Multicloud Networking: An Overview. Shannon McFarland CCIE #5245 Distinguished

Similar documents
Multicloud Networking Design & Deployment

Cisco Cloud Services Router 1000V with Cisco IOS XE Software Release 3.13

Extending Enterprise Security to Multicloud and Public Cloud

Cisco SD-WAN. Securely connect any user to any application across any platform, all with a consistent user experience.

Cisco Group Encrypted Transport VPN

Advanced CSR Lab with High Availability and Transit VPC

LTRDCN-2100 Cloud networking solutions with Cisco Cloud Services Router (CSR 1000V) on AWS and Azure

Cisco Integrated Services Virtual Router

Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications

Implementing and Configuring Cisco SDWAN (ICSDWAN-CT)

Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications

MCR Google Cloud Partner Interconnect

Fundamentals and Deployment of Cisco SD-WAN Duration: 3 Days (24 hours) Prerequisites

Cisco Virtual Managed Services

Cloud-Ready WAN For IAAS & SaaS With Cisco s Next- Gen SD-WAN

IWAN APIC-EM Application Cisco Intelligent WAN

Public Cloud Connection for R&E Network. Jin Tanaka APAN-JP/KDDI

Deploying Transit VPC for Amazon Web Services

Network Services. Elite IT Experts. About Us. ieofit.com/service

Cisco SD-WAN (Viptela) Migration, QoS and Advanced Policies Hands-on Lab

Deploying Cisco SD-WAN on AWS

Managing Site-to-Site VPNs: The Basics

AWS Networking & Hybrid Cloud Connectivity

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Cisco Cloud Services Router 1000v

Transit Network VPC. AWS Reference Deployment Guide. Last updated: May 10, Aviatrix Systems, Inc. 411 High Street Palo Alto, CA USA

Course Outline. Module 1: Microsoft Azure for AWS Experts Course Overview

Intelligent WAN: Leveraging the Internet Secure WAN Transport and Internet Access

Deploying Cloud Network Services Prime Network Services Controller (formerly VNMC)

VPN World. MENOG 16 Istanbul-Turkey. By Ziad Zubidah Network Security Specialist

Managing Site-to-Site VPNs

Managing Site-to-Site VPNs: The Basics

Network Automation and Branch Agility The Network Helps Enable Digital Business. Rajinder Singh Product Sales Specialist June 2016

Cisco Multicloud Portfolio: Cloud Connect

SteelConnect. The Future of Networking is here. It s Application- Defined for the Cloud Era. SD-WAN Cloud Networks Branch LAN/WLAN

Cisco SD-WAN and DNA-C

Configuring Aviatrix Encryption

Best Practices for Extending the WAN into AWS (IaaS) with SD-WAN

Cisco CSR1000V Overview. Cisco CSR 1000V Use Cases in Amazon AWS

Cisco Multicloud Portfolio: Cloud Connect

Azure Compute. Azure Virtual Machines

Cisco SD-WAN. Intent-based networking for the branch and WAN. Carlos Infante PSS EN Spain March 2018

Microsoft Azure for AWS Experts

Enterprise SD-WAN Financial Profile (Hybrid WAN, Segmentation, Quality of Service, Centralized Policies)

QUESTION: 1 You have been asked to establish a design that will allow your company to migrate from a WAN service to a Layer 3 VPN service. In your des

RACKCONNECT GLOBAL PRODUCT DEEP DIVE:

Intelligent WAN Multiple VRFs Deployment Guide

40390: Microsoft Azure for AWS Experts

VMware Cloud on AWS. A Closer Look. Frank Denneman Senior Staff Architect Cloud Platform BU

Enterprise. Nexus 1000V. L2/L3 Fabric WAN/PE. Customer VRF. MPLS Backbone. Service Provider Data Center-1 Customer VRF WAN/PE OTV OTV.

Cisco Cloud Services Router 1000V and Amazon Web Services CASE STUDY

Cisco Multicloud Portfolio: Cloud Connect

Cisco Exam Questions & Answers

Deploying and Administering Cisco s Digital Network Architecture (DNA) and Intelligent WAN (IWAN) (DNADDC)

PREREQUISITES TARGET AUDIENCE. Length Days: 5

SteelConnect. The Future of Networking is here. It s Application-Defined for the Cloud Era. SD-WAN Cloud Networks Branch LAN/WLAN

SECURING THE MULTICLOUD

Hillstone IPSec VPN Solution

Migrating from Dynamic Multipoint VPN Phase 2 to Phase 3: Why and How to Migrate to the Next Phase

Implementing Cisco IP Routing (ROUTE)

DMVPN for R&S CCIE Candidates Johnny Bass CCIE #6458

Agenda. This Session: Azure Networking Basics, On-prem connectivity options DEMO Create VNET/Gateway Cost-estimation for VNET/Gateways

CVP Enterprise Cisco SD-WAN Retail Profile (Hybrid WAN, Segmentation, Zone-Based Firewall, Quality of Service, and Centralized Policies)

SD-WAN on Cisco IOS XE Routers: An End-to-End View

GRE and DM VPNs. Understanding the GRE Modes Page CHAPTER

Peering as a Cloud enabler for Enterprises

Cisco Multicloud Portfolio: Cloud Connect

Distributed Systems. 31. The Cloud: Infrastructure as a Service Paul Krzyzanowski. Rutgers University. Fall 2013

Security Considerations for Cloud Readiness

VeloCloud Cloud-Delivered WAN Fast. Simple. Secure. KUHN CONSULTING GmbH

Configuring High Availability

NGF0502 AWS Student Slides

Serviceability of SD-WAN

NGFWv & ASAv in Public Cloud (AWS & Azure)

Voice of the Customer First American Title SD-WAN Transformation

Optimizing the Usability of YANG Models for Network Automation

DMVPN for R&S CCIE Candidates

CCIE Routing & Switching

ARCHIVED DOCUMENT. - The topics in the document are now covered by more recent content.

A-B I N D E X. backbone networks, fault tolerance, 174

BUILDING AN ON-PREM APPLICATION-AWARE CLOUD

Deployment Scenarios

PassTorrent. Pass your actual test with our latest and valid practice torrent at once

Zero To Hero CCIE CCNP

How to Configure BGP over IKEv2 IPsec Site-to- Site VPN to an Google Cloud VPN Gateway

Cisco Cloud Architecture with Microsoft Cloud Platform Peter Lackey Technical Solutions Architect PSOSPG-1002

IWAN Security for Remote Site Direct Internet Access and Guest Wireless

Cisco CCNP ROUTE: Implementing Cisco IP Routing (ROUTE) 2.0. Upcoming Dates. Course Description. Course Outline

Question: 1 Which three parameters must match to establish OSPF neighbor adjacency? (Choose three.)

Cisco IOS Software Release 15M&T Q&A

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Creating Your Virtual Data Center

Cross-Site Virtual Network Provisioning in Cloud and Fog Computing

aviatrix_docs Documentation

Secure Extensible Network. Solution and Technology Introduction

Cisco CloudCenter Use Case Summary

Delivering Cisco Next Generation SD-WAN with Viptela

Cloud Native Security. OpenShift Commons Briefing

Applications of SDN in Cisco

Cisco Implementing Cisco IP Routing v2.0 (ROUTE)

Transcription:

Multicloud Networking: An Overview Shannon McFarland CCIE #5245 Distinguished Engineer @eyepv6

Agenda Hybrid Cloud Networking vs Multicloud Networking - A Level Set Extending on-premises private cloud to public cloud Add more public clouds to the mix Automation challenges 2

Hybrid Cloud Networking vs Multicloud Networking A Level Set

Hybrid vs Multicloud Networking Hybrid Cloud Networking == Network transport from on-premises to a single public cloud provider Multicloud Networking == Network transport from on-premises to multiple public cloud providers and/or between multiple public cloud providers The technologies used can be identical for every connection or they can be per-provider, perregion, per-project, etc.. Common network transport ingredients for Hybrid and Multicloud: Encryption (IPsec/IKEv2/IKEv2, SSL, PKI) Routing (Static, BGP and with supported public cloud-hosted routers: OSPF, EIGRP) Tunneling (IPsec tunnel mode, GRE, mgre, MPLS, VPLS, VXLAN, L2TPv3, etc..) Common network endpoint options: Native VPN (IPsec over Internet) using public cloud provider services that connect to on-premises router/firewall Commercial/Open Source VPN platform hosted on the public cloud provider connecting to an on-premises router/firewall Colocation Peering: Service from public cloud provider to on-premises via a 3 rd party colo facility

Why Would You Use Multiple Cloud Providers? Cloud provider high availability M&A may dictate public cloud provider preference (for a time) Regional cloud provider access Feature disparity between providers, regions and/or services Per-project service requirements 5

Extending On-Premises Private Cloud to a Public Cloud

Public Cloud Provider Native VPN Services The Big Three Reference Amazon Web Services (AWS): VPN: http://docs.aws.amazon.com/amazonvpc/latest/userguide/vpn-connections.html Direct Connect: https://aws.amazon.com/directconnect/ Google Cloud Platform (GCP): VPN: https://cloud.google.com/compute/docs/vpn/overview Dedicated Interconnect: https://cloud.google.com/interconnect/ Microsoft Azure: VPN: https://docs.microsoft.com/en-us/azure/vpn-gateway/ ExpressRoute: https://azure.microsoft.com/en-us/services/expressroute/ OpenStack public cloud goodness: https://www.openstack.org/passport

Options IPsec-over-the-Internet or Dedicated Connections IPsec VPN + Internet VPC Network Private Network 10.138.0.0/20 Google Cloud VPN IPsec/IKEv2 172.16.0.0/24 BGP/OSPF/EIGRP On Premises Private Cloud Google Cloud Router Colocation VPC VPC Network Network 10.138.0.0/20 Google Cloud Router VPN Cloud Partner Interconnect Colocation Facility Private Network 172.16.0.0/24 BGP/OSPF/EIGRP On Premises Private Cloud 8

Starting Simple Public Cloud Provider Native IPsec VPN Service OpenStack VPC Network BGP AS65003 Enterprise Edge Data Center pod pod pod 10.138.0.0/20 Google Cloud VPN IPsec/IKEv2 VM VM VM VM VM VM HYPERVISOR BGP AS65000 Google Cloud Router Region: europe-west3 9

Add More On-Premises Stuff Public Cloud Provider Native IPsec VPN Service Enterprise Edge On-Premises Cloud 1 Private Network 192.168.100.0/24 VPC Network 10.138.0.0/20 BGP AS65000 Routes this side should see: 172.16.0.0/24 192.168.100.0/24 Google Cloud VPN Google Cloud Router BGP AS65002 BGP AS65003 BGP/OSPF/EIGRP BGP/OSPF/EIGRP Private Network 172.16.0.0/24 On-Premises Cloud 2 Routes this side should see: 10.138.0.0/20 10

On-Premises Physical/Virtual Public Cloud Provider Native IPsec VPN Service ASR 1000 Physical Router Private Network 192.168.yyy.0/24 VPC Network 10.138.0.0/20 Google Cloud VPN ASA Firewall Private Network 172.16.yyy.0/24 Google Cloud Router Physical Firewall 11

Add More Public Cloud Providers to the Mix

Stepping into Multicloud Networking Multiple Native IPsec VPN Services VPC Network Google Cloud VPN 10.138.0.0/20 Google Cloud Router IPsec/IKEv2 Private Network 172.16.0.0/24 BGP/OSPF/EIGRP VPC Network On-Premises Private Cloud 172.31.0.0/16 VPC Router VPN Gateway 13

Stepping into Multicloud Networking Multiple Native IPsec VPN Services VPC Network Google Cloud VPN 10.138.0.0/20 Google Cloud Router IPsec/IKEv2 Private Network 172.16.0.0/24 BGP/OSPF/EIGRP VPC Network 172.31.0.0/16 VPC Router VPN Gateway As the number of these connections increase and/or change frequently... You can see where this is going On-Premises Private Cloud 14

Moving Away From Native VPN Services What Conditions Cause a Change in Design? If on-premises routers/firewalls are behind NAT Check for provider support of NAT-T You need different IPsec/IKE configurations than what the provider offers You need to extend your on-premises IGP (OSPF/EIGRP) into the public cloud You need MPLS VPN QoS, specific network monitoring (IP SLA, NetFlow), Enterprise toolsets for configuration and monitoring Operational consistency 15

DMVPN Enable Dynamic Multicloud Networking Cisco DMVPN VNet Network 10.50.0.0/16 Cisco CSR1000v Spoke Hub Private Network 172.16.0.0/24 VPC Network 172.31.0.0/16 Cisco CSR1000v Spoke DMVPN IGP Support: OSPF, EIGRP, ibgp QoS Policies IP SLA, NetFlow NAT-T (Transparency) MPLS etc... On-Premises Private Cloud Cisco DMVPN: https://www.cisco.com/c/en/us/pr oducts/security/dynamicmultipoint-vpn-dmvpn/index.html 16

Cisco SD-WAN vmanage vbond vsmart VNet Network 10.50.0.0/16 vedge/cedge Private Network 172.16.0.0/24 vedge/cedge VPC Network 172.31.0.0/16 vedge/cedge SD-WAN On Premises Private Cloud Cisco SD-WAN: https://www.cisco.com/c/en/us/solutions/enterprisenetworks/sd-wan/index.html 17

Automation Challenges

Automating the Multicloud Network Challenges: Different toolsets for different jobs (Ansible, Python, Bash scripts, Terraform, etc..) Different toolsets for different clouds (Heat for OpenStack, CloudFormation for AWS, Deployment Manager for GCP, Azure Resource Manager) Different toolsets for different vendor products (Cisco NSO, Cloud Center, Prime, YANG development kit, etc..) There is no silver bullet - Start simple: Use what your team knows Perform a gap analysis on what you have against what you need Initially, automate the things that hurt a lot to do by hand and that change frequently I use free tools but that doesn t mean the process is free J I use public cloud clients (gcloud CLI, aws CLI, azure CLI) for services that don t change frequently or that need very unique/non-repeatable configurations I use public cloud provider automation tools (e.g., GCP Deployment Manager) for in-project work (new instances with new networks for a GCP-only project) I use REST for things that change a lot, especially if driven from another dashboard When you want to stop pulling your hair out, move to something that can front-end each API that you need to talk to and treat the environment as a whole Cisco CloudCenter: https://www.cisco.com/c/en/us/products/cloudsystems-management/cloudcenter/index.html

Summary Cisco Multicloud Solutions: https://www.cisco.com/c/en/us/solutions/cloud/multicloud-portfolio.html Public cloud native IPsec VPN support is good, but it is always point-to-point, does not have consistent support for NAT and lacks network-rich features DMVPN with Cisco CSR, ASR, ISR can greatly improve the deployment, HA, scalability and operations of the VPN connections If you have deployed or want to deploy an SD-WAN, adding in your public cloud sites into your overall SD-WAN design can reap many operational and cost benefits Multicloud between multiple public cloud providers and on-premises look like distinctly separate hybrid cloud deployments but.. You have to take into consideration: Team knowledge of public cloud operations, tools, automation Cross cloud tools and automation Diversity of network designs, protocols, security Multi-region designs Availability zones within and across providers 20

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback