NET208: Enable & Secure Your Business Apps via the Hybrid Cloud on AWS
TRANSCRIPT
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
October 2015

NET208
Enable and Secure Your Business Applications via the Hybrid Cloud in AWS

Shishir Agrawal, Juniper Networks, Sr. Manager, Product Management, [email protected]
Ariful Huq, Juniper Networks, Sr. Manager, Product Management, [email protected]
What to Expect from the Session
• Trends and challenges in migrating to hybrid cloud
• Learn about solutions to address these challenges
  • Routing capabilities between public cloud instances
  • Secure transport to the public cloud
  • Security against advanced threats and staying compliant
• Demo on how to address these challenges in AWS, and a do-it-yourself solution
For your 60 minutes
Cloud statistics
• Nearly 70% of enterprises will pursue the hybrid cloud by 2015**
• 91% of net new software was built for cloud delivery in 2014***
The cloud is changing the way enterprises work and transforming the way IT and business processes are delivered.
[Chart: Cloud Market Opportunity*, 25% CAGR through 2017; by 2017, cloud spend will be $392B. Segments shown: Private Cloud, IaaS/PaaS, SaaS/BPaaS, with segment CAGRs of 25%, 28% and 24% in the order extracted.]
*Source: IBM Market Insights, 1H 2014
**Source: Gartner, p.6, "Private Cloud Matters, Hybrid Cloud is Next", Gartner G00255302, Sept 6, 2013
***Source: IDC Directions, "How SaaS Gets Built", Doc # DR2014_T3_RM, March 2014
Cloud inhibitors
Q. Which does your organization consider the most IMPORTANT INHIBITORS to your organization's increased usage of cloud services?
[Chart: percentage of respondents, two panels; values paired with labels in the order extracted from the chart]
Employee size 100-999:
  Security concerns 41.3
  IT governance issues 30.0
  Lock-in to a single… 28.0
  Dependency on… 28.0
  Reliability concerns:… 27.3
  Hard to integrate with… 26.0
  Will cost too much to… 24.0
  Reduced… 22.7
  Cloud cannot support… 21.3
  Current network… 18.7
  Lack of tools to… 16.7
  None 1.3
  Other 0.7
Employee size 1000+ (N=151):
  Security concerns 48.3
  Reliability concerns:… 34.4
  IT governance… 31.8
  Dependency on… 29.1
  Service provider lock-… 28.5
  Hard to integrate with… 26.5
  Not suitable for… 22.5
  Limitation of current… 18.5
  Expensive 18.5
  Reduced… 17.9
  Lack of tools to… 17.2
  None 4.6
  Other 4.0
N=301; Base: All respondents
Source: IDC's Multi-Client Report: Enterprise Cloud Connect, 2015
Key inhibitors: Security, Reliability, & IT governance
Business edge & enterprise networks evolving
Trends
• Applications & workloads are shifting to public cloud providers such as AWS. This shift requires:
  • Secure transport to the public cloud
  • A secure perimeter gateway providing the same next-gen firewall capabilities as on-premises solutions
  • Routing capabilities between public cloud instances in case of geo-redundancy

Enabling public cloud migration
Customer Challenges
[Diagram: enterprise CE sites reach VPC instances in AWS Region A and AWS Region B over a provider MPLS network (PE routers, Amazon PE via Direct Connect) and over the Internet]
• Scalable secure transport with full-mesh capabilities from multiple enterprise locations to the public cloud instance
• Routing between VPC instances across AWS regions for geo-redundancy and high availability
• Operational consistency between on-premises and cloud gateway
• Redundant gateway for high availability within an AWS region
• Visibility, analytics, and troubleshooting capabilities for the cloud gateway
• Ensure quality of service for specific types of traffic
Enabling public cloud migration
Solution: Scale-Out Virtual Router in the VPC
[Diagram: a Virtual Private Cloud with two Availability Zones, one VPC subnet in each; customer gateways in New York, Chicago and Los Angeles terminate VPNs on a Virtual Private Gateway]
To remediate the challenges highlighted, we augment a VPC deployment with a scale-out, carrier-class virtual router: utilize a scale-out virtual router instead.
Enabling public cloud migration
Solution: Scale-Out Virtual Router in the VPC
[Diagram: as before, with a virtual router in each VPC instance; IPsec VPN over the Internet and Direct Connect over the provider MPLS network into AWS Region A and Region B]
• Scalable secure transport with full-mesh capabilities from multiple enterprise locations to the public cloud instance: utilize IPsec VPN for any-to-any connectivity with scalable tunnel count and throughput.
• Operational consistency between on-premises gateway and cloud gateway: carrier-class operating system (Junos) with a rich routing stack, automation capabilities (Chef, Puppet, Ansible, PyEZ) and analytics (IPFIX, J-Flow).
Enabling public cloud migration
Solution: Scale-Out Virtual Router in the VPC
[Diagram: as before, with VXLAN over IPsec between the virtual routers in AWS Region A and Region B]
• Routing between VPC instances across AWS regions and enterprise locations for high availability: dynamic routing (BGP) with overlay tunneling (VXLAN) creates seamless connectivity across all endpoints.
• Redundant gateway for high availability within an AWS region: instantiate multiple instances of the scale-out virtual routing platform within a VPC instance to create redundant topologies. Use technologies such as BFD for end-to-end liveness detection.
Enabling public cloud migration
Deployment Scenario: Virtual Router as a Virtual Private Cloud (VPC) Gateway
[Diagram: a VPC whose public subnet hosts two virtual routers, vMX-A and vMX-B, behind the Internet Gateway; Internet VPN tunnels terminate on the vMX instances; a private subnet hosts the EC2 instances, and the VPC router's route table directs their traffic to the vMX instances]
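The redundant-gateway point above (several virtual routers in one VPC, BFD for liveness) and this deployment scenario together describe a failover that the deck does not spell out. The following is an added example written for this page, not code from the deck or from Juniper: it models BFD asynchronous-mode detection with the RFC 5880 timer rule and repoints the private subnet's default route from vMX-A to vMX-B when vMX-A's session expires. The ENI identifiers, prefixes and timer values are hypothetical, and the route table is an in-memory model rather than a call to the AWS API. One caveat the diagram does not show: an EC2 instance acting as a gateway only forwards traffic if source/destination checking is disabled on its network interface.

```python
"""Added example (not from the NET208 deck or Juniper's code): BFD-style
liveness detection (RFC 5880 timers) driving a VPC route-table failover
from vMX-A to vMX-B.  ENI IDs, prefixes and intervals are hypothetical."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class BfdSession:
    """Asynchronous-mode BFD session with one peer.  RFC 5880 section 6.8.4:
    detection time = remote Detect Mult * max(local Required Min RX Interval,
    remote Desired Min TX Interval).  Intervals are milliseconds."""
    local_required_min_rx_ms: int
    remote_desired_min_tx_ms: int
    remote_detect_mult: int
    last_rx_ms: Optional[int] = None
    state: str = "DOWN"

    @property
    def detection_time_ms(self) -> int:
        return self.remote_detect_mult * max(
            self.local_required_min_rx_ms, self.remote_desired_min_tx_ms)

    def receive_control(self, now_ms: int) -> None:
        """A BFD control packet arrived from the peer: refresh the timer."""
        self.last_rx_ms = now_ms
        self.state = "UP"

    def tick(self, now_ms: int) -> str:
        """Expire the session if nothing arrived within the detection time."""
        if self.state == "UP" and now_ms - self.last_rx_ms > self.detection_time_ms:
            self.state = "DOWN"
        return self.state


@dataclass
class RouteTable:
    """Minimal model of a VPC subnet route table: prefix -> target."""
    routes: Dict[str, str]

    def repoint(self, prefix: str, new_target: str) -> None:
        self.routes[prefix] = new_target


@dataclass
class GatewayPair:
    """vMX-A is primary; when its session drops and vMX-B's is up, the
    private subnet default route is repointed at vMX-B's ENI.  (On real EC2
    both target ENIs need source/destination checking disabled, otherwise the
    router instance drops forwarded packets; this model only tracks routes.)"""
    primary_eni: str
    standby_eni: str
    session_primary: BfdSession
    session_standby: BfdSession
    table: RouteTable
    history: List[Tuple[int, str]] = field(default_factory=list)

    def evaluate(self, now_ms: int) -> str:
        p = self.session_primary.tick(now_ms)
        s = self.session_standby.tick(now_ms)
        current = self.table.routes["0.0.0.0/0"]
        if p == "UP":
            target = self.primary_eni
        elif s == "UP":
            target = self.standby_eni
        else:
            target = current  # both gateways dark: leave the route alone
        if target != current:
            self.table.repoint("0.0.0.0/0", target)
            self.history.append((now_ms, target))
        return target


def _session() -> BfdSession:
    # Hypothetical timers: 300 ms both ways, multiplier 3 -> 900 ms detection.
    return BfdSession(local_required_min_rx_ms=300,
                      remote_desired_min_tx_ms=300, remote_detect_mult=3)


def simulate_failover(loss_start_ms: int = 1000, end_ms: int = 3000,
                      step_ms: int = 100) -> Tuple[RouteTable, List[Tuple[int, str]], int]:
    """Constructed timeline: both peers send control packets every 300 ms;
    from loss_start_ms on, vMX-A goes silent.  Returns the final route table,
    the list of (time, new_target) repoints, and the detection time used."""
    table = RouteTable({"10.0.1.0/24": "local", "0.0.0.0/0": "eni-vmx-a"})
    pair = GatewayPair("eni-vmx-a", "eni-vmx-b", _session(), _session(), table)
    for now in range(0, end_ms + 1, step_ms):
        if now % 300 == 0:
            pair.session_standby.receive_control(now)
            if now < loss_start_ms:
                pair.session_primary.receive_control(now)
        pair.evaluate(now)
    return table, pair.history, pair.session_primary.detection_time_ms


if __name__ == "__main__":
    final_table, repoints, detect_ms = simulate_failover()
    print(f"detection time {detect_ms} ms, repoints {repoints}, routes {final_table.routes}")
```

With the hypothetical 300 ms / multiplier 3 timers the last packet from vMX-A arrives at 900 ms, so the session is declared down at the first tick after 1800 ms and the default route moves to vMX-B at 1900 ms; the local subnet route is untouched.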
Security: specific areas of concern
What are the specific inhibitors to your organization's increased usage of cloud services?
[Chart: percentage of respondents citing each concern, Total (N=135); values paired with labels in the order extracted from the chart]
  Data protection 67%
  Security breach of the cloud provider's… 59%
  Unauthorized data access by cloud provider 39%
  Legal and regulatory compliance 33%
  Denial of Service attacks 29%
  Job security for IT staff 25%
  Shadow/rogue IT usage 24%
  Lack of visibility into cloud provider's… 21%
Base: Respondents citing "security" as an important cloud inhibitor
Source: IDC's Multi-Client Report: Enterprise Cloud Connect, 2015
Data protection, security, and compliance are key concerns
Secure migration to AWS hybrid cloud
Use Cases
• Migration of IT Services
• SaaS/Cloud Bursting
• Desktop as a Service
Customer Challenges
• Advanced Threat Protection
• Full-mesh secure connectivity
• Preserve IT compliance
• Leverage existing solutions
• Seamless migration experience
Solution: migration of IT services
[Diagram: on-premises DC with Dev and Prod segments under Policy A and Policy B, migrated to AWS VPC-Dev (US-West) and VPC-Prod (US-East), which carry the same Policy A and Policy B]
• Full-mesh secure connectivity: IPsec VPN
• Preserve IT compliance: policy migration
• Leverage existing solutions: physical or virtual firewall
• Seamless migration experience: management & automation
Solution: SaaS/cloud bursting
[Diagram: the same on-premises DC to AWS VPC-Dev (US-West) / VPC-Prod (US-East) topology with Policy A and Policy B]
• "Outside-in" Advanced Threat Protection: IPS, security intelligence, advanced anti-malware
Open security intelligence platform
A framework that uses information from multiple sources to deliver improved security
[Diagram: a Threat Intelligence Cloud fed by customer-provided or third-party threat data (command & control, GeoIP, additional intelligence) and by a local appliance or service, distributing through Central Mgmt to firewall and router/switch enforcement points]
1. Aggregated & optimized cloud-based threat intelligence
2. Provide threat intelligence to customer premise
3. Local/customer data incorporated into solution
4. Central management
5. Intelligence distributed to firewall enforcement points
6. Intelligence distributed to router/switch enforcement points
Advanced anti-malware cloud service
[Diagram: Advanced Anti-malware Cloud Service with a malware inspection pipeline (cache, static analysis, dynamic analysis), internal compromise detection (identified malware, C&C events, analytics), a web-based service portal (licensing, reporting, config & mgmt) and feed analysis & efficacy (C&C, GeoIP, custom, known C&C servers). The firewall sends extracted content (files) to the service and receives fast verdicts for in-line blocking; threat intel events (C&C "hits") let it quarantine compromised systems.]
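The two slides above describe a loop the deck only draws: feeds from several sources are aggregated, pushed to enforcement points, and a C&C "hit" from an internal host marks that host for quarantine. The following is an added example written for this page, not code from the deck or from Juniper: it merges a constructed cloud C&C feed, a GeoIP range feed and a customer feed into one enforcement table, runs constructed IPFIX-style flow records through it, and distinguishes policy blocks (GeoIP) from compromise indicators (a feed match on a C&C host) so that only the latter quarantines the internal source. All addresses, feed contents and flows are constructed sample data.

```python
"""Added example (not code from the deck or Juniper): feed aggregation,
per-flow enforcement and C&C-hit quarantine.  All feeds, addresses and
flow records below are constructed sample data."""

import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed feeds (in the deck these arrive via the threat intelligence
# cloud and central management, here they are literals).
CLOUD_CC_FEED = ["203.0.113.7", "198.51.100.23"]      # known C&C servers
GEOIP_BLOCK_FEED = {"203.0.113.128/25": "ZZ"}          # country-coded ranges to block
CUSTOMER_FEED = ["198.51.100.200"]                      # customer-provided IOCs
INTERNAL_NETS = ["10.0.0.0/8"]

# Constructed flow records, IPFIX/J-Flow-like: (src, dst, dst_port).
SAMPLE_FLOWS: List[Tuple[str, str, int]] = [
    ("10.0.1.15", "93.184.216.34", 443),   # benign
    ("10.0.1.15", "203.0.113.7", 8080),    # internal host -> cloud-feed C&C
    ("10.0.2.9", "198.51.100.200", 443),   # internal host -> customer-feed IOC
    ("10.0.3.4", "203.0.113.130", 443),    # destination inside blocked GeoIP range
    ("10.0.2.9", "93.184.216.34", 80),     # benign, same host as the IOC hit
]


class EnforcementTable:
    """Aggregated intelligence that the firewall evaluates per flow."""

    def __init__(self) -> None:
        self.cc_hosts: Dict[ipaddress.IPv4Address, str] = {}
        self.blocked_nets: List[Tuple[ipaddress.IPv4Network, str]] = []

    def load(self, cloud_feed, geoip_feed, customer_feed) -> None:
        """Merge the three sources; the reason string records provenance."""
        for ip in cloud_feed:
            self.cc_hosts[ipaddress.ip_address(ip)] = "cloud-cc"
        for ip in customer_feed:
            self.cc_hosts[ipaddress.ip_address(ip)] = "customer-feed"
        for net, country in geoip_feed.items():
            self.blocked_nets.append((ipaddress.ip_network(net), f"geoip:{country}"))

    def lookup(self, dst: ipaddress.IPv4Address) -> str:
        """Return the reason to block, or '' if the destination is clean.
        Exact host matches win over range matches."""
        if dst in self.cc_hosts:
            return self.cc_hosts[dst]
        for net, reason in self.blocked_nets:
            if dst in net:
                return reason
        return ""


def enforce(flows, table: EnforcementTable, internal_nets=INTERNAL_NETS):
    """Apply the table to flows.  Returns (verdicts, quarantine): verdicts is
    a list of (src, dst, action, reason); quarantine is the set of internal
    hosts with at least one C&C hit.  A GeoIP block is policy, not evidence
    of compromise, so it does not quarantine the source."""
    internal = [ipaddress.ip_network(n) for n in internal_nets]
    verdicts: List[Tuple[str, str, str, str]] = []
    quarantine: Set[str] = set()
    for src, dst, _port in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        reason = table.lookup(d)
        action = "block" if reason else "allow"
        verdicts.append((src, dst, action, reason))
        is_cc_hit = bool(reason) and not reason.startswith("geoip")
        if is_cc_hit and any(s in n for n in internal):
            quarantine.add(src)
    return verdicts, quarantine


def run_sample():
    table = EnforcementTable()
    table.load(CLOUD_CC_FEED, GEOIP_BLOCK_FEED, CUSTOMER_FEED)
    return enforce(SAMPLE_FLOWS, table)


if __name__ == "__main__":
    for verdict in run_sample()[0]:
        print(verdict)
    print("quarantine:", sorted(run_sample()[1]))
```

On the constructed flows, three of five are blocked, and two internal hosts (the ones that reached a C&C host from the cloud feed and the customer feed) end up in the quarantine set; the host that only hit the GeoIP range is blocked but not quarantined.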
Solution: Desktop as a Service (DaaS)
[Diagram: on-premises DC connected to AWS]
• "Inside-out" Advanced Threat Protection: Application Visibility & Control, User ID, Unified Threat Management

Application visibility and control
(Ingress to Egress)
App Tracking: Understand security risks; address new user behavior
App Firewall: Block access to risky apps; allow user-tailored policies
App QoS: Prioritize important apps; rate-limit less important apps
SSL Proxy: SSL packet inspection
IPS: Block security threats
• Heuristics for evasive and tunneled apps
• More application signatures
• Open signature language
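The App Firewall and App QoS rows above describe user-tailored allow/block decisions and rate-limiting of less important applications. The following is an added example written for this page, not code from the deck and not Juniper's AppSecure implementation: a first-match policy keyed on the user's group and the identified application, with a token bucket applied to the rate-limited application so that a burst beyond the configured rate is dropped until the bucket refills. Users, groups, application names, the policy and the traffic are constructed sample data, and the rate is hypothetical.

```python
"""Added example (not from the deck, not Juniper code): user-aware
application policy with allow / block / rate-limit actions.  All users,
groups, applications, policy rows and traffic below are constructed."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed user-to-group mapping (what User ID / user-based firewall supplies).
USER_GROUPS = {"alice": "engineering", "bob": "contractor"}

# Constructed policy, evaluated first-match in order:
# (group or "*", app or "*", action, rate in bytes/sec when action == "rate-limit")
POLICY: List[Tuple[str, str, str, Optional[int]]] = [
    ("contractor", "remote-desktop", "block", None),
    ("*", "peer-to-peer", "block", None),
    ("*", "video-streaming", "rate-limit", 1000),
    ("*", "*", "allow", None),
]


@dataclass
class TokenBucket:
    """Classic token bucket: `rate` bytes per second, burst up to `capacity`."""
    rate: float
    capacity: float
    tokens: float
    last_ts: float

    def try_consume(self, nbytes: int, now: float) -> bool:
        self.tokens = min(self.capacity, self.tokens + (now - self.last_ts) * self.rate)
        self.last_ts = now
        if self.tokens >= nbytes:
            self.tokens -= nbytes
            return True
        return False


class AppPolicyEngine:
    def __init__(self, policy, user_groups):
        self.policy = policy
        self.user_groups = user_groups
        self.buckets: Dict[Tuple[str, str], TokenBucket] = {}

    def match(self, group: str, app: str) -> Tuple[str, Optional[int]]:
        for rule_group, rule_app, action, rate in self.policy:
            if rule_group in ("*", group) and rule_app in ("*", app):
                return action, rate
        return "block", None  # implicit deny when nothing matches

    def decide(self, user: str, app: str, nbytes: int, now: float) -> str:
        """Returns 'allow', 'block', or 'drop' (rate-limited, bucket empty)."""
        group = self.user_groups.get(user, "unknown")
        action, rate = self.match(group, app)
        if action != "rate-limit":
            return action
        # One bucket per (user, app) so a user-tailored limit is enforced.
        bucket = self.buckets.setdefault(
            (user, app), TokenBucket(rate, rate, rate, now))
        return "allow" if bucket.try_consume(nbytes, now) else "drop"


# Constructed traffic: (timestamp seconds, user, identified app, bytes).
SAMPLE_TRAFFIC = [
    (0.0, "alice", "web-browsing", 5000),
    (0.0, "bob", "remote-desktop", 1200),
    (0.0, "alice", "peer-to-peer", 800),
    (0.0, "alice", "video-streaming", 600),
    (0.1, "alice", "video-streaming", 600),   # bucket holds about 500 -> dropped
    (1.0, "alice", "video-streaming", 600),   # refilled -> allowed
]


def run_sample() -> List[str]:
    engine = AppPolicyEngine(POLICY, USER_GROUPS)
    return [engine.decide(u, a, b, t) for t, u, a, b in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for record, verdict in zip(SAMPLE_TRAFFIC, run_sample()):
        print(record, "->", verdict)
```

The contractor's remote-desktop session and the peer-to-peer flow are blocked regardless of size, while video streaming is allowed only as long as the per-user bucket has tokens; the second 600-byte burst 100 ms later is dropped and the one a second later goes through.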
Virtual firewall: enable secure migration to AWS
Core firewall features
• Foundation: Firewall, VPN, NAT, Routing
Advanced security services
• Next Generation Firewall Services: Application Control, User-based Firewall
• Unified Threat Management: Anti-virus, Intrusion Prevention, Web/Content Filtering, Anti-malware
• Security Intelligence: Command & Control, GeoIP Feeds, Custom Feeds
Management, Reporting, Analytics, Automation
Expedient: cloud hosting provider use case
[Diagram: in the cloud hosting environment a vSRX dedicated to Customer 1 terminates IPsec VPNs from Customer Premises 1-4 (Customers 1-4) across the public cloud, providing protection and connectivity to the customer-hosted VMs (Web VM, App VM, DB VM, other VMs)]
Copyright © 2015 Juniper Networks, Inc.
Call to action
• vSRX: Juniper virtual firewall
• vMX: Juniper virtual router
• Download a 30-day free trial of vMX with complete routing stack: http://www.juniper.net/support/downloads/?p=vmx#sw
• Download a 60-day vSRX trial including advanced security services: http://www.juniper.net/us/en/dm/free-vsrx-trial/
• vSRX on AWS expected to ship in the next few months
• vMX on AWS expected to ship in the next few months
• Stop by Juniper booth #403 to see a demo of vSRX and vMX on AWS
Demo
Thank you!
Remember to complete your evaluations!