $0.95 for S3
2008 to 2013 savings                  | 10%-44%            | 67%                                        | 21%-33%

[1] Jim Gray, Distributed Computing Economics (Redmond: Microsoft Research), 63-68. Available from: http://goo.gl/NvQ7OX.
[2] Michael Armbrust, Armando Fox, Rean Griffith, Anthony D. Joseph, Randy H. Katz, Andrew Konwinski, Gunho Lee, David A. Patterson, Ariel Rabkin, Ion Stoica, and Matei Zaharia, Above the Clouds: A Berkeley View of Cloud Computing (University of California, Berkeley: EECS Department), 12-14. Available from: http://goo.gl/veBurD.
17. Traditional vs Cloud WAN
There is plenty of cloud fluff, but the decision usually comes down to the following:
1. hardware refresh cycle
2. project budget
3. organizational expertise
4. MBOs
5. revenue targets
6. job function/role
18. Traditional vs. Cloud WAN
19. Traditional WAN: Points of Presence
Step 1: Shop for real estate
Step 2: Become an expert in facilities management, A/C, construction, door locks, etc
Step 3: Hire a team of 24x7x365 security guards
-OR- Sign deals with Telco carriers
• Want more POPs?
- Start again at step 1
source: DatacenterKnowledge.com
source: Google.com
20. Cloud WAN: Points of Presence
Step 1: Sign up for a cloud account
Step 2: Enter credit card info
Step 3: Configure & launch in the region of your choice
• Want more POPs?
- Change your settings
21. Traditional WAN: Network Kit
Step 1: Call your hardware vendor
Step 2: Sign another contract
Step 3: Hire staff to install, test and connect new hardware in your data centers
-OR- Sign deals with Telco carriers
• Want more compute?
- Prepare for budget shock, then start at 1
source: Colourbox.com
source: Cisco.com
22. Cloud WAN: Network Capacity
Step 1: Sign up for a cloud account
Step 2: Enter credit card info
Step 3: Configure & launch instances of your choice
• Want more compute capacity?
- Add more VMs
23. Traditional WAN: Leased Lines
Step 1: Shop for Telco carrier/vendors
Step 2: Sales Cycle
Step 3: Sign long-term, lock-in agreements with vendors
• Want more network capacity?
- Call up your vendor’s sales team
Diagram: a head office (USA, LAN), a regional office (UK, LAN) and a data center (USA, LAN with data center servers), each behind a firewall / IPsec device, joined by leased lines across the Telco network.
24. Cloud WAN: Network
Step 1: Sign up for a cloud account
Step 2: Enter credit card info
Step 3: Configure & launch in the network of your choice
• Want more network capacity?
- Change your settings
25. Customer Use Cases
26. Multi-tenant cloud-based partner network
Connecting mobile banking customers to a common cloud-based infrastructure.
Highlights:
Online & mobile banking company needed connectivity solution to meet regulatory requirements.
Financial customers could use a "security lattice" approach, encrypting their critical data in motion.
Enabled customer to serve end customers from a common platform.
Multitenancy model allowed customer to pass along cloud economies of scale.
Diagram: a mobile banking platform of VNS3-connected virtual machines across Cloud Regions A, B, C and D, reached over encrypted IPsec tunnels from the company's home network (USA) and from Customer Data Centers 1 (UK), 2 (USA), 3 (UK) through N (USA), each behind a firewall / IPsec device in front of its data center servers.
27. Cloud WAN for global reach and redundancy
Security Firm extended offerings with global cloud points of presence.
Highlights:
Global reach for products and global redundancy for security.
Needed secure connections to existing data centers and networks.
Access critical infrastructure “in region” without delays or capital of physical resources.
Offered global redundancy at dramatically lower cost than traditional infrastructure.
Diagram: a Cloud WAN of three peered VNS3 Managers in cloud regions including US East Coast, Frankfurt, Germany and APAC-1, with active IPsec tunnels to the firm's data center in the Netherlands (firewall / IPsec device, data center servers), Customer 1 (New York, USA), Customer 2 (Tokyo, Japan), an office in London, UK and workstations.
28. Pharmaceutical system federates infrastructure
Cloud WAN connectivity without the expensive assets or contracts.
Highlights:
Global reach for products and global redundancy for security.
Needed secure connections to existing data centers and networks.
Access critical infrastructure “in region” without physical resources.
Offered global redundancy at dramatically lower cost.
Diagram: a Cloud WAN of peered VNS3 Managers in US-east-1, US-west-1 and a private cloud serving two SaaS portals, with active IPsec tunnels to the customer's data center (firewall / IPsec device, data center servers), Medical Office 1, Medical Office 2 and a customer hospital, across New York, San Francisco, Boston and Salt Lake City, USA.
29. Federated SMS Network Patchworks in Africa
Cloud WAN connectivity without the expensive assets or contracts.
Highlights:
Africa has over 700 million mobile phone users, but SMS is separated by provider.
Customer needed to integrate multiple national carriers’ infrastructure on a “virtual” LAN.
Build new virtual infrastructure without the capital outlay and physical constraints.
Overlay network and public cloud let them compete like a global, connected telco giant.
Diagram: a Cloud WAN spanning two public clouds, with a VNS3 Manager linking the SMS advertiser's platform and data center (Lagos, Nigeria and Johannesburg, South Africa; firewall / IPsec device, data center servers) to carrier customers in Nigeria, Ghana (Vodafone and MTM, Accra) and Uganda.
31. I am a CloudTelco
32. Coming Soon
Tin Can Telco
Big Brother and Telemarketers are not invited
source: charlespaolino.wordpress.com
33. Questions?
CohesiveFT Americas
Chicago, IL USA
ContactMe@cohesiveft.com
888.444.3962
CohesiveFT Europe
London, UK
ContactMe@cohesiveft.com
+44 208 144 0156
cohesiveft.com/blog
cloudcamp.org
35. Cloud Address Control
Problem:
• Enterprise software uses multicast protocols for service election and service discovery.
• Many public cloud providers block multicast protocols at the user layer.
VNS3 Solution:
• Control static addressing of your cloud servers
• Local Area Network (LAN) address extension to the cloud
• Servers and Topologies behave as though they are running locally
• Application centric network is portable
Diagram: cloud servers on an overlay network (Overlay IP: 172.31.11.xx) behind a VNS3 Manager in Public Cloud Region 1, joined by a standard IPsec tunnel to the firewall / IPsec device of a customer data center whose LAN servers use IP: 192.168.1.xx.
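The static-addressing and LAN-extension controls on this slide, and the numbers in the slide 11 diagram (overlay 172.31.0.0/22, remote LANs 192.168.3.0/24 and 192.168.4.0/24, tunnel selectors 172.31.1.0/24), come down to an address plan that has to be checked before any tunnel comes up. The following is an added example written for this page, not CohesiveFT or VNS3 code: it validates such a plan with Python's standard ipaddress module. Site, check_plan and gateway_selectors are this example's own names, the provider range 172.31.0.0/16 is an assumption used only for illustration, and the hosts and selectors are taken from the slide 11 diagram as constructed input.

```python
"""Address-plan checks for extending a LAN into a cloud overlay.

Added example, not CohesiveFT/VNS3 code. Uses the slide 11 numbers
(overlay 172.31.0.0/22, remote LANs 192.168.3.0/24 and 192.168.4.0/24,
cloud-side tunnel selectors 172.31.1.0/24) as constructed input.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    """A remote site attached to the overlay by an IPsec tunnel."""
    name: str
    lan: str             # subnet behind the site's IPsec gateway
    cloud_selector: str  # cloud-side traffic selector configured on that tunnel


def check_plan(overlay_cidr, overlay_ips, sites, provider_cidrs=()):
    """Return a list of problems with the plan; an empty list means it is clean.

    1. the overlay subnet must not overlap any remote LAN or any range the
       cloud provider already uses (an overlap sends traffic for one side
       to the other, or black-holes it);
    2. remote LANs must not overlap each other;
    3. every overlay address must lie inside the overlay subnet;
    4. each tunnel's cloud-side selector must cover the whole overlay
       subnet, or hosts outside the selector are silently unreachable
       from that site.
    """
    overlay = ipaddress.ip_network(overlay_cidr)
    problems = []

    lans = [(s.name, ipaddress.ip_network(s.lan)) for s in sites]
    for name, lan in lans:
        if overlay.overlaps(lan):
            problems.append(f"overlay {overlay} overlaps {name} LAN {lan}")
    for cidr in provider_cidrs:
        prov = ipaddress.ip_network(cidr)
        if overlay.overlaps(prov):
            problems.append(f"overlay {overlay} overlaps provider range {prov}")

    for i, (name_a, lan_a) in enumerate(lans):
        for name_b, lan_b in lans[i + 1:]:
            if lan_a.overlaps(lan_b):
                problems.append(f"{name_a} LAN {lan_a} overlaps {name_b} LAN {lan_b}")

    for ip in overlay_ips:
        if ipaddress.ip_address(ip) not in overlay:
            problems.append(f"overlay address {ip} is outside {overlay}")

    for site in sites:
        sel = ipaddress.ip_network(site.cloud_selector)
        if overlay.subnet_of(sel):
            continue  # selector covers the whole overlay
        if sel.subnet_of(overlay):
            missing = sorted(overlay.address_exclude(sel))  # parts of the overlay left out
        else:
            missing = [overlay]
        problems.append(
            f"{site.name} selector {sel} leaves "
            f"{', '.join(str(n) for n in missing)} of overlay {overlay} unreachable")
    return problems


def gateway_selectors(overlay_cidr, sites):
    """Per-site (local, remote) traffic selectors that reach the whole overlay."""
    return {s.name: (s.lan, overlay_cidr) for s in sites}


if __name__ == "__main__":
    sites = [Site("Chicago", "192.168.3.0/24", "172.31.1.0/24"),
             Site("London", "192.168.4.0/24", "172.31.1.0/24")]
    servers = ["172.31.1.1", "172.31.1.5", "172.31.1.9",
               "172.31.1.13", "172.31.1.17", "172.31.1.21"]
    managers = ["172.31.1.250", "172.31.1.246", "172.31.1.242"]
    # Provider range is an assumption for illustration: 172.31.0.0/16 is the
    # CIDR AWS assigns to a default VPC, and the slide's overlay sits inside it.
    for p in check_plan("172.31.0.0/22", servers + managers, sites,
                        provider_cidrs=["172.31.0.0/16"]):
        print("PROBLEM:", p)
    print(gateway_selectors("172.31.0.0/22", sites))
```

Run against the slide 11 numbers it reports the two things a practitioner would want to know before cutting over: the 172.31.1.0/24 selectors leave 172.31.0.0/24 and 172.31.2.0/23 of the overlay unreachable from each site (fine if every overlay host stays in 172.31.1.0/24, a silent outage the day one does not), and under the assumed provider range the overlay overlaps the account's own VPC. gateway_selectors gives the selector pair to configure on each site's firewall / IPsec device so the whole overlay is covered.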
36. Cloud Protocol Control: Multicast
Problem:
• Enterprise software uses multicast protocols for service election and service discovery.
• Many public cloud providers block multicast protocols at the user layer.
VNS3 Solution:
• Send multicast traffic over the VNS3 overlay network, where it travels inside the overlay's own tunnels, so the underlying network infrastructure never sees it and cannot reject it.
• Control all your protocols with VNS3.
Diagram: cloud servers on an overlay network behind a VNS3 Manager in Public Cloud Region 1, joined by a standard IPsec tunnel to the firewall / IPsec device of a customer data center LAN.
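As an added example of the protocol-redistribution idea on this slide (the "protocol redistributor" device type of slides 9 and 41), not CohesiveFT or VNS3 code: a minimal relay that carries multicast service-discovery datagrams between overlay nodes as unicast UDP, so the provider fabric never sees a multicast packet. The envelope format, the MAGIC marker, RELAY_PORT and EMIT_PORT, the group 239.1.1.1:6000 and the node addresses are all invented for the example; the node addresses reuse the overlay IPs from the slide 11 diagram.

```python
"""Relay multicast service-discovery traffic across an overlay as unicast.

Added example, not CohesiveFT/VNS3 code; envelope format, ports, group and
addresses are invented for illustration. Each overlay node picks up
multicast datagrams on its own segment, wraps them in a unicast UDP
envelope and sends a copy to every peer; the peer unwraps the envelope and
re-emits the original datagram to the same group locally. The origin field
and a fixed re-emit source port keep a node from echoing back copies it
received; receivers never forward an envelope onward.
"""
import select
import socket
import struct

MAGIC = b"MCOV"                        # envelope marker (example only)
ENVELOPE = struct.Struct("!4s4sH4sB")  # magic, group, port, origin IP, hops left
RELAY_PORT = 5000                      # unicast port the relays listen on (assumed)
EMIT_PORT = 5001                       # fixed source port for locally re-emitted copies


def encapsulate(group, port, payload, origin, hops=1):
    """Wrap a multicast datagram for unicast delivery to an overlay peer."""
    return ENVELOPE.pack(MAGIC, socket.inet_aton(group), port,
                         socket.inet_aton(origin), hops) + payload


def decapsulate(packet):
    """Unwrap an envelope; raise ValueError if it is not one of ours."""
    if len(packet) < ENVELOPE.size:
        raise ValueError("short packet")
    magic, group, port, origin, hops = ENVELOPE.unpack_from(packet)
    if magic != MAGIC:
        raise ValueError("bad magic")
    return (socket.inet_ntoa(group), port, packet[ENVELOPE.size:],
            socket.inet_ntoa(origin), hops)


def should_relay(src_ip, src_port, self_ip):
    """False for datagrams this node re-emitted itself (they carry EMIT_PORT),
    so a copy received from a peer is not bounced back out to the overlay."""
    return not (src_ip == self_ip and src_port == EMIT_PORT)


def fan_out(group, port, payload, self_ip, peers):
    """Unicast copies of a locally seen multicast datagram, one per peer.

    Returns [(peer_ip, envelope), ...]; the local node is never a target.
    """
    env = encapsulate(group, port, payload, self_ip, hops=1)
    return [(peer, env) for peer in peers if peer != self_ip]


def on_relay_packet(packet, self_ip, allowed_groups):
    """Return (group, port, payload) to re-emit locally, or None to drop.

    Drops malformed envelopes, loops (origin is this node), exhausted hop
    counts and groups that are not on the allow-list.
    """
    try:
        group, port, payload, origin, hops = decapsulate(packet)
    except ValueError:
        return None
    if origin == self_ip or hops == 0 or group not in allowed_groups:
        return None
    return group, port, payload


def run_node(self_ip, peers, group, port):
    """Blocking relay loop for one overlay node; needs real interfaces."""
    mc = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)   # local multicast capture
    mc.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    mc.bind(("", port))
    mc.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP,
                  socket.inet_aton(group) + socket.inet_aton(self_ip))
    uc = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)   # envelopes from peers
    uc.bind((self_ip, RELAY_PORT))
    em = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)   # local re-emission
    em.bind((self_ip, EMIT_PORT))
    em.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    while True:
        for s in select.select([mc, uc], [], [])[0]:
            data, (src_ip, src_port) = s.recvfrom(65535)
            if s is mc and should_relay(src_ip, src_port, self_ip):
                for peer, env in fan_out(group, port, data, self_ip, peers):
                    uc.sendto(env, (peer, RELAY_PORT))
            elif s is uc:
                out = on_relay_packet(data, self_ip, {group})
                if out:
                    em.sendto(out[2], (out[0], out[1]))


if __name__ == "__main__":
    # Constructed topology: three overlay nodes using the slide 11 overlay IPs,
    # relaying a made-up service-election group 239.1.1.1:6000.
    run_node("172.31.1.1", ["172.31.1.1", "172.31.1.5", "172.31.1.9"], "239.1.1.1", 6000)
```

The pure functions (encapsulate, decapsulate, fan_out, should_relay, on_relay_packet) hold the logic and can be exercised without a network; run_node wires them to real sockets on one node. Two points matter for a relay of this kind: without the origin check and the fixed re-emit source port, a node re-relays the copies it receives and the overlay becomes a multicast storm; and the allow-list keeps the relay from turning into a path for any multicast a host on one segment chooses to inject into all the others.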
37. Cloud Security Control: IPsec Tunneling
Problem: Public Cloud is accessed via public internet.
VNS3 Solution:
• Extend your network with industry standard IPsec.
• Use your existing network security appliances (Cisco, Juniper, Netscreen, SonicWall).
• Use your existing secure communication methods/practices the same as you currently connect offices, data centers or partners/customers.
Diagram: cloud servers on an overlay network behind a VNS3 Manager in Public Cloud Region 1, joined by a standard IPsec tunnel to the firewall / IPsec device of the data center LAN.
38. Cloud Security Control: Multiple IPsec
Problem: Cloud providers limit the number of IPsec connections.
VNS3 Solution:
• VNS3 Manager enables multiple IPsec connections to a cloud-based overlay network segment.
• Serves as user-controlled, virtualized switch/router (uSwitch) inside the provider cloud.
• Cloud deployed servers can communicate with multiple IPsec gateways via endpoint-to-endpoint encrypted connections.
Diagram: cloud servers on an overlay network behind a VNS3 Manager in Public Cloud Region 1, with standard IPsec tunnels to multiple IPsec devices at Customer Site 1, Customer Site 2 through Customer Site N.
39. Use Existing Monitoring Tools
Problem: Cloud deployments cannot be connected to existing network operations center.
VNS3 Solution:
• Use your existing monitoring tools for cloud deployments.
• VNS3 allows you to use your existing NOC to monitor and manage devices in the data center and the cloud.
Diagram: cloud servers on an overlay network behind a VNS3 Manager in Public Cloud Region 1, joined by a standard IPsec tunnel to the customer data center's firewall / IPsec device, virtual network and data center servers.
40. Customer-Partner Networks in Public Cloud
Problem: Securely connect customers, partners or branches to specific servers in shared infrastructure.
VNS3 Solution:
• Industry standard secure connectivity to isolated servers in public cloud.
• Data in motion in the public cloud is encrypted.
Diagram: a customer-partner network in Public Cloud Region 1, where a VNS3 Manager fronts a cloud deployment and a private cloud server / physical data center node, with active IPsec tunnels from the partner data center (EMEA), Customer 1 (APAC) and Customer 2 (USA), each behind a firewall / IPsec device.
41. VNS3 is a combination of 6 device types
Leading Application SDN (Software Defined Network) Appliance
• Allows control, mobility & agility by separating network location and network identity
• Control over end to end encryption, IP addressing and network topology
Diagram: VNS3 as a hybrid virtual device able to extend to multiple sites, combining six device types: firewall, router, switch, protocol redistributor, IPsec/SSL VPN concentrator, and dynamic & scriptable SDN.