copyright 2013
How overlay networks can make public clouds your global WAN
Ryan Koop, CohesiveFT
@cohesiveFT#LASCON
Thursday, October 24, 13
Oh, hello
During Business Hours++
Ryan Koop (@ryankoop), Director of Product & Marketing, Co-founder
Ryan is responsible for product development and manages teams for public relations, international events, and content marketing. His role spans the technical product development, customer support, business development and thought leadership needs of a growing company.
Before CohesiveFT, Ryan worked at a trading platform software company in the US Derivative Markets.
After Hours: Ryan Koop, Royal Fox CC - Men; LOCAL# 2024, Assoc# 20005661; effective date 10/15/2013; 12 scores posted; USGA Handicap Index 18.9
Chicago District Golf Association (www.cdga.org) - Ryan Koop, 2013 Gold Member
Agenda
• Background - Cloud and networking experience
• Cloud Market and Players
• Moore’s Law and Cloud WAN Costs
• Traditional WAN vs Cloud WAN
• Case Studies - Customers Building Cloud WANs
• My CloudWAN
Cloud Market
Where we fit
Who We Are
• Cohesive Flexible Technologies Corp. (CohesiveFT)
• Founded in 2006 by IT and capital markets professionals
• First product launched in 2007, with multiple product revisions each year
• Customers have secured 80M virtual device hours in public, private & hybrid clouds
• Offices in Chicago, London, Belo Horizonte and Palo Alto
What We Do
• Connect apps to cloud IaaS and provide network interoperability and virtual image interoperability
• Software defined networking (SDN) enables applications to be deployed to or across any public or private cloud
• Enterprise image management allows customers to import, transform and deliver their server images to the cloud
• Enable enterprises to run business operations in the cloud, helping migrate and extend both customer-facing systems and internal operational platforms
Even your mom knows about cloud
Diagram: cloud service layers - IaaS (Compute, Storage, Network), PaaS and SaaS; Google shown as an example provider.
Buzz word Bingo!
• Overlay Networking - CohesiveFT term for NFV, 5+ years old
• Network Function Virtualization (NFV) - new hotness
  - Network independent from hardware, runs in the virtual layer
  - Isolation between the virtual network, physical network and control plane
  - Programmatic network provisioning and control
• Software Defined Networking (SDN) - Capital B Billion
  - Networks that can be configured through an API
  - OpenFlow (Nicira) pure view is separation of the control plane from the forwarding plane: what is managing the network vs what moves the packets around the network
Diagram labels: OpenFlow, SDN, NFV.
(Network) Control is King
Application-Centric SDN
• Help me run my business in the cloud NOW.
• Extends control of the application owner from data center to cloud
Infrastructure SDN
• Optimizes service provider data center operations
Diagram: network layers 0 through 7 grouped into Hardware Layer, Virtual Layer and Application Layer, with the limit of user access, control and visibility drawn between the Application Owner and the Cloud Owner; VNS3 and Alcatel shown as examples.
No security without NFV
Diagram: NFV combines Firewall, Dynamic & Scriptable SDN, Protocol Redistributor, IPsec/SSL VPN concentrator, Router and Switch into a hybrid virtual device able to extend to multiple sites.
Overlay Network Appliances
• Allow control, mobility & agility by separating network location and network identity
• Control over end-to-end encryption, IP addressing and network topology
Defense in Depth
Cloud networks combine with user and provider firewalls and isolation features to create a “security lattice” with layers of security. Some key security elements must be controlled by the user but separate from the provider.
Lattice layers:
• Provider Owned / Provider Controlled
• Provider Owned / User Controlled
• VNS3 - User Owned / User Controlled
• User Owned / User Controlled
Diagram: Overlay Networks allow federated and hybrid clouds
VNS3 Overlay Network, subnet 172.31.0.0/22, spanning the peered cloud regions US East 1 and US West:
• VNS3 1 - Public IP 184.73.174.250, Overlay IP 172.31.1.250
• VNS3 2 - Public IP 54.246.224.156, Overlay IP 172.31.1.246
• VNS3 3 - Public IP 192.158.29.143, Overlay IP 172.31.1.242
• Cloud Servers A through F at Overlay IPs 172.31.1.1, 172.31.1.5, 172.31.1.9, 172.31.1.13, 172.31.1.17 and 172.31.1.21
• Customer Data Center, London, UK - Remote Subnet 192.168.4.0/24; Data Center Servers at LAN IPs 192.168.4.50 and 192.168.4.100
• Customer Remote Office, Chicago, IL USA - Remote Subnet 192.168.3.0/24; User Workstations at LAN IPs 192.168.3.50 and 192.168.3.100
• Sites connect through Cisco 5505 and Cisco 5585 firewall / IPsec devices over active and failover IPsec tunnels with traffic selectors 192.168.4.0/24 - 172.31.1.0/24 and 192.168.3.0/24 - 172.31.1.0/24
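As an added example (not part of the deck and not CohesiveFT software), the Python below audits a hybrid overlay topology like the one diagrammed above, using the diagram's addresses as constructed input: it checks that every overlay address falls inside the overlay subnet, that no site LAN overlaps the overlay or another site (overlapping prefixes make the IPsec traffic selectors ambiguous), and that each site has an active tunnel plus a tunnel to a second VNS3 manager. Which manager each tunnel terminates on, and the tunnel roles, are assumptions the slide does not state.

```python
import ipaddress

# Topology constructed from the labels in the slide diagram (not CohesiveFT code).
OVERLAY = "172.31.0.0/22"
MANAGERS = {"VNS3 1": "172.31.1.250", "VNS3 2": "172.31.1.246", "VNS3 3": "172.31.1.242"}
CLOUD_SERVERS = {"Cloud Server A": "172.31.1.1", "Cloud Server B": "172.31.1.5",
                 "Cloud Server C": "172.31.1.9", "Cloud Server D": "172.31.1.13",
                 "Cloud Server E": "172.31.1.17", "Cloud Server F": "172.31.1.21"}
# Per site: LAN subnet and IPsec tunnels as (manager, cloud-side selector, role).
# Which manager each tunnel terminates on is an assumption, not read from the slide.
SITES = {
    "London DC": {"lan": "192.168.4.0/24",
                  "tunnels": [("VNS3 1", "172.31.1.0/24", "active"),
                              ("VNS3 2", "172.31.1.0/24", "failover")]},
    "Chicago Office": {"lan": "192.168.3.0/24",
                       "tunnels": [("VNS3 2", "172.31.1.0/24", "active"),
                                   ("VNS3 3", "172.31.1.0/24", "failover")]},
}


def audit(overlay, managers, servers, sites):
    """Return a list of findings; an empty list means the topology is consistent."""
    findings = []
    net = ipaddress.ip_network(overlay)
    # 1. Every overlay address (managers and servers) must live inside the overlay subnet.
    for name, ip in {**managers, **servers}.items():
        if ipaddress.ip_address(ip) not in net:
            findings.append(f"{name}: overlay IP {ip} is outside {net}")
    # 2. Site LANs must not overlap the overlay or each other: overlapping prefixes make
    #    the IPsec traffic selectors ambiguous and traffic silently takes the wrong path.
    lans = {s: ipaddress.ip_network(c["lan"]) for s, c in sites.items()}
    names = list(lans)
    for i, a in enumerate(names):
        if lans[a].overlaps(net):
            findings.append(f"{a}: LAN {lans[a]} overlaps overlay {net}")
        for b in names[i + 1:]:
            if lans[a].overlaps(lans[b]):
                findings.append(f"{a}/{b}: LAN subnets overlap ({lans[a]}, {lans[b]})")
    # 3. Each cloud-side selector must sit inside the overlay, and each site needs an
    #    active tunnel plus a tunnel to a second manager so that one manager can fail.
    for site, cfg in sites.items():
        used, roles = set(), set()
        for mgr, selector, role in cfg["tunnels"]:
            if mgr not in managers:
                findings.append(f"{site}: tunnel to unknown manager {mgr}")
            if not ipaddress.ip_network(selector).subnet_of(net):
                findings.append(f"{site}: cloud selector {selector} not within overlay {net}")
            used.add(mgr)
            roles.add(role)
        if "active" not in roles:
            findings.append(f"{site}: no active tunnel")
        if len(used) < 2:
            findings.append(f"{site}: all tunnels terminate on one manager (no failover path)")
    return findings
```

Run `audit(OVERLAY, MANAGERS, CLOUD_SERVERS, SITES)` to get an empty list for the diagrammed topology; a site whose LAN is 172.31.1.0/24, or with all tunnels on one manager, produces a finding per violated rule.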
Cloud Players
Colo & Managed Hosting Locations
Locations as reported by providers
Public Cloud Locations
Locations as reported by providers
Economics of Distributed Computing Today
Compute locally or reach across the network to the public cloud?
Jim Gray’s "Distributed Computing Economics" updated for 2013
| | WAN Bandwidth/mo. | CPU Hours (All Cores) | Disk |
|---|---|---|---|
| Item in 2003 [1] | 1 Mbps WAN link | 2 GHz CPU, 2 GB DRAM | 200 GB (50 MB/s) |
| Cost in 2003 [1] | $100/mo. | $2,000 | $200 |
| $1 buys in 2003 [1] | 1 GB | 8 CPU hours | 1 GB |
| Item in 2008 [2] | 100 Mbps WAN link | 2 GHz, 2 socket, 4 cores/socket, 4 GB DRAM | 1 TB disk, 115 MB/s sustained transfer |
| Cost in 2008 [2] | $3,600/mo. | $1,000 | $100 |
| $1 buys in 2008 [2] | 2.7 GB | 128 CPU hours | 10 GB |
| Cost/Performance Improvement | 2.7x | 16x | 10x |
| Cost to rent $1 worth on AWS in 2008 [2] | $0.27-$0.40 | $2.56 | $1.20-$1.50 |
| Cost to rent $1 worth on AWS in 2013 | $0.15-$0.36 | $0.832 (m1.xlarge spot price x 16 hours) | $1 for EBS, $0.95 for S3 |
| 2008 to 2013 savings | 10%-44% | 67% | 21%-33% |

[1] Jim Gray, Distributed Computing Economics (Redmond: Microsoft Research), 63-68. Available from: http://goo.gl/NvQ7OX.
[2] Michael Armbrust, Armando Fox, Rean Griffith, Anthony D. Joseph, Randy H. Katz, Andrew Konwinski, Gunho Lee, David A. Patterson, Ariel Rabkin, Ion Stoica, and Matei Zaharia, Above the Clouds: A Berkeley View of Cloud Computing (University of California, Berkeley: EECS Department), 12-14. Available from: http://goo.gl/veBurD.
Traditional vs Cloud WAN
There is plenty of cloud fluff, but the decision usually comes down to the following:
1. Hardware refresh cycle
2. Project budget
3. Organizational expertise
4. MBOs
5. Revenue targets
6. Job function/role
Traditional vs. Cloud WAN
Traditional WAN: Points of Presence
Step 1: Shop for real estate
Step 2: Become an expert in facilities management, A/C, construction, door locks, etc.
Step 3: Hire a team of 24x7x365 security guards
-OR- Sign deals with Telco carriers
• Want more POPs? Start again at step 1
Image sources: DatacenterKnowledge.com, Google.com
Cloud WAN: Points of Presence
Step 1: Sign up for a cloud account
Step 2: Enter credit card info
Step 3: Configure & launch in the region of your choice
• Want more POPs? Change your settings
Traditional WAN: Network Kit
Step 1: Call your hardware vendor
Step 2: Sign another contract
Step 3: Hire staff to install, test and connect new hardware in your data centers
-OR- Sign deals with Telco carriers
• Want more compute? Prepare for budget shock, then start again at step 1
Image sources: Cisco.com, Colourbox.com
Cloud WAN: Network Capacity
Step 1: Sign up for a cloud account
Step 2: Enter credit card info
Step 3: Configure & launch instances of your choice
• Want more compute capacity? Add more VMs
Traditional WAN: Leased Lines
Step 1: Shop for Telco carriers/vendors
Step 2: Sales cycle
Step 3: Sign long-term, lock-in agreements with vendors
• Want more network capacity? Call up your vendor’s sales team
Diagram: leased lines across the Telco network connecting a Regional Office (UK) LAN, the Head Office (USA) with firewall / IPsec and data center servers, and a Data Center (USA) LAN with data center servers.
Cloud WAN: Network
Step 1: Sign up for a cloud account
Step 2: Enter credit card info
Step 3: Configure & launch in the network of your choice
• Want more network capacity? Change your settings
Customer Use Cases
Connecting mobile banking customers to a common cloud-based infrastructure.
Highlights:
Online & mobile banking company needed a connectivity solution to meet regulatory requirements.
Financial customers could use a "security lattice" approach, encrypting their critical data in motion.
Enabled customer to serve end customers from a common platform.
Multitenancy model allowed customer to pass along cloud economies of scale.
Diagram: Multi-tenant cloud-based partner network - the Mobile Banking Platform (VNS3 virtual machines) spans Cloud Regions A, B, C and D and connects over encrypted IPsec tunnels to the Home Network (USA) and to Customer Data Centers 1 (UK), 2 (USA), 3 (UK) through N (USA), each behind a firewall / IPsec device.
Security Firm extended offerings with global cloud points of presence.
Highlights:
Global reach for products and global redundancy for security.
Needed secure connections to existing data centers and networks.
Access critical infrastructure “in region” without delays or capital of physical resources.
Offered global redundancy at dramatically lower cost than traditional infrastructure.
Diagram: Cloud WAN for global reach and redundancy - peered VNS3 Managers in the US East Coast, Netherlands and APAC-1 cloud regions, with active IPsec tunnels to a data center in Frankfurt, Germany, Customer 1 (New York, USA), Customer 2 (Tokyo, Japan) and an office in London, UK.
Cloud WAN connectivity without the expensive assets or contracts.
Highlights:
Global reach for products and global redundancy for security.
Needed secure connections to existing data centers and networks.
Access critical infrastructure “in region” without physical resources.
Offered global redundancy at dramatically lower cost.
Diagram: Pharmaceutical system federates infrastructure - peered VNS3 Managers in US-west-1, US-east-1 and a private cloud in Salt Lake City, USA, with active IPsec tunnels to a New York, USA data center, Medical Office 1, Medical Office 2 (San Francisco, USA), a customer hospital in Boston, USA and SaaS portals.
Cloud WAN connectivity without the expensive assets or contracts.
Highlights:
Africa has over 700 million mobile phone users, but SMS is separated by provider
Customer needed to integrate multiple national carriers’ infrastructure on a “virtual” LAN
Build new virtual infrastructure without the capital outlay and physical constraints
Overlay network and public cloud let them compete like a global, connected telco giant
Diagram: Federated SMS Network Patchworks in Africa - an SMS Advertiser’s Platform and VNS3 Manager in public cloud, with IPsec tunnels to data centers in Lagos, Nigeria and Johannesburg, South Africa and to a Vodafone customer and an MTM customer in Accra, Ghana; carrier networks shown in Nigeria, Ghana and Uganda.
My CloudWAN
I am a CloudTelco
Coming Soon
Tin Can Telco - Big Brother and Telemarketers are not invited
source: charlespaolino.wordpress.com
Questions?
CohesiveFT Americas - Chicago, IL - [email protected] - 888.444.3962
CohesiveFT Europe - London, UK - [email protected] - +44 208 144 0156
cohesiveft.com/blog | cloudcamp.org
Appendix: VNS3 Technical Capabilities
Cloud Address Control
Problem:
• Enterprise software uses multicast protocols for service election and service discovery.
• Many public cloud providers block multicast protocols at the user layer.
VNS3 Solution:
• Control static addressing of your cloud servers
• Local Area Network (LAN) address extension to the cloud
• Servers and topologies behave as though they are running locally
• Application-centric network is portable
Diagram: Customer Data Center (Firewall / IPsec Device, Data Center Servers, LAN) connected by a standard IPsec tunnel to a VNS3 Manager in Public Cloud Region 1; cloud servers on the overlay network. Address labels: Overlay IP: 172.31.11.xx and IP: 192.168.1.xx.
Cloud Protocol Control: Multicast
Problem:
• Enterprise software uses multicast protocols for service election and service discovery.
• Many public cloud providers block multicast protocols at the user layer.
VNS3 Solution:
• Send multicast traffic via the VNS3 overlay network before it is rejected by the underlying network infrastructure.
• Control all your protocols with VNS3.
Diagram: Customer Data Center (Firewall / IPsec Device, Data Center Servers, LAN) connected by a standard IPsec tunnel to a VNS3 Manager in Public Cloud Region 1; cloud servers on the overlay network.
Cloud Security Control: IPsec Tunneling
Problem: Public Cloud is accessed via the public internet.
VNS3 Solution:
• Extend your network with industry standard IPsec.
• Use your existing network security appliances (Cisco, Juniper, Netscreen, SonicWall).
• Use your existing secure communication methods/practices, the same way you currently connect offices, data centers or partners/customers.
Diagram: Data Center (Firewall / IPsec Device, Data Center Servers, LAN) connected by a standard IPsec tunnel to a VNS3 Manager in Public Cloud Region 1; cloud servers on the overlay network.
Cloud Security Control: Multiple IPsec
Problem: Cloud providers limit the number of IPsec connections.
VNS3 Solution:
• VNS3 Manager enables multiple IPsec connections to a cloud-based overlay network segment.
• Serves as a user-controlled, virtualized switch/router (uSwitch) inside the provider cloud.
• Cloud deployed servers can communicate with multiple IPsec gateways via endpoint-to-endpoint encrypted connections.
Diagram: Customer Sites 1, 2 through N, each with its own IPsec device, connected by standard IPsec tunnels to a VNS3 Manager in Public Cloud Region 1; cloud servers on the overlay network.
Use Existing Monitoring Tools
Problem: Cloud deployments cannot be connected to the existing network operations center.
VNS3 Solution:
• Use your existing monitoring tools for cloud deployments.
• VNS3 allows you to use your existing NOC to monitor and manage devices in the data center and the cloud.
Diagram: Customer Data Center (Firewall / IPsec Device, Data Center Servers, virtual network) connected by a standard IPsec tunnel to a VNS3 Manager in Public Cloud Region 1; cloud servers on the overlay network.
Customer-Partner Networks in Public Cloud
Problem: Securely connect customers, partners or branches to specific servers in shared infrastructure.
VNS3 Solution:
• Industry standard secure connectivity to isolated servers in public cloud.
• Data in motion in the public cloud is encrypted.
Diagram: Customer - Partner Network - Partner Data Center (EMEA), Customer 1 (APAC) and Customer 2 (USA), each behind a firewall / IPsec device, with active IPsec tunnels to a VNS3 Manager in Public Cloud Region 1; the cloud deployment sits alongside a physical data center / private cloud server node.
VNS3 is a combination of 6 device types
Diagram: Firewall, Dynamic & Scriptable SDN, Protocol Redistributor, IPsec/SSL VPN concentrator, Router and Switch combined in VNS3, a hybrid virtual device able to extend to multiple sites.
Leading Application SDN (Software Defined Network) Appliance
• Allows control, mobility & agility by separating network location and network identity
• Control over end-to-end encryption, IP addressing and network topology