"How overlay networks can make public clouds your global WAN" by Ryan Koop of CohesiveFT at LASCON

copyright 2013

How overlay networks can make public clouds your global WANRyan Koop, CohesiveFT

1

@cohesiveFT#LASCON

Thursday, October 24, 13

copyright 2013

Oh, hello

2

During Business Hours++

Ryan Koop@ryankoopDirector of Product & Marketing, Co-founder

Ryan is responsible for product development and manages teams for public relations, international events, and content marketing. His role spans the technical product development, customer support, business development and thought leadership needs of a growing company.

Before CohesiveFT, Ryan worked at a trading platform software company in the US Derivative Markets.

After Hours NAME Ryan Koop CLUB Royal Fox CC - Men LOCAL# 2024 Assoc# 20005661 EFFECTIVE DATE 10/15/2013 SCORES POSTED 12 USGA HDC INDEX

18.9SCORE HISTORY - MOST RECENT FIRST

1 96*I 98 I 95*I 89*AI 96*AI6 95*AI 99 H 99 I 99 AI 94*I11 97 H 96*I 106 A 97 H 95 H16 97 I 94*H 91*H 96 I 94*H

Chicago District Golf Association - www.cdga.org

Ryan Koop

2013 GOLD MEMBER


copyright 2013

Agenda

3

•Background - Cloud and networking experience•Cloud Market and Players•Moore’s Law and Cloud WAN Costs• Traditional WAN vs Cloud WAN•Case Studies - Customers Building Cloud WANs•My CloudWAN

@cohesiveFT#LASCON


copyright 2013

Cloud Market

4

@cohesiveFT#LASCON


<Disk ovf:allocationUnits="1073741824" ovf:capacity="8" ovf:capacityAllocationUnits="byte * 2^30" ovf:diskId="vmdisk1"

ovf:fileRef="file1" ovf:format="http://www.vmware.com/interfaces/specifications/vmdk.html#streamOptimized"

ovf:populatedSize="1167196160"/> <Disk ovf:allocationUnits="1048576" ovf:capacity="1"

ovf:capacityAllocationUnits="byte * 2^20" ovf:diskId="vmdisk2" ovf:fileRef="file2" ovf:format="http://www.vmware.com/interfaces/

specifications/vmdk.html#streamOptimized" ovf:populatedSize="0"/>

copyright 2013

Where we fit• Cohesive Flexible Technologies Corp. (CohesiveFT)

• Founded in 2006 by IT and capital markets professionals

• First product launched in 2007 with multiple product revisions each year

• Customers have secured 80M virtual device hours in public, private, & hybrid clouds

• Offices in Chicago, London, Belo Horizonte and Palo Alto

• Connect apps to cloud IaaS and provide network interoperability and virtual image interoperability

• Software defined network (SDN) enables applications to be deployed to or across any public or private cloud

• Enterprise image management allows customers to import, transform and deliver their server images to the cloud

• Enable enterprises to run business operations in the cloud helping migrate and extend both customer facing systems and internal operational platforms

5

What We Do Who We Are


copyright 2013

Even your mom knows about cloud

6

ComputeStorage

Network

PaaS

SaaS

IaaS Google


copyright 2013

Buzz word Bingo!• Overlay Networking - CohesiveFT term for NFV, 5+ years old• Network Function Virtualization (NFV) - new hotness

- Network independent from hardware runs in virtual layer- Isolation between the virtual network, physical network adn control plane- Programmatic networking provisioning and control

• Software Defined Networking (SDN) - Capital B Billion- Networks that can be configured through an API - OpenFlow (Nicira) pure view is separation of a

control plane from forwarding plane- What is managing the network vs what moves

the packets around the network

7

OpenFlow

SDN

NFV

@cohesiveFT#LASCON


copyright 2013

(Network) Control is KingApplication-Centric SDN

• Help me run my business in the cloud NOW.

• Extends control of application owner from data center to cloud

Infrastructure SDN• Optimizes service provider

data center operations

ApplicationLayer

VirtualLayer

Layer 3

Layer 2

Layer 1

Layer 0

Layer 7

Layer 6

Layer 5

Layer 4

Limit of user access, control and visibility

Application O

wner

Clo

ud O

wne

r

Hardware Layer

VNS3

Alcatel

@cohesiveFT#LASCON

7Thursday, October 24, 13

copyright 2013 8

No security without NFV

Firewall

Dynamic & Scriptable SDNProtocol Redistributor

IPsec/SSL VPN concentrator

Router Switch

NFV

Hybrid virtual device able to

extend to multiple sites

Overlay Network Appliances • Allow control, mobility & agility by separating network location and network identity • Control over end to end encryption, IP addressing and network topology


copyright 2013

Defense in Depth

10

Cloud networks combine with user & provider firewalls and isolation features to create a “security lattice” with layers of security.Some key security elements must be controlled by the user but separate from the provider.

Provider Owned/Provider ControlledProvider Owned/User ControlledVNS3 - User Owned/User ControlledUser Owned/User Controlled


copyright 2013

Customer Data CenterCustomer Remote Office

VNS3 1

VNS3 2

VNS3 3

VNS3 Overlay NetworkSubnet: 172.31.0.0/22

Overlay IP: 172.31.1.1 Overlay IP: 172.31.1.5 Overlay IP: 172.31.1.9 Overlay IP: 172.31.1.13 Overlay IP: 172.31.1.17 Overlay IP: 172.31.1.21Cloud Server A Cloud Server B Cloud Server C Cloud Server D Cloud Server E Cloud Server F

Active IPsec Tunnel Active IPsec Tunnel

Failover IPsec Tunnel192.168.4.0/24 - 172.31.1.0/24192.168.3.0/24 - 172.31.1.0/24

Firewall / IPsec Cisco 5505

Firewall / IPsec Cisco 5585

Data Center ServerData Center ServerLAN IP: 192.168.4.50 LAN IP: 192.168.4.100User Workstation

LAN IP: 192.168.3.100User WorkstationLAN IP: 192.168.3.50

Chicago, IL USARemote Subnet: 192.168.3.0/24

London, UKRemote Subnet: 192.168.4.0/24

Public IP: 184.73.174.250Overlay IP: 172.31.1.250



Peered Peered

US East 1 US West

Overlay Networks allow federated and hybrid clouds


copyright 2013

Cloud Players

12

@cohesiveFT#LASCON


copyright 2013

Colo & Managed Hosting Locations

13

Locations as reported by providers @cohesiveFT#LASCON


copyright 2013

Public Cloud Locations

14

Locations as reported by providers

Cloud

@cohesiveFT#LASCON


copyright 2013

Economics of Distributed Computing Today

15

@cohesiveFT#LASCON


copyright 2013

Compute locally or reach across the network to the public cloud?Jim Gray’s "Distributed Computing Economics" Updated for 2013

16

WANBandwidth/mo. CPU Hours (All Cores) Disk

Items in 2003Cost 2003

$1 buys in 2003

Item in 2008

Cost in 2008$1 buys in 2008

Cost/Performance Improvement

Cost to Rent $1 worth on AWS in 2008

Cost to Rent $1 worth on AWS in 2013

2008 to 2013 savings

1Mbps WAN Link 2 Ghz CPU, 2GB DRAM 200 GB (50MB/s)$100/mo. $2,000 $200

1GB 8 CPU hours 1GB

100 Mbps WAN link2 GHz, 2 socket, 4 cores/

socket, 4GB DRAM1TB disk, 115MB/sustained transfer

$3,600/mo. $1,000 $1002.7GB 128 CPU hours 10GB

2.7x 16x 10x

$0.27-$0.40 $2.56 $1.20-$1.50

$0.15-$0.36 $0.832 (m1.xlarge spot price x 16 hours)

$1 for EBS $0.95 for S3

10%-44% 67% 21%-33%[1] Jim Gray, Distributed Computing Economics (Redmond: Microsoft Research), 63–68. Available from: http://goo.gl/NvQ7OX.[2]Michael Armbrust, Armando Fox, Rean Griffith, Anthony D. Joseph, Randy H. Katz, Andrew Konwinski, Gunho Lee, David A. Patterson, Ariel Rabkin, Ion Stoica, and Matei Zaharia, Above the Clouds: A Berkeley View of Cloud (University of California, Berkeley: EECS Department), 12-14. Available from: http://goo.gl/veBurD.

1

1

1

2

2

2

2


http://goo.gl/NvQ7OX

http://goo.gl/NvQ7OX

http://goo.gl/veBurD

http://goo.gl/veBurD

copyright 2013

Traditional vs Cloud WANThere is plenty of cloud fluff, but the decision usually comes down to the following:

1. hardware refresh cycle2. project budget3. organizational expertise4. MBOs5. revenue targets6. job function/role

17

@cohesiveFT#LASCON


copyright 2013

Traditional vs. Cloud WAN

18

@cohesiveFT#LASCON


copyright 2013

Traditional WAN: Points of Presence

19

Step 1: Shop for real estate Step 2: Become an expert in facilitiesmanagement, A/C, construction, doorlocks, etc

Step 3: Hire a team of 24x7x365 security guards

-OR-Sign deals with Telco carriers

• Want more POPs?- Start again at step 1

source: DatacenterKnowledge.com

source: Google.com


copyright 2013

Cloud WAN: Points of Presence

20

Cloud

Step 1: Sign up for a cloud account Step 2: Enter credit card info Step 3: Configure & launch in the region of your choice

•Want more POPs? - Change your settings


copyright 2013

Traditional WAN: Network Kit

21

Step 1: Call your hardware vendor Step 2: Sign another contractStep 3: Hire staff to install, test andconnect new hardware in your data centers

-OR-Sign deals with Telco carriers

• Want more compute?- Prepare for budget shock, then start at 1

source: Cisco.com

source: Colourbox.com


copyright 2013

Cloud WAN: Network Capacity Step 1: Sign up for a cloud account Step 2: Enter credit card info Step 3: Configure & launch instances of your choice

•Want more compute capacity?- Add more VMs

22

Cloud


copyright 2013

Step 1: Shop for Telco carrier/vendors Step 2: Sales Cycle Step 3: Sign long-term, lock-inagreements with vendors

•Want more network capacity?- Call up your vendor’s sales team

Traditional WAN: Leased Lines

23

Leased lines

TelcoNetwork

Regional Office UK

LAN

USAHead Office

Firewall / IPsec

Data Center Server

LAN

Data Center

USA

Data Center Server

LAN

@cohesiveFT#LASCON


copyright 2013

Cloud WAN: Network

24

Cloud

Step 1: Sign up for a cloud account Step 2: Enter credit card info Step 3: Configure & launch in the network of your choice

•Want more network capacity?- Change your settings


copyright 2013

Customer Use Cases

25

@cohesiveFT#LASCON


copyright 2013

Connecting mobile banking customers to a common cloud-based infrastructure.

Highlights:

Online & mobile banking company needed connectivity solution to meet regulatory requirements.

Financial customers could use a "security lattice" approach, encrypting their critical data in motion

Enabled customer to serve end customers from a common platform.

Multitenancy model allowed customer to pass along cloud economies of scale.

Multi-tenant cloud-based partner network

26

Data Center Server

Encrypted IPsec Tunnels

Home Network USA

Firewall / IPsec

Customer Data Center 2

USA


UK

Data Center Server

VNS3

Virtual Machine

Mobile Banking Platform

Cloud Region A Cloud Region B Cloud Region C Cloud Region D

Data Center Server

Customer Data Center N

USA


UK

Data Center Server Data Center Server


copyright 2013

Security Firm extended offerings with global cloud points of presence.

Highlights:

Global reach for products and global redundancy for security.

Needed secure connections to existing data centers and networks.

Access critical infrastructure “in region” without delays or capital of physical resources.

Offered global redundancy at dramatically lower cost than traditional infrastructure.

Cloud WAN for global reach and redundancy

Data Center

Active IPsec Tunnels

Frankfurt, Germany

Firewall / IPsec

Data Center Server

Customer 2Tokyo, Japan

Workstations

APAC-1

Cloud W

AN

Peered

US East Coast

VNS3Manager

Peered

Customer 1New York USA

OfficeLondon, UK

Data Center Server Data Center Server

VNS3Manager

VNS3Manager

Netherlands


copyright 2013

Cloud WAN connectivity without the expensive assets or contracts.

Highlights:

Global reach for products and global redundancy for security.

Needed secure connections to existing data centers and networks.

Access critical infrastructure “in region” without physical resources.

Offered global redundancy at dramatically lower cost.

Data Center


New York, USA

Firewall / IPsec

Data Center Server

Medical Office 2

San Francisco, USA

US-west-1

Cloud W

AN

Peered

VNS3Manager

Peered

Medical Office 1

CustomerHospitalBoston, USA

Data Center Server

VNS3Manager

VNS3Manager

US-east-1

Salt Lake City, USA

Private Cloud

SaaS portal SaaS portal

Pharmaceutical system federates infrastructure


copyright 2013

Cloud WAN connectivity without the expensive assets or contracts.

Highlights:

Africa has over 700 million mobile phone users, but SMS is separated by provider

Customer needed to integrate multiple national carriers’ infrastructure on “virtual" LAN

Build new virtual infrastructure without the capital outlay and physical constraints

Overlay network and public cloud let them compete like a global, connected telco giant

Federated SMS Network Patchworks in Africa

29

Cloud W

AN

SMS Advertiser’s Platform

Data Center

Lagos, Nigeria

Firewall / IPsec

Data Center Server

Johannesburg, South Africa

Data Center Server

Vodafone Customer

Accra, Ghana

MTM Customer

Accra, Ghana

Nigeria Nigeria Ghana Uganda Uganda

Public CloudPublic Cloud

VNS3Manager


copyright 2013

Coming Soon

32

@cohesiveFT#LASCON

Tin Can TelcoBig Brother and Telemarketers are not invited

source: charlespaolino.wordpress.com


http://charlespaolino.wordpress.com/2010/10/

http://charlespaolino.wordpress.com/2010/10/

copyright 2013

Questions?

CohesiveFT AmericasChicago, IL [email protected] 888.444.3962

CohesiveFT EuropeLondon, UK [email protected] +44 208 144 0156

33

cohesiveft.com/blogcloudcamp.org


mailto:[email protected]




copyright 2013

Problem:

• Enterprise software uses multicast protocols for service election and service discovery.

• Many public cloud providers block multicast protocols at the user layer.

Cloud Address Control

VNS3 Solution:

• Control static addressing of your cloud servers

• Local Area Network (LAN) address extension to the cloud

• Servers and Topologies behave as though the are running locally

• Application centric network is portable

35

Customer Data Center

VNS3 Manager

Standard IPsec Tunnel

Firewall / IPsec Device

Data Center Servers

Overlay IP: 172.31.11.xx

Public CloudRegion 1

LAN

Cloud Server Cloud Server

Overlay Network

IP: 192.168.1.xx

@cohesiveFT #LASCON


copyright 2013

VNS3 Solution:

• Send multicast traffic via VNS3 overlay network before it is rejected by underlying network infrastructure.

• Control all your protocols with VNS3.

Problem:

• Enterprise software uses multicast protocols for service election and service discovery.

• Many public cloud providers block multicast protocols at the user layer.

Cloud Protocol Control: Multicast




Data Center Servers

LAN


VNS3 Manager


Overlay Network

36

@cohesiveFT #LASCON


copyright 2013

Cloud Security Control: IPsec Tunneling

VNS3 Solution:

• Extend your network with industry standard IPsec.

• Use your existing network security appliances (Cisco, Juniper, Netscreen, SonicWall).

• Use your existing secure communication methods/practices the same as you currently connect offices, data centers or partners/customers.

Problem: Public Cloud is accessed via public internet.

Data Center


Data Center Servers


LAN


VNS3 Manager


Overlay Network

37

@cohesiveFT #LASCON


copyright 2013

VNS3 Solution:

• VNS3 Manager enables multiple IPsec connections to a cloud-based overlay network segment.

• Serves as user-controlled, virtualized switch/router (uSwitch) inside the provider cloud.

• Cloud deployed servers can communicate with multiple IPsec gateways via endpoint-to-endpoint encrypted connections.

Cloud Security Control: Multiple IPsec

Problem: Cloud providers limit the number of IPsec connections.

Customer Site N


Multiple IPsec Devices

Cloud Server


Customer Site 2

Customer Site 1

Cloud Server

VNS3 Manager

Overlay Network

38

@cohesiveFT #LASCON


copyright 2013

Use Existing Monitoring Tools

VNS3 Solution:

• Use your existing monitoring tools for cloud deployments.

• VNS3 allows you to use your existing NOC to monitor and manage devices in the data center and the cloud.

Problem: Cloud deployments cannot be connected to existing network operations center.



Data Center Servers

Virtual Network

Cloud Server


Overlay Network

Data Center Servers

Cloud Server

VNS3 Manager


39

@cohesiveFT #LASCON


copyright 2013

Customer-Partner Networks in Public Cloud

VNS3 Solution:

• Industry standard secure connectivity to isolated servers in public cloud.

• Data in motion in the public cloud is encrypted.

Problem: Securely connect customers, partners or branches to specific servers in shared infrastructure.

Partner Data CenterEMEA

Customer 2USA

Customer 1APAC


Firewall / IPsec

Customer - Partner Network

Phsyical Data CenterPrivate Cloud ServerNode

Cloud Deployment


VNS3 Manager

40

@cohesiveFT #LASCON


copyright 2013

VNS3 is a combination of 6 device types

Firewall

Dynamic & Scriptable SDN

Protocol Redistributor

IPsec/SSL VPN concentrator

Router Switch

VNS3

Hybrid virtual device able to

extend to multiple sites

Leading Application SDN (Software Defined Network) Appliance • Allows control, mobility & agility by separating network location and network identity • Control over end to end encryption, IP addressing and network topology


"How overlay networks can make public clouds your global WAN" by Ryan Koop of CohesiveFT at LASCON

Technology

Transcript of "How overlay networks can make public clouds your global WAN" by Ryan Koop of CohesiveFT at LASCON