Multicloud Networking: An Overview

Shannon McFarland CCIE #5245Distinguished Engineer@eyepv6

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

• Hybrid Cloud Networking vs Multicloud Networking - A Level Set

• Extending on-premises private cloud to public cloud

• Add more public clouds to the mix

• Automation challenges

Agenda

2

Hybrid Cloud Networking vs Multicloud Networking – A Level Set

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

• Hybrid Cloud Networking == Network transport from on-premises to a single public cloud provider

• Multicloud Networking == Network transport from on-premises to multiple public cloud providers and/or between multiple public cloud providers

• The technologies used can be identical for every connection or they can be per-provider, per-region, per-project, etc..

• Common network transport ingredients for Hybrid and Multicloud:• Encryption (IPsec/IKEv2/IKEv2, SSL, PKI)• Routing (Static, BGP and with supported public cloud-hosted routers: OSPF, EIGRP)• Tunneling (IPsec tunnel mode, GRE, mGRE, MPLS, VPLS, VXLAN, L2TPv3, etc..)

• Common network endpoint options:• Native VPN (IPsec over Internet) using public cloud provider services that connect to on-premises router/firewall• Commercial/Open Source VPN platform hosted on the public cloud provider connecting to an on-premises

router/firewall• Colocation Peering: Service from public cloud provider to on-premises via a 3rd party colo facility

Hybrid vs Multicloud Networking

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

• Cloud provider high availability• M&A may dictate public cloud provider preference (for a time)• Regional cloud provider access

• Feature disparity between providers, regions and/or services

• Per-project service requirements

Why Would You Use Multiple Cloud Providers?

5

Extending On-Premises Private Cloud to a Public Cloud

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

• Amazon Web Services (AWS):

• VPN: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpn-connections.html

• Direct Connect: https://aws.amazon.com/directconnect/

• Google Cloud Platform (GCP):

• VPN: https://cloud.google.com/compute/docs/vpn/overview

• Dedicated Interconnect: https://cloud.google.com/interconnect/

• Microsoft Azure:

• VPN: https://docs.microsoft.com/en-us/azure/vpn-gateway/

• ExpressRoute: https://azure.microsoft.com/en-us/services/expressroute/

• OpenStack public cloud goodness: https://www.openstack.org/passport

Public Cloud Provider Native VPN ServicesThe Big Three

Reference

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Options – IPsec-over-the-Internet or Dedicated Connections

8

Private Network172.16.0.0/24

VPC Network10.138.0.0/20

IPsec/IKEv2 BGP/OSPF/EIGRP

On Premises Private Cloud

Google Cloud VPN

Google Cloud Router

Private Network172.16.0.0/24

VPC Network10.138.0.0/20

BGP/OSPF/EIGRP

On Premises Private Cloud

Google Cloud VPN

VPC Network10.138.0.0/20

Google CloudRouter

Cloud Partner Interconnect

Colocation Facility

IPsec VPN + Internet

Colocation

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Starting SimplePublic Cloud Provider Native IPsec VPN Service

9

VPC Network10.138.0.0/20

IPsec/IKEv2Google Cloud VPN

Google Cloud Router

Region: europe-west3

BGP AS65000

BGP AS65003 Enterprise Edge

OpenStack

HYPERVISOR

VM VM VM

pod pod pod

VM VM VM

Data Center

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Add More On-Premises StuffPublic Cloud Provider Native IPsec VPN Service

VPC Network10.138.0.0/20

10

BGP AS65000 BGP AS65003

Routes this side should see:10.138.0.0/20

Private Network172.16.0.0/24

Private Network192.168.100.0/24

BGP AS65002

On-Premises Cloud 1

On-Premises Cloud 2Routes this side should see:172.16.0.0/24192.168.100.0/24

Google Cloud VPN

Google Cloud Router

BGP/OSPF/EIGRP

BGP/OSPF/EIGRP

Enterprise Edge

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

On-Premises Physical/Virtual Public Cloud Provider Native IPsec VPN Service

VPC Network10.138.0.0/20

11

Private Network172.16.yyy.0/24

Private Network192.168.yyy.0/24

Physical Router

Physical Firewall

Google Cloud VPN

Google Cloud Router

ASR 1000

ASA Firewall

Add More Public Cloud Providers to the Mix

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Stepping into Multicloud NetworkingMultiple Native IPsec VPN Services

Private Network172.16.0.0/24

VPC Network10.138.0.0/20

IPsec/IKEv2

13

BGP/OSPF/EIGRP

On-Premises Private Cloud

Google Cloud VPN

Google Cloud Router

VPC Network172.31.0.0/16

VPN Gateway

VPCRouter

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Stepping into Multicloud NetworkingMultiple Native IPsec VPN Services

Private Network

172.16.0.0/24

VPC Network

10.138.0.0/20

14

BGP/OSPF/EIGRP

On-Premises Private Cloud

Google Cloud VPN

Google Cloud Router

VPC Network

172.31.0.0/16

VPN Gateway

VPCRouter As the number of these connections

increase and/or change frequently...

You can see where this is going

IPsec/IKEv2

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

• If on-premises routers/firewalls are behind NAT – Check for provider support of NAT-T

• You need different IPsec/IKE configurations than what the provider offers

• You need to extend your on-premises IGP (OSPF/EIGRP) into the public cloud

• You need MPLS VPN

• QoS, specific network monitoring (IP SLA, NetFlow), Enterprise toolsets for configuration and monitoring

• Operational consistency

Moving Away From Native VPN ServicesWhat Conditions Cause a Change in Design?

15

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

DMVPN – Enable Dynamic Multicloud NetworkingCisco DMVPN

Private Network172.16.0.0/24

VNet Network10.50.0.0/16

DMVPN

16

On-Premises Private CloudVPC Network172.31.0.0/16

Cisco CSR1000v

Cisco CSR1000v

IGP Support: OSPF, EIGRP, iBGPQoS PoliciesIP SLA, NetFlowNAT-T (Transparency)MPLSetc...

Hub

Spoke

Spoke

Cisco DMVPN: https://www.cisco.com/c/en/us/products/security/dynamic-multipoint-vpn-dmvpn/index.html

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco SD-WAN

17

Private Network

172.16.0.0/24

VNet Network10.50.0.0/16

SD-WANOn Premises Private Cloud

VPC Network172.31.0.0/16

vEdge/cEdge

vEdge/cEdge

vEdge/cEdge

vManage vBond vSmart

Cisco SD-WAN: https://www.cisco.com/c/en/us/solutions/enterprise-networks/sd-wan/index.html

Automation Challenges

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

• Challenges:• Different toolsets for different jobs (Ansible, Python, Bash scripts, Terraform, etc..)• Different toolsets for different clouds (Heat for OpenStack, CloudFormation for AWS, Deployment Manager for

GCP, Azure Resource Manager)• Different toolsets for different vendor products (Cisco NSO, Cloud Center, Prime, YANG development kit, etc..)

• There is no silver bullet - Start simple:• Use what your team knows – Perform a gap analysis on what you have against what you need• Initially, automate the things that hurt a lot to do by hand and that change frequently – I use free tools but that

doesn’t mean the process is free J• I use public cloud clients (gcloud CLI, aws CLI, azure CLI) for services that don’t change frequently or that need very

unique/non-repeatable configurations• I use public cloud provider automation tools (e.g., GCP Deployment Manager) for in-project work (new instances with

new networks for a GCP-only project)• I use REST for things that change a lot, especially if driven from another dashboard

• When you want to stop pulling your hair out, move to something that can front-end each API that you need to talk to and treat the environment as a whole – Cisco CloudCenter: https://www.cisco.com/c/en/us/products/cloud-systems-management/cloudcenter/index.html

Automating the Multicloud Network

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

• Cisco Multicloud Solutions: https://www.cisco.com/c/en/us/solutions/cloud/multicloud-portfolio.html

• Public cloud native IPsec VPN support is good, but it is always point-to-point, does not have consistent support for

NAT and lacks network-rich features

• DMVPN with Cisco CSR, ASR, ISR can greatly improve the deployment, HA, scalability and operations of the VPN

connections

• If you have deployed or want to deploy an SD-WAN, adding in your public cloud sites into your overall SD-WAN

design can reap many operational and cost benefits

• Multicloud between multiple public cloud providers and on-premises look like distinctly separate hybrid cloud

deployments but..

• You have to take into consideration:

• Team knowledge of public cloud operations, tools, automation

• Cross cloud tools and automation

• Diversity of network designs, protocols, security

• Multi-region designs

• Availability zones within and across providers

Summary

20