Network Function Virtualization (NFV) is a relatively new term in the industry. There have, however, been virtual appliances in production for over five years serving as routers, switches, firewalls, VPN concentrators and protocol redistributors. Customer case studies for the use of NFV include partner networks, the cloud as a common meeting place, cloud bursting, virtual private cloud, and extending traditional networks into the cloud. The overlap between Software Defined Networking (SDN) and Network Function Virtualization (NFV) is also explored, along with how things change at scale (what happens when you try to manage hundreds of virtual networks) and a glimpse into the future: the virtual telco.
Lessons from 5 Years of Network Function Virtualization | Interop NY Presentation from Chris Swan
1. copyright 2013
Lessons from 5 Years of Network Function Virtualization
Chris Swan, CTO - CohesiveFT
@cpswan
Tuesday, October 8, 13
2. copyright 2013
Agenda
Introducing Network Function Virtualization (NFV)
The Networking Declaration of Independence
Business use cases:
• Wave 1 - bursting and containment
• Wave 2 - hubs and spokes
• Wave 3 - winning back control
Technical use cases
Summary
4. copyright 2013
NFV is a networking Swiss Army knife
Diagram: NFV as a hybrid virtual device able to extend to multiple sites, combining firewall, router, switch, IPsec/SSL VPN concentrator, protocol redistributor, and dynamic & scriptable SDN.
Application SDN (Software Defined Network) Appliances
• Allow control, mobility & agility by separating network location and network identity
• Control over end to end encryption, IP addressing and network topology
5. copyright 2013
A technical use case overview
Diagram: NFV overlay network 172.31.0.0/22 spanning three peered cloud regions (US East 1: public IP 184.73.174.250, overlay IP 172.31.1.250; EMEA: public IP 54.246.224.156, overlay IP 172.31.1.246; APAC: public IP 192.158.29.143, overlay IP 172.31.1.242), with Cloud Servers A-F at overlay IPs 172.31.1.1, 172.31.1.5, 172.31.1.9, 172.31.1.13, 172.31.1.17 and 172.31.1.21. A customer remote office in Chicago, IL USA (remote subnet 192.168.3.0/24, user workstations at 192.168.3.50 and 192.168.3.100) and a customer data center in London, UK (remote subnet 192.168.4.0/24, data center servers at 192.168.4.50 and 192.168.4.100) connect through Cisco 5505 and Cisco 5585 firewall / IPsec devices over active IPsec tunnels (192.168.3.0/24 - 172.31.1.0/24 and 192.168.4.0/24 - 172.31.1.0/24) plus a failover IPsec tunnel.
6. copyright 2013
Providers and Customers have different concerns
Diagram: the stack from Layer 0 (hardware ownership layer) and the virtualization layer up through Layers 1-7 to the application layer, with provider control at the bottom, user control at the top, and the limits of access, control & visibility between them.
Service Provider SDN starts at the bottom of the network with the "device" and network flows.
Application SDN (using NFV) begins at the top of the network with the enterprise application, its owner and their collective technical and organizational demands.
9. copyright 2013
Nicira’s “declaration of independence” from metal freed NFV from OpenFlow
http://nicira.com/sites/default/files/docs/Nicira%20-%20The%20Seven%20Properties%20of%20Virtualization.pdf
10. copyright 2013
These same properties free NFV from the “constraints” of OpenFlow (technology, timing and target)
Nicira defined the 7 Properties of network virtualization as:
1. Independence from network hardware
2. Faithful reproduction of the physical network service model
3. Follow operational model of compute virtualization
4. Compatible with any hypervisor platform
5. Secure isolation between virtual networks, the physical network, and the control plane
6. Cloud performance and scale
7. Programmatic networking provisioning and control
11. copyright 2013
Independence from network hardware
With VM-based network devices you can use the cloud network as “bulk transport” and are indifferent to all else.
Diagram: customer data center (firewall / IPsec device, data center servers on LAN 192.168.1.xx) linked by a standard IPsec tunnel to an NFV device in Public Cloud Region 1, where cloud servers sit on the overlay network at 172.31.11.xx.
12. copyright 2013
Reproduction of physical network model
NFV devices “look” and “feel” like the same networking devices customers have used for ever, without boundaries
Diagram: customer data center servers and cloud servers in Public Cloud Region 1 on one virtual network, joined by a standard IPsec tunnel and the NFV overlay network.
13. copyright 2013
Follow operational model of compute virtualization
Diagram: a row of NFV instances.
NFV functions can be dynamically brought on-line, up to the elastic limits of the total infrastructure available (!!)
14. copyright 2013
Compatible with any hypervisor platform
NFV does more than “follow” the model of compute virtualization, it exists via compute virtualization.
Diagram: virtual infrastructure spanning public clouds and private clouds.
15. copyright 2013
Secure isolation
Isolation takes many forms: from underlying infra, allow my protocols, keep my “chattiness” in, keep others out, etc.
Diagram: four public cloud regions, each with its own cloud servers on a separate overlay network.
16. copyright 2013
Secure isolation
Diagram: user workstations and a data center server.
17. copyright 2013
Cloud performance and scale
Where NFV really shines today, create a WAN in minutes, use cloud as points of presence for your business
Diagram: the same Chicago / London / three-region topology as the technical use case overview (overlay 172.31.0.0/22; NFV overlay IPs 172.31.1.250, 172.31.1.246 and 172.31.1.242 peered across US East 1, EMEA and APAC; active and failover IPsec tunnels to the 192.168.3.0/24 and 192.168.4.0/24 remote subnets).
18. copyright 2013
Programmatic networking provisioning & control
Cloud Compute and Network APIs + NFV Device APIs allow previously unimaginable flexibility and power
Diagram: virtual infrastructure spanning public clouds and private clouds. Image credit: http://maxoffsky.com/code-blog/building-restful-api-in-laravel-start-here/
21. copyright 2013
Mutual fund securely extends HPC grid resource
Highlights:
Automatically flex existing HPC solution up and down by bursting into public cloud.
Image management tool configured and contextualized nodes in custom cloud environment.
Used existing workload manager / grid engine software / vendor to extend their grid.
Significantly reduced infrastructure costs, while increasing flexibility and responsiveness.
The Goals:
Large Mutual Fund (LMF) must reduce the time to results. They seek an on-demand, lower cost capacity expansion.
Security & Compliance:
• Guaranteed customer control of the network layer
• Visibility, insight and control over the infrastructure
• Swapped out physical infrastructure with IaaS on a pay as you go basis
• Vendor neutral, more than one cloud
• Natural look and feel of an existing grid extension
• Encrypted data in motion, end-to-end
LMF needed more security and control than public cloud to “extend” their existing grid on the same IP network.
Outcome:
LMF seamlessly flexes their grid up and down with an overlay network for the EC2 grid compute nodes with NFV.
Diagram: Fund bursts into public cloud to extend HPC. Private data center in Boston, USA (firewall / IPsec, data center node) with active IPsec tunnels to peered NFV devices in US-east-1 and US-west-1, with grid nodes on the overlay network.
22. copyright 2013
Mobile provider creates secure dev/test environments
Highlights:
Wanted speed for dev/test but couldn’t sacrifice security
Challenged to improve quality and amount of testing with multiple vendors
Telco had insufficient hardware resources and lacked initial install media
Guaranteed consistency with identical topologies in virtual network
The Challenge:
Our customer needed a solution when traditional dev/test processes created a 3 month bottleneck in getting services to market.
The customer wanted to use cloud for dev/test environments on-demand, and to migrate 10 year old Oracle, Stellent, Tibco, and Websphere images to AWS and VMware environments.
They needed to securely connect two developer offices and dev partners in a third office.
The Outcome:
Functionally equivalent multi-tier distributed system ran both in AWS and VMware to give testing capacity on demand from a public cloud and production on premise.
Ensured consistent topologies within secure virtual networks.
Diagram: AD Configuration with Dual NIDs. Developer office in the USA (user workstations behind firewall / IPsec) and partner data center (private cloud, data center servers behind firewall / IPsec) joined by active IPsec tunnels (192.168.4.0/24 - 172.31.1.0/24) to peered NFV devices in US-east-1, forming a hybrid network of virtual machines.
23. copyright 2013
UK non-profit reduces CO2 with IBM SmartCloud
Highlights:
Energy Saving Trust (EST) needs to analyse data while keeping costs to a minimum
Must gather, analyse, and compute big data sets and graphically display usage
Non-profit securely connects and automates in Smart Cloud
"The services we provide […] make it possible to achieve energy efficiency targets faster and at less cost." - Will Rivers, Housing Data Manager, Energy Saving Trust
The Challenge:
EST has over 20 years of energy data with 250M data points on 25M households, and wanted to grow compute resources while saving costs.
“IBM SmartCloud means that the services we can offer are no longer constrained by the limitations of our on-site hardware,” Simon Elam, Programme Manager, Energy Saving Trust
The Goals:
• Encourage energy efficiency through real-time data and energy maps
• Collect and analyse large sets of public utility and energy data
• Create maps with geographic information system (GIS)
• Grow without impacting performance
Outcome:
CohesiveFT and Assimil8, both IBM Business Partners, helped migrate and connect EST’s IBM software running in IBM SmartCloud Enterprise.
Diagram: Energy Saving Trust analyzes data in SmartCloud. On-site hardware in the UK (firewall / IPsec, data center servers) linked by an active IPsec tunnel to an NFV device in Ehningen fronting a virtual machine and cloud server.
24. copyright 2013
US Sports Association flexes up and down during large annual events
Highlights:
Added capacity without the hardware, overhead and management costs
Wanted to scale and control capacity
Secure communication with partners, customers and media members with a cloud-based solution
Secure, encrypted data in motion and access to data center with NFV
The Situation:
A US National Sports Association looked to public cloud to expand capacity for an annual live, international sporting event.
Challenge:
For a few days a year, the network and servers must react and scale quickly without any outages.
Information could not be unsecured beyond the DMZ - data in plain text was not an option.
Solution Featured:
• Scalable with the capacity needed around global events
• Encryption for all data in motion
• Overlay network on top of public cloud infrastructure
• Perpetual license to accommodate scaling needs
Diagram: Capacity expansion: meeting game day demand. Main offices data center in New York, NY USA (firewall / IPsec) with active IPsec tunnels to an NFV device in us-east-1 fronting virtual machines and cloud servers, plus media partner workstations in EMEA, US & ANZ.
25. copyright 2013
SaaS vendor reaches customers without on-site data centers or physical networks
Highlights:
Large independent logistics firm wanted to move to SaaS delivery model without burdening clients
Removed migration complexity without changing the business model or operations
Solved end client’s issues with on-site data centers and large software clients
Overlay network allows customer to deploy to any public cloud provider
The Situation:
Mobile banking solution provider wanted to connect many financial institution customers to a cloud-based common platform to connect partners and customers
Challenges:
• Limited multi-tenant environments for customers to pass industry-standards tests
• Connectivity without the hurdles of traditional networks, data centers and enterprise rules
• Managing apps across different public and private clouds
• End customer security concerns
Outcome:
The customer can offer a SaaS version of their BPMS where end customers can access it as if it were a subnet on their network.
The solution guarantees data in motion encryption.
The BPMS firm can now connect their clients’ software to cloud-based data centers without up-front, capital intense processes.
Diagram: BPMS-as-a-SaaS without traditional complexity. Home data center in Boston, MA USA (firewall / IPsec) with active and failover IPsec tunnels to peered NFV devices in us-east-1 and us-west-2 (a federated cloud overlay network hosting the cloud-based SaaS tool on virtual machines), and customer data centers 1 and 2 in London, UK and Berlin, DE (private cloud, data center servers).
27. copyright 2013
Connect customers in a shared, private environment.
Highlights:
Customer switched from on-premise to cloud-based data analysis SaaS for retail clients.
Needed additional resources with secure, shared infrastructure.
Offered multitenant cloud-based services to customers and partners.
Created secure connections with both IPsec edge connectivity and SSL/TLS VPN
A retail data analysis firm wanted to expand cloud-hosted resources while securely linking customers to a new cloud-based service.
Challenges:
• Guaranteed encryption for all data in motion and at rest.
• Overlay network to federate across any public cloud provider.
• Secure connections with both IPsec edge connectivity and SSL/TLS VPN
• Customer created a true Cloud WAN network with overlays and cloud providers.
Customer now manages more than 100 cloud environments across a mix of dev, internal IT, and customer implementation categories in a seamless “single network” mix.
Diagram: Cloud “Meet Me Room”. US data center (firewall / IPsec, data center servers) with active IPsec tunnels to an NFV device in eu-west-1 hosting the SaaS app on virtual machines and cloud servers in a federated multicloud network; a UK customer network reaches it through browser-based portal access.
28. copyright 2013
Firm extended offerings with global cloud points of presence
Highlights:
Offered global redundancy at dramatically lower cost than traditional infrastructure.
Needed secure connections to existing data centers and networks.
Access critical infrastructure “in region” without delays or capital of physical resources.
Global reach for products and global redundancy for security.
A global endpoint threat prevention company wanted to have global reach for its cloud-based threat protection and virus scanning system.
Additionally, they wanted to ensure global redundancy using multiple cloud providers.
Customer Required:
• Working with multiple cloud providers and cloud regions
• Connections across clouds and down to existing physical data centers and networks
Outcome:
• Guaranteed encryption for all data in motion and at rest
• Overlay network to federate across any public cloud provider
• End customers can access critical resources without waiting for inter-continental lag times, at much lower costs.
Diagram: Cloud WAN for global reach and redundancy. A data center, Customer 2 workstations and an office across Frankfurt, Germany, Tokyo, Japan and London, UK (firewall / IPsec, data center servers) joined by active IPsec tunnels to peered NFV devices in APAC-1, the US East Coast and the Netherlands, forming a CloudWAN.
29. copyright 2013
Cloud WAN connectivity without the expensive assets or contracts.
Highlights:
Global reach for products and global redundancy for security.
Needed secure connections to existing data centers and networks.
Access critical infrastructure “in region” without physical resources.
Offered global redundancy at dramatically lower cost.
A pharmaceutical information systems firm wanted to integrate US-based offices together and to integrate offices to their cloud infrastructure.
Challenges:
Offices had different hardware and software, networks and data needs.
The firm did not want to invest in assets or long term contracts with vendors.
Solution Featured:
• Guaranteed encryption for all data in motion and at rest
• Overlay network federates across public cloud providers
• IPsec and data in motion encryption
• Customer created a true Cloud WAN with overlays and cloud provider edges.
Outcome:
Each office connected to the cloud-based systems and also connected to each other using the cloud as network backbone.
Diagram: Pharmaceutical system federates infrastructure. A data center, Medical Offices 1 and 2 and a customer hospital across New York, San Francisco, Boston and Salt Lake City, USA (firewall / IPsec, data center servers) joined by active IPsec tunnels to peered NFV devices in US-west-1 and US-east-1, forming a CloudWAN with SaaS portals on a private cloud.
30. copyright 2013
Connecting mobile banking customers to a common cloud-based infrastructure
Highlights:
Online & mobile banking company needed connectivity solution to meet regulatory requirements.
Financial customers could use a "security lattice" approach, encrypting all critical data in motion
Enabled customer to serve end customers from a common platform.
Multitenancy model allowed customer to pass along cloud economies of scale.
The Situation:
Mobile banking solution provider wanted to connect many financial institution customers to a cloud-based common platform to connect partners and customers
Challenges:
Multi-tenant infrastructure required secure connectivity with minimal complexity and manpower expense.
Public cloud flexibility and savings plus additional security and connectivity.
Solution featured:
• Connections with standard IPsec equipment
• A connection “edge” to customer deployments and cloud infrastructure
• Encrypted data in motion
Outcome:
Cloud-based banking platform brought customers online quickly at lower cost.
Diagram: Multitenant cloud-based partner network. Home network in the USA (firewall / IPsec, data center server) and customer data centers 1 and 2 in the USA and UK (data center servers, virtual machines) joined by encrypted IPsec tunnels to an NFV device in US-west-1 hosting the mobile banking platform.
31. copyright 2013
Mobile provider improved quality in secure dev/test environments
Highlights:
Wanted speed for dev/test but couldn’t sacrifice security
Challenged to improve quality and amount of testing with multiple vendors
Image management helped move existing images and templates into production-ready environments
Guaranteed consistency with identical topologies in virtual network
Problem:
Customer needed solution when traditional testing and dev/test created a three month bottleneck while getting services to market.
Solution:
The customer used the cloud for dev/test environments on demand by migrating 10 year old Oracle, Stellent, Tibco, Websphere images to AWS and VMware, and securely connected two developer offices and dev partners in a third office.
Outcome:
Functionally equivalent multi-tier distributed system ran both in AWS and VMware to give testing capacity on demand from a public cloud and production on premise.
The customer moved existing images and templates into production-ready environments.
Diagram: Leading global mobile telco service provider. Dev/Test 1 data center servers in Boston, USA, and Dev/Test 2 data center servers plus a partner data center private cloud in London, UK, joined by active IPsec tunnels (firewall / IPsec) to peered NFV devices in EMEA on an overlay network of cloud servers and virtual machines.
32. copyright 2013
Scalable, pay as you go solution connects cloud-based apps to partner networks.
Highlights:
Connected telco partners with partners’ exact IP addresses.
Concerns over keeping customer and partner traffic separate and secure
Needed to quickly scale up and down, with a price package to match
Overlay network segmented partners to take control of security, addressing, and connection
The Situation:
A telco with a mobile app needed to connect cloud-based app servers to APAC partners on the partners’ exact IP addresses.
The solution required:
• Overlay networks
• Instance-based solution using pay-as-you-go virtual appliances
• Customer-defined address pools
• Guaranteed encryption for all data in motion, including customer session tokens and payment information
Outcome:
Customer was able to create POPs in multiple regions with attestable security.
The network can be abstracted from the cloud vendors’ address schemes to create a scalable, pay as you go solution to match their business model.
Diagram: Mobile app developer connects on overlay. Customer site (data center server, virtual network) and Partner LANs 1 and 2 (data center servers, virtual machines) across London, UK, Osaka, Japan and Hong Kong, joined by dedicated IPsec tunnels (firewall / IPsec) to peered NFV devices in Asia Pacific (Tokyo) and Ehningen hosting the cloud-based SaaS tool.
33. copyright 2013
Research groups connect to location-independent infrastructure
Highlights:
US-based research groups have global observatories and collaborations
Platform would speed research, enhance collaboration
Location-independent data collection and analysis
NFV and image management helped the group create common, shared infrastructure
Challenge:
Needed to create a new computing architecture based on virtualization to support collaborative efforts through multiple layers of research groups.
The research groups had to have control over final output quality and virtual devices in complex sensor platform.
Solution
New computing architecture needed to use virtualization, multiple separate research groups, and virtual devices in complex platform.
Outcome
With NFV and image management, the customer created a common shared infrastructure that was location independent.
Diagram: Scientific research groups connect, migrate to cloud. Research campus in Palo Alto, CA USA, Observatory 1 in Honolulu, HI USA and Observatory 2 in the Marshall Islands, USA (workstations, firewall / IPsec) joined by active IPsec tunnels to an NFV device in US-west-1 on a global overlay network of virtual machines and nodes.
35. copyright 2013
Overlay between public & private cloud
Diagram: cloud servers at five locations, each with its own public IP addresses, peered into an NFV overlay network 172.31.0.0/24 in Region Europe-1.
• Not technically very different from bursting, but motivation is different
• Get network (re)configured in minutes rather than waiting weeks for a change request to be implemented by the (outsourced) NOC
• No need for new hypervisor or networking equipment
36. copyright 2013
The first “process” customizable cloud transport network device
NFV allows customers to embed features and functions provided by other vendors - or developed in house, safely and securely into cloud networks
• Not just a scripting interpreter that allows control over known, existing features
• Completely new functions, processes, computation delivered to the core of the customer cloud network (patent pending)
Diagram: NFV, customer controlled and co-created for the best hybrid cloud experience, combining router, switch, firewall, IPsec/SSL VPN concentrator, protocol redistributor, dynamic & scriptable SDN, proxy, reverse proxy, content caching, load balancing, intrusion detection and more.
37. copyright 2013
Encrypted Overlay network in VPC
NFV as a converged device gateway into cloud
Diagram: NFV appliance with a single IP address fronting Web App 1, Web App 2 and Web App 3.
• Customer created a customized reverse proxy application (NGINX) inside the NFV appliance
• NFV provides end-to-end encryption, private address control, firewalling, and port forwarding
• NGINX configuration files are completely customer controlled
• NGINX app sits at the transport layer inside the NFV appliance
• Runs on the encrypted overlay network in VPC
39. copyright 2013
Cloud Address Control
Problem:
• Applications may be hard wired to specific IP addresses
• Cloud providers cannot provide portability of internal IPs
NFV Solution:
• Control static addressing
• Local Area Network (LAN) address extension to the cloud
• Servers and topologies behave as though they are running locally
• Application centric network is portable
Diagram: customer data center (firewall / IPsec device, data center servers on LAN 192.168.1.xx) linked by a standard IPsec tunnel to an NFV device in Public Cloud Region 1, with cloud servers on the overlay network at 172.31.11.xx.
40. copyright 2013
Cloud Protocol Control: Multicast
Problem:
• Enterprise software uses multicast protocols for service election and service discovery
• Most public cloud providers block multicast
NFV Solution:
• Send multicast traffic via NFV based overlay network before it is rejected by underlying network infrastructure
Diagram: customer data center (firewall / IPsec device, data center servers on LAN) linked by a standard IPsec tunnel to an NFV device in Public Cloud Region 1, with cloud servers on the overlay network.
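Added example, not code from the deck or from CohesiveFT's product: a small Python model of this slide. The underlay rejects anything addressed to 224.0.0.0/4, as the provider network described here does, while the overlay keeps a group membership table and turns each multicast datagram into one unicast copy per member (head-end replication) before it reaches the underlay. The cloud server addresses are taken from the deck's overlay diagram; the group address 239.1.1.1 and the delivery log are constructed.

```python
"""Multicast service discovery over a unicast-only cloud underlay (constructed example).

The underlay models the provider network on the slide: unicast is delivered, anything sent
to a 224.0.0.0/4 group is rejected. The overlay keeps IGMP-style group membership and
replicates a multicast datagram as one unicast copy per member (head-end replication), so
the underlay only ever sees unicast between overlay addresses.
"""
from ipaddress import IPv4Address, ip_address, ip_network

MULTICAST = ip_network("224.0.0.0/4")


class UnderlayDropped(Exception):
    """Raised when a datagram would be rejected by the provider network."""


class Underlay:
    """Unicast-only transport between overlay endpoints."""

    def __init__(self) -> None:
        self.delivered: list = []   # (dst, payload) pairs that actually got through

    def send(self, dst: IPv4Address, payload: bytes) -> None:
        if dst in MULTICAST:
            raise UnderlayDropped(str(dst))
        self.delivered.append((str(dst), payload))


class OverlayMulticast:
    """Group membership plus head-end replication on the NFV overlay device."""

    def __init__(self, underlay: Underlay) -> None:
        self.underlay = underlay
        self.members: dict = {}   # group address -> set of member overlay addresses

    def join(self, group: str, member: str) -> None:
        g, m = ip_address(group), ip_address(member)
        if g not in MULTICAST:
            raise ValueError(f"{g} is not a multicast group")
        self.members.setdefault(g, set()).add(m)

    def leave(self, group: str, member: str) -> None:
        self.members.get(ip_address(group), set()).discard(ip_address(member))

    def send(self, src: str, dst: str, payload: bytes) -> int:
        """Forward a datagram from overlay host src; return the number of unicast copies emitted."""
        s, d = ip_address(src), ip_address(dst)
        if d not in MULTICAST:
            self.underlay.send(d, payload)
            return 1
        receivers = sorted(self.members.get(d, set()) - {s})   # no copy back to the sender
        for r in receivers:
            self.underlay.send(r, payload)   # one encrypted unicast per member over the overlay
        return len(receivers)


def discovery_round() -> tuple:
    """Constructed scenario: three cloud servers announce themselves to a discovery group.

    Returns (copies emitted by the overlay, datagrams the underlay delivered,
    whether a raw multicast send into the underlay was dropped)."""
    underlay = Underlay()
    overlay = OverlayMulticast(underlay)
    hosts = ["172.31.1.1", "172.31.1.5", "172.31.1.9"]   # Cloud Servers A, B, C on the deck's overlay
    for h in hosts:
        overlay.join("239.1.1.1", h)
    copies = sum(overlay.send(h, "239.1.1.1", f"HELLO from {h}".encode()) for h in hosts)
    try:   # the same announcement sent straight into the provider network
        underlay.send(ip_address("239.1.1.1"), b"HELLO")
        dropped = False
    except UnderlayDropped:
        dropped = True
    return copies, len(underlay.delivered), dropped
```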
41. copyright 2013
Cloud Security Control: IPsec Tunneling
Problem:
• Public Cloud is accessed via Internet
• HTTPS is fine for web apps and services but isn't always appropriate for other use cases
NFV Solution:
• Connect networks with industry standard IPsec
• Use existing network edge security appliances (Cisco, Juniper, Netscreen, SonicWall etc.)
• Use existing secure communication methods/practices - the same as currently used to connect offices, data centers or partners/customers
Diagram: data center (firewall / IPsec device, data center servers on LAN) linked by a standard IPsec tunnel to an NFV device in Public Cloud Region 1, with cloud servers on the overlay network.
42. copyright 2013
Cloud Security Control: Multiple IPsec
Problem:
• Cloud providers limit the number of IPsec connections
NFV Solution:
• NFV Manager enables multiple IPsec connections to a cloud-based overlay network segment
• Serves as user-controlled, virtualized switch/router inside the provider cloud
• Cloud deployed servers can communicate with multiple IPsec gateways via endpoint-to-endpoint encrypted connections
Diagram: Customer Sites 1, 2 ... N, each with its own IPsec device, all terminating standard IPsec tunnels on one NFV device in Public Cloud Region 1 whose cloud servers sit on the overlay network.
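As an added example (not from the deck or from CohesiveFT's product), the following Python models the overlay and tunnel policies from the technical use case overview together with the multiple-IPsec idea on this slide: an overlay segment that checks attached addresses, a tunnel table with active and failover entries per remote site, a selector that picks the tunnel for a flow or refuses the flow when no policy covers it, and a check for overlapping remote LANs. The overlay, policy and address values come from the deck's diagrams; which site terminates on which NFV device is assumed for the sake of the example.

```python
"""Overlay addressing and IPsec policy selection modelled on the deck's topology.

Constructed example. Assumptions: the overlay is 172.31.0.0/22; every tunnel policy pairs a
remote LAN subnet with the overlay segment 172.31.1.0/24 (as the diagram labels show);
Chicago's active tunnel lands on the US East 1 NFV (overlay 172.31.1.250) with a failover on
the EMEA NFV (172.31.1.246), and London's active tunnel lands on EMEA. The site-to-gateway
pairings are assumed, not taken from the deck.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

OVERLAY = ip_network("172.31.0.0/22")


def is_overlay_address(ip: str) -> bool:
    return ip_address(ip) in OVERLAY


@dataclass
class Tunnel:
    name: str
    remote_lan: IPv4Network    # site subnet behind the customer's IPsec device
    overlay_side: IPv4Network  # overlay segment the policy admits
    gateway: IPv4Address       # overlay IP of the NFV device terminating the tunnel
    role: str                  # "active" or "failover"
    up: bool = True


def tunnel(name: str, remote_lan: str, gateway: str, role: str = "active",
           overlay_side: str = "172.31.1.0/24") -> Tunnel:
    """Build a Tunnel from the string forms used in the diagrams."""
    return Tunnel(name, ip_network(remote_lan), ip_network(overlay_side), ip_address(gateway), role)


@dataclass
class OverlaySegment:
    tunnels: list = field(default_factory=list)
    hosts: dict = field(default_factory=dict)   # server name -> overlay IPv4Address

    def attach(self, name: str, overlay_ip: str) -> IPv4Address:
        """Give a cloud server an overlay address; refuse addresses outside the overlay or in use."""
        ip = ip_address(overlay_ip)
        if ip not in OVERLAY:
            raise ValueError(f"{ip} is outside overlay {OVERLAY}")
        if ip in self.hosts.values():
            raise ValueError(f"{ip} is already attached")
        self.hosts[name] = ip
        return ip

    def add_tunnel(self, t: Tunnel) -> None:
        if t.gateway not in OVERLAY:
            raise ValueError(f"gateway {t.gateway} is not an overlay address")
        self.tunnels.append(t)

    def set_tunnel_state(self, name: str, up: bool) -> None:
        for t in self.tunnels:
            if t.name == name:
                t.up = up

    def select_tunnel(self, src: str, dst: str):
        """Tunnel carrying a flow from overlay host src to LAN host dst, or None when no policy
        covers it (the flow is dropped, never sent in the clear). Longest prefix match on the
        remote LAN wins, and an active tunnel beats a failover one."""
        s, d = ip_address(src), ip_address(dst)
        candidates = [t for t in self.tunnels if t.up and s in t.overlay_side and d in t.remote_lan]
        candidates.sort(key=lambda t: (-t.remote_lan.prefixlen, t.role != "active"))
        return candidates[0] if candidates else None

    def overlapping_remote_lans(self) -> list:
        """Name pairs of distinct remote LANs that overlap: destinations inside them are
        ambiguous, the 'partners' exact IP addresses' problem from the deck's APAC case study."""
        out = []
        for i, a in enumerate(self.tunnels):
            for b in self.tunnels[i + 1:]:
                if a.remote_lan != b.remote_lan and a.remote_lan.overlaps(b.remote_lan):
                    out.append((a.name, b.name))
        return out


def build_deck_topology() -> OverlaySegment:
    """Cloud Servers A-F plus the Chicago and London tunnels from the overview diagram."""
    seg = OverlaySegment()
    addrs = ["172.31.1.1", "172.31.1.5", "172.31.1.9", "172.31.1.13", "172.31.1.17", "172.31.1.21"]
    for letter, ip in zip("ABCDEF", addrs):
        seg.attach(f"Cloud Server {letter}", ip)
    seg.add_tunnel(tunnel("chicago-active", "192.168.3.0/24", "172.31.1.250"))
    seg.add_tunnel(tunnel("chicago-failover", "192.168.3.0/24", "172.31.1.246", role="failover"))
    seg.add_tunnel(tunnel("london-active", "192.168.4.0/24", "172.31.1.246"))
    return seg
```

A server at 172.31.2.9 is a valid overlay address but outside the 172.31.1.0/24 policy segment, so the selector returns None for it: the overlay prefix and the tunnel policy prefix have to be kept in step.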
43. copyright 2013
Use Existing Monitoring Tools
Problem:
• Cloud deployments cannot be connected to existing network operations center
NFV Solution:
• Use your existing monitoring tools for cloud deployments
• NFV allows the use of an existing NOC to monitor and manage devices in the data center and the cloud
Diagram: customer data center servers and cloud servers in Public Cloud Region 1 on one virtual network, joined by a standard IPsec tunnel (firewall / IPsec device) and the NFV overlay network.
44. copyright 2013
Customer-Partner Networks in Public Cloud
Problem:
• Securely connect customers, partners or branches to specific servers in shared infrastructure
NFV Solution:
• Industry standard secure connectivity to isolated servers in public cloud
• Data in motion in the public cloud is encrypted
Diagram: Customer - Partner Network. Partner data center in EMEA, Customer 2 in the USA and Customer 1 in APAC (physical data center, private cloud server, firewall / IPsec) joined by active IPsec tunnels to an NFV device in Public Cloud Region 1 fronting a cloud deployment of nodes.
46. copyright 2013
Summary
NFV allows networks to be built out of the cloud
Users get control over their:
• addressing
• topology
• security
• protocols
When you give people a networking Swiss Army knife to run in the cloud they do all kinds of stuff that you might not have expected