Upload
others
View
13
Download
0
Embed Size (px)
Citation preview
Multicloud Networking: An Overview
Shannon McFarland CCIE #5245Distinguished Engineer@eyepv6
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Hybrid Cloud Networking vs Multicloud Networking - A Level Set
• Extending on-premises private cloud to public cloud
• Add more public clouds to the mix
• Automation challenges
Agenda
2
Hybrid Cloud Networking vs Multicloud Networking – A Level Set
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Hybrid Cloud Networking == Network transport from on-premises to a single public cloud provider
• Multicloud Networking == Network transport from on-premises to multiple public cloud providers and/or between multiple public cloud providers
• The technologies used can be identical for every connection or they can be per-provider, per-region, per-project, etc..
• Common network transport ingredients for Hybrid and Multicloud:• Encryption (IPsec/IKEv2/IKEv2, SSL, PKI)• Routing (Static, BGP and with supported public cloud-hosted routers: OSPF, EIGRP)• Tunneling (IPsec tunnel mode, GRE, mGRE, MPLS, VPLS, VXLAN, L2TPv3, etc..)
• Common network endpoint options:• Native VPN (IPsec over Internet) using public cloud provider services that connect to on-premises router/firewall• Commercial/Open Source VPN platform hosted on the public cloud provider connecting to an on-premises
router/firewall• Colocation Peering: Service from public cloud provider to on-premises via a 3rd party colo facility
Hybrid vs Multicloud Networking
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Cloud provider high availability• M&A may dictate public cloud provider preference (for a time)• Regional cloud provider access
• Feature disparity between providers, regions and/or services
• Per-project service requirements
Why Would You Use Multiple Cloud Providers?
5
Extending On-Premises Private Cloud to a Public Cloud
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Amazon Web Services (AWS):
• VPN: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpn-connections.html
• Direct Connect: https://aws.amazon.com/directconnect/
• Google Cloud Platform (GCP):
• VPN: https://cloud.google.com/compute/docs/vpn/overview
• Dedicated Interconnect: https://cloud.google.com/interconnect/
• Microsoft Azure:
• VPN: https://docs.microsoft.com/en-us/azure/vpn-gateway/
• ExpressRoute: https://azure.microsoft.com/en-us/services/expressroute/
• OpenStack public cloud goodness: https://www.openstack.org/passport
Public Cloud Provider Native VPN ServicesThe Big Three
Reference
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Options – IPsec-over-the-Internet or Dedicated Connections
8
Private Network172.16.0.0/24
VPC Network10.138.0.0/20
IPsec/IKEv2 BGP/OSPF/EIGRP
On Premises Private Cloud
Google Cloud VPN
Google Cloud Router
Private Network172.16.0.0/24
VPC Network10.138.0.0/20
BGP/OSPF/EIGRP
On Premises Private Cloud
Google Cloud VPN
VPC Network10.138.0.0/20
Google CloudRouter
Cloud Partner Interconnect
Colocation Facility
IPsec VPN + Internet
Colocation
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Starting SimplePublic Cloud Provider Native IPsec VPN Service
9
VPC Network10.138.0.0/20
IPsec/IKEv2Google Cloud VPN
Google Cloud Router
Region: europe-west3
BGP AS65000
BGP AS65003 Enterprise Edge
OpenStack
HYPERVISOR
VM VM VM
pod pod pod
VM VM VM
Data Center
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Add More On-Premises StuffPublic Cloud Provider Native IPsec VPN Service
VPC Network10.138.0.0/20
10
BGP AS65000 BGP AS65003
Routes this side should see:10.138.0.0/20
Private Network172.16.0.0/24
Private Network192.168.100.0/24
BGP AS65002
On-Premises Cloud 1
On-Premises Cloud 2Routes this side should see:172.16.0.0/24192.168.100.0/24
Google Cloud VPN
Google Cloud Router
BGP/OSPF/EIGRP
BGP/OSPF/EIGRP
Enterprise Edge
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
On-Premises Physical/Virtual Public Cloud Provider Native IPsec VPN Service
VPC Network10.138.0.0/20
11
Private Network172.16.yyy.0/24
Private Network192.168.yyy.0/24
Physical Router
Physical Firewall
Google Cloud VPN
Google Cloud Router
ASR 1000
ASA Firewall
Add More Public Cloud Providers to the Mix
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Stepping into Multicloud NetworkingMultiple Native IPsec VPN Services
Private Network172.16.0.0/24
VPC Network10.138.0.0/20
IPsec/IKEv2
13
BGP/OSPF/EIGRP
On-Premises Private Cloud
Google Cloud VPN
Google Cloud Router
VPC Network172.31.0.0/16
VPN Gateway
VPCRouter
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Stepping into Multicloud NetworkingMultiple Native IPsec VPN Services
Private Network
172.16.0.0/24
VPC Network
10.138.0.0/20
14
BGP/OSPF/EIGRP
On-Premises Private Cloud
Google Cloud VPN
Google Cloud Router
VPC Network
172.31.0.0/16
VPN Gateway
VPCRouter As the number of these connections
increase and/or change frequently...
You can see where this is going
IPsec/IKEv2
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
• If on-premises routers/firewalls are behind NAT – Check for provider support of NAT-T
• You need different IPsec/IKE configurations than what the provider offers
• You need to extend your on-premises IGP (OSPF/EIGRP) into the public cloud
• You need MPLS VPN
• QoS, specific network monitoring (IP SLA, NetFlow), Enterprise toolsets for configuration and monitoring
• Operational consistency
Moving Away From Native VPN ServicesWhat Conditions Cause a Change in Design?
15
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
DMVPN – Enable Dynamic Multicloud NetworkingCisco DMVPN
Private Network172.16.0.0/24
VNet Network10.50.0.0/16
DMVPN
16
On-Premises Private CloudVPC Network172.31.0.0/16
Cisco CSR1000v
Cisco CSR1000v
IGP Support: OSPF, EIGRP, iBGPQoS PoliciesIP SLA, NetFlowNAT-T (Transparency)MPLSetc...
Hub
Spoke
Spoke
Cisco DMVPN: https://www.cisco.com/c/en/us/products/security/dynamic-multipoint-vpn-dmvpn/index.html
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco SD-WAN
17
Private Network
172.16.0.0/24
VNet Network10.50.0.0/16
SD-WANOn Premises Private Cloud
VPC Network172.31.0.0/16
vEdge/cEdge
vEdge/cEdge
vEdge/cEdge
vManage vBond vSmart
Cisco SD-WAN: https://www.cisco.com/c/en/us/solutions/enterprise-networks/sd-wan/index.html
Automation Challenges
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Challenges:• Different toolsets for different jobs (Ansible, Python, Bash scripts, Terraform, etc..)• Different toolsets for different clouds (Heat for OpenStack, CloudFormation for AWS, Deployment Manager for
GCP, Azure Resource Manager)• Different toolsets for different vendor products (Cisco NSO, Cloud Center, Prime, YANG development kit, etc..)
• There is no silver bullet - Start simple:• Use what your team knows – Perform a gap analysis on what you have against what you need• Initially, automate the things that hurt a lot to do by hand and that change frequently – I use free tools but that
doesn’t mean the process is free J• I use public cloud clients (gcloud CLI, aws CLI, azure CLI) for services that don’t change frequently or that need very
unique/non-repeatable configurations• I use public cloud provider automation tools (e.g., GCP Deployment Manager) for in-project work (new instances with
new networks for a GCP-only project)• I use REST for things that change a lot, especially if driven from another dashboard
• When you want to stop pulling your hair out, move to something that can front-end each API that you need to talk to and treat the environment as a whole – Cisco CloudCenter: https://www.cisco.com/c/en/us/products/cloud-systems-management/cloudcenter/index.html
Automating the Multicloud Network
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Cisco Multicloud Solutions: https://www.cisco.com/c/en/us/solutions/cloud/multicloud-portfolio.html
• Public cloud native IPsec VPN support is good, but it is always point-to-point, does not have consistent support for
NAT and lacks network-rich features
• DMVPN with Cisco CSR, ASR, ISR can greatly improve the deployment, HA, scalability and operations of the VPN
connections
• If you have deployed or want to deploy an SD-WAN, adding in your public cloud sites into your overall SD-WAN
design can reap many operational and cost benefits
• Multicloud between multiple public cloud providers and on-premises look like distinctly separate hybrid cloud
deployments but..
• You have to take into consideration:
• Team knowledge of public cloud operations, tools, automation
• Cross cloud tools and automation
• Diversity of network designs, protocols, security
• Multi-region designs
• Availability zones within and across providers
Summary
20