Copyright © 2014-2015 Zentera Systems, Inc. 1
The Cloud is Now a Critical Part of Enterprise Computing
How the Cloud is Being Used Today
The cloud is seemingly everywhere these days. For enterprises, the cloud offers advantages in DevOps (i.e.,
development and operations of applications) as well as meeting the demand for elastic computing. Additional
drivers of cloud adoption are the need for high-performance computing, datacenter wholesale or partial
migration, i.e., “lift & shift”, and secure hybrid applications that combine enterprise and cloud computing.
The Public Cloud Lowers Infrastructure and Operations (I&O) Costs Dramatically
One approach to leveraging the cloud is to create a private, enterprise-only implementation. However, private
cloud implementations have been constrained by their need for deep expertise, IT resources and capital
investment. Consequently, enterprises are leveraging public cloud datacenter offerings to avoid expensive capital
investments (CapEx) as well as to accelerate the time-to-production of applications. Widely-used IaaS cloud
vendors such as AWS and Microsoft Azure can offer low-cost cloud resources due to their large aggregated
datacenter volumes and aggressive pricing, allowing enterprises to treat the cloud as an operating expense
(OpEx).
The Cloud Ecosystem is Rich and Growing
The overwhelming business benefits of cloud adoption are driving the emerging cloud ecosystem, which is
helping enterprises migrate their applications and datacenters to public or outsourced facilities. For instance,
MSPs (Managed Service Providers), VARs (Value Added Resellers), SIs (System Integrators), and cloud market
place and brokerage vendors are supporting enterprises in moving their on-premise applications to managed
hosted datacenters, multi-tenancy cloud datacenters, or hybrid implementations. The cloud industry is becoming
a sophisticated ecosystem, and it calls for new technologies.
CoIP (Cloud over IP): The Future of Hybrid Networking
An overlay virtual network that connects, protects and shields enterprise applications deployed across cloud ecosystems
The Cloud Ecosystem Faces Technology Challenges
As companies start to leverage this emerging cloud ecosystem, they are encountering a number of challenges.
Hybrid cloud infrastructure (IaaS) deployments require significant re-engineering and customization of corporate
network, compliance and security infrastructure. Today, enterprises may spend many months, depending on
their existing network and information security (InfoSec) infrastructure complexity, to complete a single hybrid
deployment for one or a few applications, much less multiple deployments.
This section describes the network and InfoSec challenges that the cloud ecosystem must address to make
hybrid cloud adoption less complex and time-consuming as well as more reliable and secure.
Enterprises Do Not Control Infrastructure Within Cloud Islands
The public cloud vendors have evolved disparate and unstandardized infrastructures, which operate as
segregated Cloud Islands. Furthermore, these cloud islands are controlled by different service provider
administrations, which do not make their proprietary infrastructures directly accessible to enterprises.
Within these cloud islands, enterprises have limited control over the lower-level physical or virtual cloud
infrastructure, due to service providers’ security and SLA constraints. The enterprise controls are at the
virtual machine (VM) level and above, as shown in Fig. 1, below. The lower-level infrastructure – the
physical IP network, the cloud orchestration layer, and the virtualization hypervisor controller – is accessible
only via cloud service provider-specific APIs.
Figure 1. Cloud Infrastructure Currently Operates as Disparate “Islands”
Rather than having to manage cloud islands with limited and differing access controls, enterprises want a
virtual single-tenancy solution, under enterprise control, that operates consistently on any public cloud.
This would allow companies to apply their best network, compliance and InfoSec practices while simplifying
cloud adoption.
Enterprises Want a Unified Network Fabric to Support Application Portability
As part of corporate best practices, most enterprises have customized their internal L2/L3 IP networks as a
unified fabric to support applications with network transparency. When enterprises extend their network
and computing infrastructure to the public cloud, establishing network transparency is difficult; most cloud
vendors provide their own, non-standard methods and controls for setting up L2/L3 networks. Therefore,
moving applications to the cloud requires additional customization efforts.
These efforts are required to maintain perimeter-based security, sometimes referred to as “hard shell, soft
core”: protecting the enterprise with a strong (“hard”) network boundary and a flat (“soft”) internal
network fabric. These perimeters can surround hundreds or thousands of applications, supported by
networks that were not designed to allow cloud-based access. Therefore, it is difficult to allow one hybrid
application to access the cloud without compromising the security of the rest of the applications—the
“breaking hundreds while moving one” problem. The customization efforts needed to avoid this problem
can be substantial enough to prohibit widespread cloud adoption.
How can these challenges be addressed elegantly and cleanly? The next section presents virtualization as
the way to control the hybrid network infrastructure and to provide a single unified network fabric in hybrid
cloud environments.
Cloud over IP – The New Network Virtualization
In the computing industry, abstraction and virtualization have played an important role in the commercial
adoption of new, more efficient and straightforward uses of computing resources. Virtualization technology has
made great advancements in the past decade, from server virtualization, to IO virtualization, and then to
network virtualization, as shown in Fig. 2.
Figure 2. Virtualization Enables New IT Functionality
These virtualization technologies have significantly improved efficiency within a datacenter by virtualizing the
lower level stacks. When enterprises migrate applications to the cloud, there is a need for cross-domain
virtualization technology that abstracts the enterprise and cloud network infrastructure into a unified network
plane and is agnostic to the underlying infrastructures. Cross-domain virtualization is starting to appear; for
example, container technology is a recent virtualization solution that allows applications deployed inside a
container to run on top of any hypervisor in any cloud.
The next piece of the puzzle is the virtual network that extends across cloud ecosystems. The solution for cloud
ecosystems is the next generation virtual network, Cloud over IP (CoIP), which spans across the boundaries of
cloud datacenter administrations, using but not changing the underlying IP networks as the forwarding fabric.
CoIP presents one unified network fabric to applications, as if all resources were deployed in one enterprise
network. CoIP is controlled and managed by the enterprise. It applies to cloud datacenters and enterprise on-premise
environments across hybrid cloud ecosystems.
CoIP is Like VoIP for the Cloud
VoIP (Voice over IP) technology revolutionized phone technology starting in the early 2000s. VoIP is an L4/L5
session and transport layer network that overlays on top of IP networks for phone connection and voice
transport. Its ease of deployment and range of functionality significantly improves enterprise productivity while
simplifying deployment and lowering costs.
Similarly, CoIP is an L4/L5 session and transport layer network that overlays on top of segregated IP networks
(i.e., cloud islands), connecting endpoint servers, VMs and containers while using IP networks to transport client-server
packets across cloud ecosystems. CoIP does not require any southbound protocol integration or IP
network reconfiguration. Table 1 compares VoIP and CoIP.
                    VoIP                          CoIP
Network Technology  L4/L5 Session and Transport   L4/L5 Session and Transport
                    Network                       Network
Network Port        5060, 5061 for SIP            443 for CoIP WAN, 9797 for CoIP LAN
System              IP PBX                        CoIP Controller
  Boundary Network  Border Session Controller     Virtual Transport Switch
  Endpoint          IP Phone                      Server, VM, container, edge gateway
Addressing          Portable IP phone number      Overlay IP address & private routing
Content             Voice                         Any L4-L7 application packets
Security            Call control                  Policy control, private routing &
                                                  transport encryption, chamber firewall
Deployment          Extremely fast                Extremely fast
Table 1. VoIP and CoIP Comparison
CoIP Provides Hybrid Network Benefits
CoIP enables several critical benefits as described below.
Enterprises Can Control CoIP Virtual Networks Across Cloud Ecosystems
CoIP operates in the OS (operating system), one layer above the virtualization hypervisor, and as a result it is
similar to container technology: it is agnostic to the cloud datacenter and operates within the enterprise-controlled
layers. Figure 3 illustrates the cloud stack with the CoIP layer.
Figure 3. Cloud over IP is the Next Level of Cross-Domain Virtualization
CoIP is a High-Performance Overlay Virtual Network
CoIP is an overlay network that is completely decoupled from the underlying L2/L3 IP network fabric. It
performs high-speed transport forwarding and does not replace or disrupt the underlying IP switch network.
The datacenter physical network fabric has its own critical scalability requirements for high performance
switching; CoIP is architected to align with those present or future high performance requirements without
replacing L2/L3 switching and routing. Note that this architecture is fundamentally different from hypervisor
networks such as Open vSwitch. Figure 4 presents the CoIP network stack and where it applies to
northbound applications and southbound L2/L3 networks.
Applications are Portable Using CoIP
Many enterprise legacy applications are coupled with physical network and security settings. As a result, the
physical network implementation can limit the portability of applications to the cloud. CoIP has a unique
capability for private network routing with its own IP addresses above the cloud; therefore, it can easily
support application portability. This is similar to VoIP, which enables any IP phone number to operate
anywhere in the world, decoupled from the location constraints of phone numbers tied to physical telecom
equipment. As a result, CoIP allows straightforward assignment and routing for any public or private IP
address – anywhere in the world – without constraints due to IP collisions or routing table configurations.
CoIP’s overlay virtual network model enables applications to be ported, or migrated, to any cloud.
Figure 4. CoIP Overlay Network Architecture
CoIP Allows Extremely Fast Hybrid Network Deployment
CoIP is decoupled from the underlying IP networks and it involves no hardware. CoIP does not require
enterprises to open firewall ports or use VPNs. It is an add-on software network and therefore can be
deployed extremely quickly. Enterprises can deploy a CoIP network in days, rather than months or years, to
connect applications across a cloud ecosystem.
In addition to the benefits described above, CoIP also supports enterprise-grade security for hybrid networks, as
addressed in the following section.
Using CoIP Securely Shields Cloud Deployments
Security is a critical consideration when enterprises are deploying IT infrastructure to the cloud. As described
above, maintaining perimeter security when setting up a hybrid network using conventional methodologies is a
significant and costly challenge. Furthermore, security can be compromised in this process in subtle and
damaging ways without being detected. CoIP as the new virtual network paradigm offers an additional layer of
security on top of its fundamental capability of maintaining existing security for both the enterprise network and
its applications while migrating to the cloud.
CoIP Features Support the Application Shield in the Cloud
CoIP allows an enterprise to easily shield an application by allowing only specified IP addresses to connect with
the overlay network. These IP addresses include the endpoints implementing this application and the IP
addresses that the application connects to within the physical network. Other applications in the same
enterprise network cannot get into, or hack through, the CoIP implementation; as well, the application running
inside the CoIP implementation cannot connect to endpoints on the enterprise network unless specifically
permitted by the CoIP network.
The key CoIP features that support the application shield are as follows:
Private routing on the CoIP network plane
Specified physical IP addresses allowed to bridge to CoIP routing via CoIP Edge Gateway
CoIP transport encryption for LAN and WAN traffic
Firewalls automatically enforced on all CoIP endpoints
CoIP is fundamentally a virtualization technology that is scalable. The CoIP application shield is decoupled
vertically from the underlying network infrastructure. It is also decoupled horizontally from other CoIP
implementations. Since each CoIP implementation is closed and private, enterprises can build multiple CoIP
implementations on the same physical network environment without worrying about CoIP address conflicts
among them.
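As an added illustration (not Zentera's code, and not a description of how CoIP is implemented), the Python below models the shield rules just listed as a per-chamber, default-deny policy: only listed overlay endpoints, edge-gateway-bridged physical addresses and explicitly permitted egress targets may exchange traffic, and two chambers can reuse the same overlay range without conflict. The chamber names, addresses and the "bridged"/"egress" split are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass
class Chamber:
    """One closed CoIP implementation (the paper's application shield).
    Only the overlay endpoints that implement the application, the physical
    addresses bridged in through the edge gateway, and explicitly permitted
    egress targets take part; every other flow is denied by default."""
    name: str
    overlay: IPv4Network                                     # private routing plane
    members: set[IPv4Address] = field(default_factory=set)   # application endpoints
    bridged: set[IPv4Address] = field(default_factory=set)   # physical IPs via edge gateway
    egress: set[IPv4Address] = field(default_factory=set)    # enterprise hosts members may reach

    def add_member(self, addr: str) -> None:
        a = ip_address(addr)
        if a not in self.overlay:           # an endpoint must live in this chamber's plane
            raise ValueError(f"{a} is outside {self.name}'s overlay {self.overlay}")
        self.members.add(a)

    def decide(self, src: str, dst: str) -> tuple[bool, str]:
        """Return (allowed, reason) for one flow; deny in both directions unless listed."""
        s, d = ip_address(src), ip_address(dst)
        inside = lambda a: a in self.members or a in self.bridged
        if inside(s) and inside(d):
            return True, "intra-chamber"
        if inside(s) and d in self.egress:
            return True, "explicitly permitted egress"
        if inside(d):
            return False, "source is not a chamber endpoint"
        return False, "destination not permitted"


def build_demo() -> dict[str, Chamber]:
    """Constructed sample: two chambers share the same overlay range. Because
    each chamber is closed and private, the overlap is not an address conflict."""
    hr = Chamber("hr-app", ip_network("10.42.0.0/24"))
    erp = Chamber("erp", ip_network("10.42.0.0/24"))
    for c in (hr, erp):
        c.add_member("10.42.0.10")                 # same overlay address in both chambers
        c.add_member("10.42.0.20")
    hr.bridged.add(ip_address("192.168.5.7"))      # hypothetical on-prem DB bridged into hr-app
    erp.egress.add(ip_address("192.168.9.9"))      # hypothetical directory host erp may call out to
    return {"hr-app": hr, "erp": erp}
```

Calling `build_demo()["erp"].decide("10.42.0.10", "192.168.5.7")` is denied even though the same source address is allowed to reach that host from the hr-app chamber, which is the horizontal decoupling the text describes.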
CoIP Keeps Enterprise Physical Security Perimeters Intact
An enterprise perimeter-based firewall system—the “hard shell, soft core” described above—is a critical element
in protecting enterprise boundaries. As discussed in an earlier section, when enterprises start to migrate
applications to the cloud, it is important to maintain the existing security implementation without disrupting the
status quo.
CoIP technology allows enterprise IT to meet this goal without having to open any “pinholes” on corporate
firewalls. CoIP WAN transport initiates outbound traffic using just port 443. CoIP architecture is designed to work
with most existing enterprise firewall policies without change.
When the CoIP implementation is ported over a hybrid cloud environment, it is totally under secure control by
the enterprise that owns it. The CoIP implementation is a closed, private network that is securely shielded for
specifically allowed applications.
CoIP is the Next Paradigm for Cloud Ecosystems
Figure 5. The Cloud over IP Network
Cloud over IP (CoIP) is the next-generation virtual overlay network that is secure, portable, easy to implement,
and does not disrupt the existing enterprise network or perimeter security infrastructure. CoIP implements an
overlay network for hybrid cloud applications that enables migration from the enterprise to the cloud while
shielding applications running in a hybrid cloud environment. In sum, CoIP provides the cloud ecosystem with
the security, ease of deployment and accelerated time-to-production that will drive widespread cloud adoption.
The future is CoIP, and it is here now: the CoIP network is shown in Fig. 5.
Authored by Jaushin Lee, Ph.D., and CEO, Zentera Systems
All trademarks herein are the property of their respective owners.