Learn how to enable and support data migrations in AWS and keep your business applications highly secure, whether you are migrating your IT infrastructure to the cloud, migrating your business applications to the cloud, or simply moving traffic on AWS between different Availability Zones. Our real-world use cases include securing your critical business applications in AWS by deploying vSRX as a perimeter firewall for VPC instances, and enabling secure transport and routing for hybrid cloud deployments using IPSec VPNs on vMX. Session sponsored by Juniper Networks.
2. What to Expect from the Session
• Trends and challenges in migrating to hybrid cloud
• Learn about solutions to address these challenges
• Routing capabilities between public cloud instances
• Secure transport to the public cloud
• Security against advanced threats and staying compliant
• Demo on how to address these challenges in AWS and a do-it-yourself solution
For your 60 minutes
3. Cloud statistics
Nearly 70% of enterprises will pursue the hybrid cloud by 2015**
91% of net new software was built for cloud delivery in 2014***
The cloud is changing the way enterprises work and transforming the way IT and business processes are delivered.
[Chart: Cloud Market Opportunity*, 25% CAGR through 2017; by 2017, cloud spend will be $392B; segments shown are Private Cloud, IaaS/PaaS and SaaS/BPaaS, with per-segment CAGRs listed as 25%, 28% and 24%]
*Source: IBM Market Insights, 1H 2014
**Source: Gartner, p.6, Private Cloud Matters, Hybrid Cloud is Next, Gartner G00255302, Sept 6, 2013
***Source: IDC Directions, “How SaaS Gets Built” Doc # DR2014_T3_RM March 2014
4. Cloud inhibitors
Q. Which does your organization consider the most IMPORTANT INHIBITORS to your organization's increased usage of cloud services?
[Chart: percentage of respondents citing each inhibitor, two panels; labels and values listed as they appear on the chart, in ascending order]
Employee size 100-999…: Security concerns 41.3; IT governance issues 30.0; Lock-in to a single… 28.0; Dependency on… 28.0; Reliability concerns:… 27.3; Hard to integrate with… 26.0; Will cost too much to… 24.0; Reduced… 22.7; Cloud cannot support… 21.3; Current network… 18.7; Lack of tools to… 16.7; None 1.3; Other 0.7
Employee size 1000+ (N=151): Security concerns 48.3; Reliability concerns:… 34.4; IT governance… 31.8; Dependency on… 29.1; Service provider lock-… 28.5; Hard to integrate with… 26.5; Not suitable for… 22.5; Limitation of current… 18.5; Expensive 18.5; Reduced… 17.9; Lack of tools to… 17.2; None 4.6; Other 4
N=301
Base: All respondents
Source: IDC’s Multi-Client Report: Enterprise Cloud Connect, 2015
Key Inhibitors: Security, Reliability, & IT governance
5. Business edge & enterprise networks evolving
Trends
• Applications & workloads shifting to public cloud providers such as AWS. This shift requires:
  • Secure transport to the public cloud
  • Secure perimeter gateway providing same next-gen firewall capabilities as on-premises solutions
  • Routing capabilities between public cloud instances in case of geo-redundancy
6. Enabling public cloud migration
Customer Challenges
[Diagram: enterprise CE sites reach VPC instances in AWS Region A and AWS Region B over a Provider MPLS Network (PE routers, Amazon PE routers via Direct-Connect) and over the Internet]
• Scalable Secure Transport with full mesh capabilities from multiple enterprise locations to public cloud instance
• Routing between VPC instances across AWS regions for geo-redundancy and high availability
• Operational consistency between on-premises and cloud gateway
• Redundant gateway for high availability within an AWS region
• Visibility, Analytics, and Troubleshooting capabilities of the cloud gateway
• Ensure Quality of Service for specific types of traffic
7. Enabling public cloud migration
Solution: Scale-Out Virtual Router in the VPC
[Diagram: a Virtual Private Cloud spanning two Availability Zones, each with a VPC Subnet; VPN tunnels from Customer Gateways at three Customer Networks (New York, Chicago, Los Angeles) terminate on a VPN Router / Virtual Private Gateway]
Utilize a scale-out virtual router instead.
To remediate the challenges highlighted we augment a VPC deployment with a Scale-Out Carrier Class Virtual Router.
8. Enabling public cloud migration
Solution: Scale-Out Virtual Router in the VPC
[Diagram: as on slide 6, with a Virtual Router in each VPC instance (AWS Region A and AWS Region B), reached by IPSec VPN over the Internet and by Direct-Connect through the Amazon PE routers]
• Scalable Secure Transport with full mesh capabilities from multiple enterprise locations to public cloud instance: utilize IPSec VPN for any-to-any connectivity with scalable tunnel count and throughput capabilities.
• Operational consistency between on-premises gateway and cloud gateway: carrier class operating system (JUNOS) with rich routing stack, automation capabilities (Chef, Puppet, Ansible, PyEz) and analytics (IPFIX, JFLOW).
9. Enabling public cloud migration
Solution: Scale-Out Virtual Router in the VPC
[Diagram: as on slide 8, with multiple Virtual Routers per VPC instance and VXLAN over IPSec linking the two AWS regions and the enterprise locations]
• Routing between VPC instances across AWS regions and Enterprise locations for high availability: dynamic routing (BGP) with Overlay Tunneling (VXLAN) capabilities creates seamless connectivity across all endpoints.
• Redundant gateway for high availability within an AWS region: instantiate multiple instances of the scale-out virtual routing platform within a VPC instance to create redundant topologies. Use technologies such as BFD for end-to-end liveness detection.
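As an added example (not part of the deck and not Juniper's own configuration), the following Junos set-style fragment shows the enterprise side of one tunnel in the design above: a route-based IPsec VPN terminating on an st0 interface, an eBGP session across it to the cloud-side virtual router, and BFD on that session so a failed tunnel or instance is detected in well under a second instead of at BGP hold-time expiry. The object names, the 203.0.113.10 peer address, the 192.0.2.0/30 tunnel subnet, the 10.10.0.0/16 on-prem prefix and the AS numbers are assumptions. The AWS side (security-group rules admitting UDP 500/4500 to the instance, and a subnet route table pointing remote prefixes at the instance) is not shown.

```junos
# Added example, not the deck's own configuration. Addresses, prefixes,
# AS numbers and object names are assumptions chosen for illustration.

# Phase 1 (IKEv2): pre-shared key, DH group 14, SHA-256, AES-256
set security ike proposal ike-prop-aws authentication-method pre-shared-keys
set security ike proposal ike-prop-aws dh-group group14
set security ike proposal ike-prop-aws authentication-algorithm sha-256
set security ike proposal ike-prop-aws encryption-algorithm aes-256-cbc
set security ike policy ike-pol-aws mode main
set security ike policy ike-pol-aws proposals ike-prop-aws
set security ike policy ike-pol-aws pre-shared-key ascii-text "REPLACE-WITH-A-PER-PEER-SECRET"
# Peer is the cloud router's public address; external-interface is the on-prem uplink
set security ike gateway gw-aws-usw ike-policy ike-pol-aws
set security ike gateway gw-aws-usw address 203.0.113.10
set security ike gateway gw-aws-usw external-interface ge-0/0/0.0
set security ike gateway gw-aws-usw version v2-only

# Phase 2 (IPsec): ESP, SHA-256 integrity, AES-256, perfect forward secrecy
set security ipsec proposal ipsec-prop-aws protocol esp
set security ipsec proposal ipsec-prop-aws authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-prop-aws encryption-algorithm aes-256-cbc
set security ipsec policy ipsec-pol-aws perfect-forward-secrecy keys group14
set security ipsec policy ipsec-pol-aws proposals ipsec-prop-aws
# Route-based VPN: the tunnel is a routable interface, so BGP can run over it
set security ipsec vpn vpn-aws-usw bind-interface st0.0
set security ipsec vpn vpn-aws-usw ike gateway gw-aws-usw
set security ipsec vpn vpn-aws-usw ike ipsec-policy ipsec-pol-aws
set security ipsec vpn vpn-aws-usw establish-tunnels immediately

# Point-to-point address on the tunnel interface for the BGP session
set interfaces st0 unit 0 family inet address 192.0.2.1/30

# Tunnel zone accepts only BGP and BFD on st0; untrust must accept IKE for the tunnel to form
set security zones security-zone vpn interfaces st0.0 host-inbound-traffic protocols bgp
set security zones security-zone vpn interfaces st0.0 host-inbound-traffic protocols bfd
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike

# eBGP over the tunnel; BFD at 300 ms x 3 detects a dead path in about 900 ms,
# so traffic shifts to a redundant tunnel or instance long before BGP's hold timer expires
set routing-options autonomous-system 65001
set protocols bgp group aws-usw type external
set protocols bgp group aws-usw peer-as 65002
set protocols bgp group aws-usw neighbor 192.0.2.2
set protocols bgp group aws-usw export adv-onprem-prefixes
set protocols bgp group aws-usw bfd-liveness-detection minimum-interval 300
set protocols bgp group aws-usw bfd-liveness-detection multiplier 3

# Advertise only the on-prem prefix; anything else is rejected so the cloud side
# never learns routes it should not carry
set policy-options policy-statement adv-onprem-prefixes term onprem from route-filter 10.10.0.0/16 exact
set policy-options policy-statement adv-onprem-prefixes term onprem then accept
set policy-options policy-statement adv-onprem-prefixes then reject

# Inter-zone policy for user traffic into the tunnel; narrow the match to real needs
set security policies from-zone trust to-zone vpn policy to-aws match source-address any
set security policies from-zone trust to-zone vpn policy to-aws match destination-address any
set security policies from-zone trust to-zone vpn policy to-aws match application any
set security policies from-zone trust to-zone vpn policy to-aws then permit
```

The design choice worth noting is the BFD timer: with a 300 ms interval and multiplier 3, loss of the tunnel is declared after roughly 900 ms, whereas the BGP hold timer alone would leave traffic black-holed for the full hold interval. The same stanza repeated for each remote site and each redundant cloud-side instance gives the any-to-any mesh the slides describe.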
11. Security: specific areas of concern
What are the specific inhibitors to your organization's increased usage of cloud services?
[Chart: share of respondents citing each concern, Total (N=135); labels and values listed as they appear on the chart, in ascending order]
Data protection 67%; Security breach of the cloud provider's… 59%; Unauthorized data access by cloud provider 39%; Legal and regulatory compliance 33%; Denial of Service attacks 29%; Job security for IT staff 25%; Shadow/rogue IT usage 24%; Lack of visibility into cloud provider's… 21%
N=135
Base: Respondents citing “security” as an important cloud inhibitor
Source: IDC’s Multi-Client Report: Enterprise Cloud Connect, 2015
Data Protection, Security, and Compliance are Key Concerns
13. Secure migration to AWS hybrid cloud
Use Cases: Migration of IT Services; SaaS/Cloud Bursting; Desktop as a Service; Advanced Threat Protection
Customer Challenges: Full-mesh secure connectivity; Preserve IT compliance; Leverage existing solutions; Seamless migration experience
14. Solution: migration of IT services
[Diagram: On-Prem DC with Dev and Prod segments connected to AWS VPC-Dev in US-West and VPC-Prod in US-East; Policy A and Policy B appear both on-premises and in AWS]
• Full-mesh secure connectivity – IPSec VPN
• Preserve IT compliance – policy migration
• Leverage existing solutions – physical or virtual firewall
• Seamless migration experience – management & automation
16. Open security intelligence platform
A framework that uses information from multiple sources to deliver improved security
[Diagram: a Threat Intelligence Cloud fed by Customer-provided or Third-Party Threat Data (Command & Control, GeoIP, Additional Intelligence) and by a Local Appliance or Service, with Central Mgmt distributing intelligence to Firewall and Router/Switch enforcement points]
1. Aggregated & optimized cloud-based threat intelligence
2. Provide threat intelligence to customer premise
3. Local/Customer data incorporated into solution
4. Central management
5. Intelligence distributed to firewall enforcement points
6. Intelligence distributed to router/switch enforcement points
17. Advanced anti-malware cloud service
[Diagram of the Advanced Anti-malware Cloud Service: a Malware Inspection Pipeline (Cache, Static Analysis, Dynamic Analysis) producing Identified Malware and Fast Verdicts for In-line Blocking; Internal Compromise Detection driven by C&C Events and Analytics, using feeds of Known C&C Servers (C&C, GeoIP, Custom) with Feed Analysis & Efficacy; a Web-based Service Portal (Licensing, Reporting, Config & Mgmt); the Firewall performs Content (File) Extraction, receives Threat Intel Events (C&C “Hits”), and quarantines Compromised Systems]
18. Solution: Desktop as a Service (DaaS)
[Diagram: On-Premises DC connected to AWS]
“Inside-out” Advanced Threat Protection – Application Visibility & Control, User ID, Unified Threat Management
19. Application visibility and control
[Diagram: traffic passes from Ingress to Egress through the following functions]
App Tracking: Understand security risks; Address new user behavior
App Firewall: Block access to risky apps; Allow user-tailored policies
App QoS: Prioritize important apps; Rate-limit less important apps
SSL Proxy: SSL packet inspection
IPS: Block security threats
• Heuristics for evasive and tunneled apps
• More application signatures
• Open signature language
20. Virtual firewall: enable secure migration to AWS
Foundation (core firewall features): Firewall, VPN, NAT, Routing
Advanced security services:
• Next Generation Firewall Services: Application Control, User-based Firewall
• Unified Threat Management: Anti-virus, Intrusion Prevention, Web/Content Filtering, Anti-malware
• Security Intelligence: Command & Control, GeoIP Feeds, Custom Feeds
• Management, Reporting, Analytics, Automation
22. Call to action
• vSRX – Juniper virtual firewall
• vMX – Juniper virtual router
• Download a 30-day free trial of vMX with complete routing stack:
http://www.juniper.net/support/downloads/?p=vmx#sw
• Download vSRX 60-day trial including advanced security services:
http://www.juniper.net/us/en/dm/free-vsrx-trial/
• vSRX on AWS expected to ship in the next few months
• vMX on AWS expected to ship in the next few months
• Stop by Juniper booth #403 to see demo of vSRX and vMX on AWS