A key component of Cisco's hybrid cloud portfolio is Cloud Connect. In this session, we review how Cloud Connect solutions can securely extend your private networks into the AWS Cloud while preserving the application experience. The products we cover include the CSR1000v and vEdge with Umbrella integration. This session is brought to you by AWS Partner, Cisco.
DEM08 Use Cisco Cloud Connect to Securely Extend Private Network to AWS and Maintain User Experience
1. Liad Ofek
Director, Product management
Cloud and Virtualization
Networking Business Unit
January 2018
Cisco Hybrid Cloud: Cloud Connect
2. It's a Hybrid Cloud World
Source: IDC CloudView, April, 2017, n=8,293 worldwide respondents, weighted by country, company size and industry
Among cloud users:
• 85% are evaluating or using public cloud
• 87% have taken steps towards a hybrid cloud strategy
• 94% plan to use multiple clouds
3. Hybrid Cloud Complexity Challenges
Pain points: Fragmented, Complex, No Data Control
"I need to…"
• "…securely extend private networks to public clouds"
• "…define and execute my cloud-first strategy"
• "…protect my cloud applications, endpoints, and data"
• "…migrate to cloud and manage the full application lifecycle"
4. Cloud Adoption Journey - Key Activities & Pain Points
[Figure: private data center alongside AWS IaaS, PaaS, other public clouds and many SaaS providers, labelled with the pain points Fragmented, Complex and No Data Control]
8. Cisco Cloud Portfolio — Implementation
Hybrid Cloud Portfolio: Cloud Connect, Cloud Protect, Cloud Advisory, Cloud Consume
Design and Deployment Guides:
• Best practices
• Integrated design
• Detailed implementation steps
Outcome:
▪ Faster implementation and time to value
▪ Lower risk
▪ Lower cost
9. Cloud Connectivity Challenges
[Figure: users and applications spread across on-prem datacenters, remote branches and public cloud, joined by Cloud Connect]
• Complexity & dependency – need a simple and scalable way to securely extend the private network across cloud environments
• Inconsistent security policies between private & public – need to apply consistent security policies
• Performance and ambiguity about the best path to reach the cloud – need to enhance the application experience
10. Cloud Connect – CSR 1000V
[Figure: Enterprise DC (ASR1K) and Branch (ISR4K) connected to CSR1000v instances in front of multiple VPCs]
• Securely extend the private network to the cloud from the Branch and DC with CSR1000v
• Extend routing to a multi-VPC environment with CSR1000v in a Transit VPC
• Maintain application experience with QoS and AVC
11. Cloud Connect w/vEdge Cloud
[Figure: Enterprise DC (ASR1K) and Branch (vEdge) connected over the Internet to vEdge Cloud instances in front of multiple VPCs]
• Direct cloud connectivity from a Branch with vEdge to vEdge Cloud
• Extend routing to a multi-VPC environment with a vEdge Transit VPC
• Extend the Cisco SD-WAN fabric to the cloud
12. Cloud Connect - vEdge and Umbrella
[Figure: Branch (vEdge) and Enterprise DC (ASR1K) reaching vEdge Cloud in front of multiple VPCs, with Internet-bound traffic passing through Umbrella]
• Protect branch office users who reach your multi-cloud environment directly over direct internet access (DIA), using vEdge and the Umbrella secure internet gateway
14. Cisco Cloud Services Router (CSR) 1000V
Cisco IOS XE Software in a Virtual Appliance Form-Factor
Enterprise-class Networking with Rapid Deployment and Flexibility
[Figure: CSR 1000V software running as a VM alongside other OS/App VMs on a hypervisor and virtual switch on an x86 server]
Software
• Familiar IOS XE software with ASR1000 and ISR4000
Infrastructure Agnostic
• Runs on x86 platforms
• Supported Hypervisors: VMware ESXi, Linux KVM, Citrix Xen, Microsoft Hyper-V, Cisco NFVIS and CSP2100
• Supported Cloud Platforms: Amazon AWS, Microsoft Azure, Google Cloud Platform (Q3CY18), AliCloud
Performance Elasticity
• Available licenses range from 10 Mbps to 10 Gbps
• CPU footprint ranges from 1vCPU to 8vCPU
License Options
• Term based 1 year, 3 year or 5 year
• Smart License enabled
Programmability
• NetConf/Yang, RESTConf, Guest Shell and SSH/Telnet
15. Q: Where can I find the CSR on AWS?
A: In the AWS marketplace!
1. Search for “Cisco”
2. Pick a flavor
16. Two deployment models
[Figure: a CSR inside an application VPC versus CSRs in a Transit Hub spanning AZ1 and AZ2]
Application VPC Gateway
• CSR deployed in the application VPC
• Provides the IPsec gateway for the entire VPC
• Needs high availability
Transit Hub Router
• CSR deployed in a dedicated Transit Hub VPC, not in the application VPC
• High-speed traffic routing for spoke VPCs
• High availability is built in natively
17. CSR Cloud High Availability
• No virtual IP as with HSRP, since AWS doesn't allow multicast
• BFD over a GRE tunnel is enabled between the two CSRs to detect failure
• AWS Route Tables for the app subnets are re-pointed to the surviving CSR
• Failure detection is automatic
• The CSR itself calls the AWS API to adjust the AWS Route Table routes
• Sub-second failover
[Figure: VPC with a CSR subnet and App Subnets A and B; before failover the app subnet route tables point at the first CSR, after failover the surviving CSR has re-pointed them through the AWS REST API, with BFD running between the two CSRs]
http://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/aws/b_csraws/b_csraws_chapter_0100.html
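The route re-point step above is the part of the failover that touches AWS, so it is worth seeing what the surviving router actually has to do. The script below is an added example written for this page, not Cisco's csr_aws_ha package: it models the EC2 calls with a constructed offline stand-in for the boto3 client (the real client is `boto3.client("ec2")`, whose `describe_route_tables` and `replace_route` take the keyword arguments used here). Route table IDs, ENI IDs and CIDRs are constructed. The check-before-replace is the detail a practitioner wants: the script only moves routes that currently point at the failed peer, so a rerun is a no-op and a CSR never claims a route it was not serving. The same logic also only works safely if the CSR's instance role is limited to ec2:DescribeRouteTables and ec2:ReplaceRoute, constrained to the app route tables where the policy language allows it; a router with broad EC2 rights that gets compromised can redirect any subnet in the VPC.

```python
"""Route-table repoint on CSR failover.

Models the HA step on slide 17: when BFD declares the peer dead, the surviving
CSR calls the EC2 API and re-points the app subnets' route tables at its own
ENI. Added example (not Cisco's csr_aws_ha package). With boto3 the real client
is boto3.client("ec2"); describe_route_tables() and replace_route() are called
with the same keyword arguments used below.
"""
from dataclasses import dataclass, field


@dataclass
class FakeEc2:
    """Constructed offline stand-in for the boto3 EC2 client (only two calls)."""
    tables: dict = field(default_factory=dict)   # rtb-id -> {cidr: eni-id}
    calls: list = field(default_factory=list)    # record of ReplaceRoute calls

    def describe_route_tables(self, RouteTableIds):
        return {"RouteTables": [
            {"RouteTableId": rtb,
             "Routes": [{"DestinationCidrBlock": cidr, "NetworkInterfaceId": eni}
                        for cidr, eni in self.tables[rtb].items()]}
            for rtb in RouteTableIds]}

    def replace_route(self, RouteTableId, DestinationCidrBlock, NetworkInterfaceId):
        self.calls.append((RouteTableId, DestinationCidrBlock, NetworkInterfaceId))
        self.tables[RouteTableId][DestinationCidrBlock] = NetworkInterfaceId
        return {}


def repoint_routes(ec2, route_table_ids, dest_cidr, failed_eni, surviving_eni):
    """Re-point dest_cidr at surviving_eni in every listed route table where it
    currently targets failed_eni. Returns the IDs of the tables that changed.

    Checking the current target first keeps the operation idempotent and stops
    a CSR from taking over a route that was never its peer's (e.g. a CIDR an
    operator deliberately moved elsewhere)."""
    changed = []
    resp = ec2.describe_route_tables(RouteTableIds=list(route_table_ids))
    for rtb in resp["RouteTables"]:
        for route in rtb["Routes"]:
            if route.get("DestinationCidrBlock") != dest_cidr:
                continue
            if route.get("NetworkInterfaceId") == failed_eni:
                ec2.replace_route(RouteTableId=rtb["RouteTableId"],
                                  DestinationCidrBlock=dest_cidr,
                                  NetworkInterfaceId=surviving_eni)
                changed.append(rtb["RouteTableId"])
    return changed


def demo():
    """Constructed scenario: CSR1 (eni-csr1) has failed, CSR2 (eni-csr2) survives."""
    ec2 = FakeEc2(tables={
        "rtb-app-a": {"10.0.0.0/8": "eni-csr1", "0.0.0.0/0": "eni-csr1"},
        "rtb-app-b": {"10.0.0.0/8": "eni-csr2", "0.0.0.0/0": "eni-csr1"},  # already on CSR2
    })
    ids = ["rtb-app-a", "rtb-app-b"]
    first = repoint_routes(ec2, ids, "10.0.0.0/8", "eni-csr1", "eni-csr2")
    second = repoint_routes(ec2, ids, "10.0.0.0/8", "eni-csr1", "eni-csr2")  # no-op
    return first, second, ec2


if __name__ == "__main__":
    first, second, ec2 = demo()
    print("changed:", first, "rerun:", second, "calls:", ec2.calls)
```

On a real CSR this would run inside Guest Shell (Python with the AWS SDK installed, as slide 27 describes), triggered by the BFD down event; the only change needed is swapping `FakeEc2` for `boto3.client("ec2")`.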
18. Public Cloud Transit Routing Challenge
• No transit routing capability: with A-B peering and B-C peering, A-to-C through B is NOT supported
• Doesn't support cross-region peering
[Figure: VPC-A, VPC-B and VPC-C with A-B and B-C peerings; the alternatives shown are a full mesh of peerings or backhaul through the Private DC (see next slide)]
19. Transit VPC Design
• Dedicated VPC: simplifies routing by not combining with other shared services.
• CSR1000v Virtual Network Appliances: provide dynamic routing and VPN network tunnels
• Redundancy: dynamic routing combined with multi-AZ deployment creates a robust network infrastructure.
• VGW: VPC virtual gateways provide highly available connections to transit VPC virtual network appliances.
[Figure: Transit VPC with CSR1 in AZ1 and CSR2 in AZ2, connected to the Private DC (ASR) over Direct Connect or Internet, to spoke VPCs across regions and accounts/subscriptions, and to other provider networks]
20. Traffic Segregation
• Traffic segregation is built in natively
• Each Spoke VPC is represented as a different VRF in the CSR
• Routing is controlled through RT (Route Target)
• Different VPCs can communicate by exporting/importing the same RT
• Follow the same mechanism to create customized VRFs as on-premises
[Figure: CSR1 and CSR2 holding VPC-A, VPC-B and VPC-C VRFs plus an On-Premise VRF, exchanged with the Private DC over MP-BGP]
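The segregation on this slide rests entirely on the route-target import/export rule, and a misplaced RT silently joins two VPCs or leaves one half-connected. The model below is an added example written for this page, not Cisco configuration or code: it evaluates the MP-BGP VPNv4 rule (a VRF installs another VRF's prefixes only when one of the sender's export RTs is in its import list) over a set of VRFs and reports which spokes can reach each other and where exchange is one-way only. The VRF names and RT values are constructed; the hub-and-spoke layout mirrors the slide, with VPC-A and VPC-B sharing an extra RT so they can talk directly while VPC-C stays isolated.

```python
"""Route-target (RT) reachability model for the Transit VPC VRF design on
slide 20. Added example, not Cisco configuration: it evaluates the MP-BGP
import/export rule so you can check which spoke VRFs can actually reach each
other before committing a config. RT values are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vrf:
    name: str
    export_rt: frozenset   # RTs attached to prefixes this VRF advertises
    import_rt: frozenset   # RTs this VRF accepts into its routing table


def learns_routes(receiver: Vrf, sender: Vrf) -> bool:
    """VPNv4 import rule: receiver installs sender's prefixes iff at least one
    of sender's export RTs appears in receiver's import RTs."""
    return receiver != sender and bool(receiver.import_rt & sender.export_rt)


def reachability(vrfs):
    """Return the unordered pairs (a, b) that have routes to each other.
    One-way route exchange is not enough for a TCP flow, so only symmetric
    exchange counts as reachability."""
    return {(a.name, b.name)
            for a in vrfs for b in vrfs
            if a.name < b.name and learns_routes(a, b) and learns_routes(b, a)}


def asymmetric(vrfs):
    """Pairs (a, b) where a learns b's routes but b does not learn a's: almost
    always a config error, and worth flagging because the 'isolated' side
    still receives packets it cannot answer."""
    return {(a.name, b.name)
            for a in vrfs for b in vrfs
            if a != b and learns_routes(a, b) and not learns_routes(b, a)}


def demo():
    # Hub-and-spoke: each spoke VPC exports its own RT and imports the on-prem
    # RT; on-prem imports every spoke. VPC-A and VPC-B additionally share
    # 65000:200 so they can talk directly; VPC-C stays isolated from both.
    onprem = Vrf("on-prem", frozenset({"65000:1"}),
                 frozenset({"65000:1", "65000:101", "65000:102", "65000:103"}))
    vpc_a = Vrf("VPC-A", frozenset({"65000:101", "65000:200"}), frozenset({"65000:1", "65000:200"}))
    vpc_b = Vrf("VPC-B", frozenset({"65000:102", "65000:200"}), frozenset({"65000:1", "65000:200"}))
    vpc_c = Vrf("VPC-C", frozenset({"65000:103"}), frozenset({"65000:1"}))
    fabric = [onprem, vpc_a, vpc_b, vpc_c]
    return reachability(fabric), asymmetric(fabric)


if __name__ == "__main__":
    reach, asym = demo()
    print("reachable pairs:", sorted(reach))
    print("one-way exchange:", sorted(asym))
```

Run it against the RTs you intend to configure before pushing them: an unexpected pair in the reachability set is a segmentation break, and anything in the asymmetric set is a half-finished change.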
21. Scale Out
[Figure: Transit VPC with CSR1 through CSR4 reaching the Private DC (ASR) over DX/ER or Internet, and spoke VPCs]
• Add another pair of CSRs to scale out
• The remote end (VGW) has multiple tunnels and does L3 ECMP (Equal Cost Multi-Path)
• Elasticity as you go: monitor CSR real-time throughput and spin up new CSRs on demand.
22. Don't Let Public Cloud Become Your Blind Spot
[Figure: Enterprise DC (ASR1K) and Branch (ISR4K) with CSR1000v instances in the cloud exporting Netflow to a collector and to Cisco Secure Agile Exchange]
• Leverage AVC (Application Visibility and Control) on CSR1000V to visualize your application traffic
• Send application metrics to a central controller to ensure app experience
• Automatically apply QoS policy when needed
23. Prioritize Your Traffic with QoS Policy
• The AWS infrastructure doesn't honor QoS markings, but you can apply QoS to traffic over the tunnel
• Based on transport type (Direct Connect, VPC Peering, Public IP), shape different traffic to ensure app experience when the link gets oversubscribed
[Figure: Cisco ISR/ASR in the Corporate DC, Co-Lo with Direct Connect, QoS applied on the IPsec tunnel]
24. Integrated Security Features on CSR
ACL, VRF, Zone Based Firewall, Snort IPS, Webroot URL Filtering, Umbrella, IPsec, TrustSec, Encrypted Traffic Analytics (ETA, support coming)
[Figure: CSR1 and CSR2 in the Transit Hub VPC]
Integrated Security
• Low TCO by enabling security services
• Built-in high availability with routing
• Single device to manage routing and security
25. Extend TrustSec into AWS Transit VPC
Simplifying Segmentation and Control
[Figure: Data Center with ISE (Identity & Access Control) and ASR1K connected over Direct Connect with dynamic route peering to a Transit VPC (CSR1 and CSR2 across AZ1/AZ2) fronting App 1 (VPC1), App 2 (VPC2), App 3 (VPC3) and the Internet; an access matrix of the Employee, Developer, Guest and Non-Compliant tags against App 1, App 2, App 3 and Internet shows which combinations are permitted (✓) or denied (X); environments labelled dev, pro, test]
Policy Enforcement: control access to spoke VPCs based on SGT tags and policy enforcement within the Transit VPC hub CSRv's
• Control traffic between VPCs
• Simplify security configurations
• Scale security group control
• Single control point
26. AWS CloudFormation
• AWS technology to define cloud stacks via a JSON (or YAML) template file
• Comparable technologies in OpenStack (Heat) and Azure (Resource Manager templates)
• Can be used to create VPCs or launch EC2 instances into existing VPCs
• For CSR, can be used to initially launch, and then also configure via user data
• Most useful for Day 0
• Template for CSR in GitHub repository
[Figure: template → AWS CloudFormation → stack]
27. Guest Shell
• Guest Shell runs in an LXC container
• It gives you native Linux shell (command) access to run customized scripts
• Access to the IOS-XE CLI and boot flash
• Python is the language we support today
• You can install the AWS CLI and SDK to automate day-to-day jobs through scripts
• EEM can be leveraged to create crontab tasks calling Guest Shell scripts
• https://github.com/CiscoDevNet/csr_aws_guestshell
[Figure: Network OS hosting Guest Shell as an open application container exposing an API to Linux applications]
28. Cloud Security with Cisco Umbrella
[Figure: Remote Site with DIA over ISP1 on the SD-WAN fabric, Regional Data Center and Data Center; DNS queries forwarded to Umbrella]
• vEdge router intercepts client DNS queries
  - Deep Packet Inspection
• DNS queries are forwarded to Cisco Umbrella DNS servers based on the data or application aware routing policies centrally defined on vManage
  - Target DNS server list is defined under the service side VPN
  - Policy can pin DNS queries for a specific application (DPI based) to a specific DNS server from the list
• Cisco Umbrella enforces security policy compliance based on DNS resolution
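The interception step above is a parse-then-steer decision on every client DNS query, and the parser is the part an attacker gets to talk to. The script below is an added example written for this page, not vEdge or Viptela code: it parses an intercepted query down to its QNAME, rejecting responses, multi-question packets, compression pointers in the question and truncated data, and then picks the resolver the policy pins that query to, defaulting to Cisco Umbrella's public anycast resolvers (208.67.222.222 and 208.67.220.220). The real vEdge classifies the application with DPI; here the application class is approximated by a label-aligned domain-suffix match, and the policy table, the `corp.example` and `voice.example` suffixes and the 10.1.1.53 internal resolver are constructed for illustration.

```python
"""DNS-query steering model for the Umbrella integration on slide 28.
Added example, not vEdge/Viptela code: parse the intercepted query down to its
QNAME and pick the resolver the policy pins it to, defaulting to Umbrella.
The policy table and the 10.1.1.53 internal resolver are constructed.
"""
import struct

# Cisco Umbrella anycast resolvers (public addresses).
UMBRELLA_RESOLVERS = ("208.67.222.222", "208.67.220.220")


def parse_question(packet: bytes):
    """Parse an RFC 1035 query and return (qname, qtype).
    Rejects responses, multi-question packets, compression pointers in the
    question and truncated data, so a crafted packet cannot drive the policy."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", packet[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in question")
        label = packet[pos:pos + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii").lower())   # UnicodeDecodeError is a ValueError
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed test input: a standard recursive query (RD set) for name."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


# Hypothetical service-side policy: (domain suffix, resolver list). First match wins;
# anything unmatched goes to Umbrella so it is subject to Umbrella's DNS-layer policy.
POLICY = [
    ("corp.example", ["10.1.1.53"]),             # internal app: stays on the internal resolver
    ("voice.example", [UMBRELLA_RESOLVERS[1]]),  # pinned to a specific server from the list
]


def choose_resolver(qname: str, policy=POLICY, default=UMBRELLA_RESOLVERS) -> str:
    """Return the resolver a query for qname should be forwarded to.
    The suffix match is label-aligned, so corp.example.evil.com does not match corp.example."""
    for suffix, resolvers in policy:
        if qname == suffix or qname.endswith("." + suffix):
            return resolvers[0]
    return default[0]


def steer(packet: bytes, policy=POLICY):
    """Intercept one client query and decide where to forward it."""
    qname, _qtype = parse_question(packet)
    return qname, choose_resolver(qname, policy)


if __name__ == "__main__":
    for host in ("www.example.com", "intranet.corp.example", "sip.voice.example"):
        print(steer(build_query(host)))
```

The point of the strict parser is that the steering decision is only as trustworthy as the QNAME it is based on; a client that can confuse the parser can route its own lookups around the Umbrella policy, which is exactly the control this slide is about.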
29. Viptela Confidential
Cloud onRamp for IaaS
How it works
Public Cloud (AWS & Azure) connectivity solution consumable through the vManage platform
[Figure: Branch and DC connected over Internet and MPLS to the vManage platform and to vEdge GW instances in Public Cloud Provider 1, Region 1]
• Public cloud credentials are added to vManage
• IaaS instances are discovered from the user's account in a region; the user selects instances to operate on
• The user defines vEdge gateway parameters and maps IaaS instances to VPN segments in the overlay
• vManage invokes instantiation of vEdge instances in the user's account and connects IaaS instances to vEdge GW VPN segments
• New instances can be discovered and mapped to VPN segments later
vManage Cloud onRamp for IaaS app: a vManage application that orchestrates connectivity to IaaS instances across multiple clouds and multiple regions. Provides visibility into cloud instances.
vEdge Cloud Router: a virtualized version of the vEdge router. Available on the AWS and Azure marketplaces.
30. Cloud onRamp for SaaS
[Figure: Branch with local DMZ, Regional internet exit and Data Center/DMZ on the vFabric; httping probes, SaaS traffic primary and SaaS traffic backup paths]
Cloud onRamp for SaaS Gateways: vEdge routers monitoring service availability to SaaS apps.
vManage Cloud onRamp for SaaS app: a vManage application that provides visibility into SaaS performance and availability from the branch.
How it works
• User designates Cloud onRamp gateways, which can be remote DMZs or local CPE (DIA case)
• SLA metrics are computed by using httping based probes to the SaaS endpoint through the Cloud onRamp gateway
• Per application SLA metrics include loss and latency
• Application aware routing to the SaaS end-point from gateway routers
• The path experiencing the better SLA for the application is chosen
Viptela Quality of Experience (vQoE) score: provides visibility into application QoE based on realtime probes. vQoE information influences routing decisions on vEdge routers
31. Why Cloud Connect?
• Proven methodology – transforming to deliver business outcomes based on adoption of capabilities via cloud technologies
• Ease of management – easy management and administration due to consistency of the solutions between on-premises and public cloud
• Integrated security – most comprehensive security and networking features and services that leverage existing infrastructure
• Seamless transition to cloud environments by extending enterprise-grade networking & security from on-premises to cloud
• Best-in-class SD-WAN with security – Viptela with Umbrella
• Best network flow monitoring and threat analytics
32. Find out more:
• www.cisco.com/go/cloud
• https://www.cisco.com/c/en/us/solutions/cloud/hybrid-cloud-public-cloud.html?CAMPAIGN=cloud%2bstory&COUNTRY_SITE=us&POSITION=social%2bmedia%2bshare&REFERRING_SITE=blogs%2Ecisco%2Ecom&CREATIVE=cisco%2Bblogs%2Bto%2Bhybrid%2Bpublic%2Bcloud
• Demo Videos - https://www.youtube.com/channel/UCaOS_SEzOmqKZDOIupONssg