ua hybrid cloud - internet2
TRANSCRIPT
UA HYBRID CLOUD: OPTIMIZING MULTI-CLOUD CONNECTIVITY
SECURE/FLEXIBLE INTEGRATIONS FOR CAMPUS
INTRO
Jason Sullivan, Network Security Architect @ UITS
CCIE #60763
CCDP, CCNP x2, AWS Network Specialist, AWS Associate Architect
AGENDA
o Define basic network constructs of IaaS (AWS/Azure)
o IaaS Networking basics
o UA's Simple beginnings
o Policy/Route/Transit
o East/West performance considerations
o Multi-Cloud integration
o TGW
o Converged Cloud
o DC integration/remote sites
AWS/AZURE NETWORK STACK
• AWS Network
VPC (Virtual Private Cloud)
Subnets
Route-Table
CGW (Customer Gateway)
VGW (Virtual Gateway)
Route Propagation
TGW (Transit Gateway)
VPC-Peering
Direct-Connect
• Azure Network
Resource Group
VNet (Virtual Networks)
Subnets (Gateway Subnet)
VNetGW (Virtual Network Gateway)
LNG (Local Network Gateway)
Connection
Public IP address
Route Table (optional)
Express-Route
SUBNETS/ROUTING
ROUTE-TABLES AS SECURITY BOUNDARY
[Diagram: public subnet route tables point at the IGW or a public ENI; private subnet route tables point at the NAT-GW (nat-id) or the TGW (tgw-id)]
Policy-Based VPN
• Unidirectional Security Associations
Route-Based VPN
[Diagram: DC-A and DC-B, each with a WAN loopback (Lo0 100.1.1.1/32 and Lo0 200.2.2.2/32) in front of the Campus Networks. Each DC sources two tunnels from Lo0 toward the WAN endpoints 1.1.1.1 and 2.2.2.2 (BGP peers 1-2 and 3-4); tunnel addresses x.x.1.1/30 and x.x.1.5/30 on one DC, x.x.2.1/30 and x.x.2.5/30 on the other]
CGW (ROUTED) VGW SITE-TO-SITE
S2S VPN TUNNEL DETAILS
ROUTE PROPAGATION
• Dynamic/Static Route Installation
• VPC routing selection/rules
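The route-table-as-boundary and route-selection points above can be worked through with a small simulator. This is an added example, not code from the talk: it models only the longest-prefix-match rule and the static-over-propagated tie-break, and the table contents, CIDRs and `*-PLACEHOLDER` target ids are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Tie-break order when two matching routes have the same prefix length:
# local first, then static routes ahead of propagated (BGP-learned) ones.
# The finer ordering among propagated sources is left out (simplified model).
ORIGIN_RANK = {"local": 0, "static": 1, "propagated": 2}

@dataclass(frozen=True)
class Route:
    prefix: str   # destination CIDR, e.g. "10.20.0.0/16"
    target: str   # "local", igw-*, nat-*, tgw-*, vgw-* (placeholder ids below)
    origin: str   # "local", "static" (configured) or "propagated" (VGW/TGW BGP)

def select_route(table: List[Route], dst_ip: str) -> Optional[Route]:
    """Return the route a subnet associated with `table` uses for dst_ip.
    None means nothing matched and the packet is dropped: the route table
    itself is the boundary, independent of any security group or NACL."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [r for r in table if dst in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    # Longest prefix wins; on a tie, local > static > propagated.
    return min(matches, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen,
                                       ORIGIN_RANK[r.origin]))

# Constructed route tables mirroring the slide; ids are placeholders.
PUBLIC_RT = [
    Route("10.0.0.0/16", "local", "local"),
    Route("0.0.0.0/0", "igw-PLACEHOLDER", "static"),         # public subnet: default via IGW
]
PRIVATE_RT = [
    Route("10.0.0.0/16", "local", "local"),
    Route("0.0.0.0/0", "nat-PLACEHOLDER", "static"),         # private subnet: default via NAT-GW
    Route("10.20.0.0/16", "tgw-PLACEHOLDER", "static"),      # campus aggregate, static, via TGW
    Route("10.20.0.0/16", "vgw-PLACEHOLDER", "propagated"),  # same prefix propagated from the VGW
    Route("10.20.10.0/24", "vgw-PLACEHOLDER", "propagated"), # more specific campus prefix via VGW
]
ISOLATED_RT = [Route("10.0.0.0/16", "local", "local")]       # no default route: VPC-local only

if __name__ == "__main__":
    for name, table in (("public", PUBLIC_RT), ("private", PRIVATE_RT), ("isolated", ISOLATED_RT)):
        for dst in ("192.0.2.10", "10.20.10.5", "10.20.200.5"):
            r = select_route(table, dst)
            print(f"{name:8} {dst:12} -> {r.target if r else 'no route (dropped)'}")
```

The private table shows both rules at once: the propagated /24 beats the static /16 on prefix length, while the static /16 beats the propagated /16 on origin.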
WHAT IS A TGW
Transit Gateway
- Routing Table (multiple routing tables)
- Logical Attachments (receive/inject routes)
- RAM (Resource Access Manager)
- ACT/ACT (ECMP) BGP paths
- Deprecates need for Transit VPC
AZURE NETWORKING (CONNECTIVITY) COMPONENTS
AZURE RESOURCE MANAGER: https://resources.azure.com/
INITIAL INTEGRATION (POLICY VPN)
• S2S configuration (Vendor specific)
• Inflexible after instantiation
• Fault Tolerance considerations
• Almost everyone starts here
SECURITY APPLIANCE BENEFITS/LIMITATION
• Security appliance benefits:
o Crypto performance
o General placement/availability
o Ease of deployment
o Policy enforcement
• Security appliance limitations:
o Virtual Tunnels (required for routing)
o VRF (virtual routing forwarding)
o MPLS
o Cost
vs.
ROUTE BASED VPN (2ND ATTEMPT)
BGP Peers 1-2
BGP Peers 3-4
HEADEND PEERING – HUB/SPOKE DESIGN
EAST/WEST VPC COMMUNICATION
[Diagram: two views of UA with On-Prem A and On-Prem B]
TRANSIT VPC
[Diagram: Transit VPC extended to Azure]
DIRECT HEADEND PEERING INTO AN ISOLATED ROUTING CONTEXT
• Minimal East/West connectivity
• Segmentation (MPLS/VPNV4 enabled campus)
• Multiple VGWs are not cost effective
[Diagram label: Clear Text]
MPLS CAMPUS FABRIC
[Diagram: UA College A, UA College B and UA College C on the MPLS campus fabric behind a DEPT/MPLS FW]
TGW ANNOUNCEMENT: Initial Release @ Re:Invent 2018 (Nov)
TGW (CURRENT/LATEST ITERATION OF HYBRID CLOUD)
UA
TGW THROUGHPUT SCALING
6 × 1.25 Gb/sec = 7.5 Gb/sec
TGW PERFORMANCE (EAST/WEST INTRA-VPC)
[Diagram: east/west test between two RTR-PRIV C5N-4XL instances (50 Gb/sec each), once over VPC-Peering and once over the TGW]
PERFORMANCE VIA TGW ~25GB/SEC
[Diagram: BGP AS path from Azure (originator) through the CSR (transit) to the AWS TGW (last AS); command executed via AS65202; ASNs shown: AS65515, AS65212, AS64514, AS65202]
TGW MULTI-CLOUD CSR (PEERS/NAT)
TRANSIT VPC/CSR SECURITY ANALYTICS
BRO/ZEEK/SNORT
MIRROR DELIVERED VIA ENCAP
SEC TOOL OVERHEAD ~300PPS
8-core system
SECURITY ANALYTICS VIA BRO
SECURITY ANALYTICS VIA SNORT
REMOTE SITE CENTRAL CLOUD FIREWALL
[Diagram: Spoke Site(s) and Campus connected over IPsec/MPLS to IaaS (AWS/AZR); Campus Routes (IPsec/MPLS) and the default route 0.0.0.0/0 shown alongside the NGFW/Policy in the cloud]
(SPOKE) DECOUPLED DFT GATEWAY
Crypto VTI used for VXLAN underlay (/30)
Gateway – same subnet
CISCO ACI ANYWHERE (MSO)
Common policy between on-prem and cloud
ACCELERATED SITE-TO-SITE VPN (VIA TGW ATTACHED)
[Diagram: OnPrem reaches the closest AWS edge location through ISP-A, ISP-B, ISP-C or a Local-ISP, then traverses the AWS Global Net]
TGW ONLY
VPC INGRESS ROUTING