The presentation "How overlay networks can make public clouds your global WAN", given by Ryan Koop of CohesiveFT on Oct 24, 2013 at LASCON in Austin, TX.
Enterprises, organizations and governments are realizing the benefits of cloud flexibility, cost savings, scalability and connectivity. Yet the traditional approach focuses too much on the underlying infrastructure instead of on the applications.
So who is building solutions for the people who work at the application layer? Are software-defined things secure?
With a focus on application-layer integration, governance and security, overlay networks let developers, and the enterprise apps they work with, use the public clouds as a global WAN, not just as extra storage.
Developers can build on top of overlay networking to extend traditional networks into the cloud with added security such as encryption, IPsec connections, VLANs and VPNs into the public cloud networks.
Prime examples are previously cost-prohibitive projects that can now use public clouds as global points of presence to create a cloud WAN to partners and customers.
1. How overlay networks can make public clouds your global WAN
Ryan Koop, CohesiveFT
@cohesiveFT #LASCON
copyright 2013
Thursday, October 24, 13
2. Oh, hello
During Business Hours++
Ryan Koop (@ryankoop), Director of Product & Marketing, Co-founder
Ryan is responsible for product development and manages teams for public relations, international events, and content marketing. His role spans the technical product development, customer support, business development and thought leadership needs of a growing company.
Before CohesiveFT, Ryan worked at a trading platform software company in the US Derivative Markets.
After Hours
[Image: Chicago District Golf Association (www.cdga.org) handicap card for Ryan Koop, 2013 Gold Member, USGA handicap index 18.9]
3. Agenda
• Background - Cloud and networking experience
• Cloud Market and Players
• Moore's Law and Cloud WAN Costs
• Traditional WAN vs Cloud WAN
• Case Studies - Customers Building Cloud WANs
• My CloudWAN
5. Where we fit
Who We Are
• Cohesive Flexible Technologies Corp. (CohesiveFT)
• Founded in 2006 by IT and capital markets professionals
• First product launched in 2007 with multiple product revisions each year
• Customers have secured 80M virtual device hours in public, private, & hybrid clouds
• Offices in Chicago, London, Belo Horizonte and Palo Alto
What We Do
• Connect apps to cloud IaaS and provide network interoperability and virtual image interoperability
• Software defined network (SDN) enables applications to be deployed to or across any public or private cloud
• Enterprise image management allows customers to import, transform and deliver their server images to the cloud
• Enable enterprises to run business operations in the cloud, helping migrate and extend both customer facing systems and internal operational platforms
6. Even your mom knows about cloud
[Diagram: the cloud service stack - IaaS (Compute, Storage, Network), PaaS, SaaS - with Google as an example]
7. Buzz word Bingo!
• Overlay Networking - CohesiveFT term for NFV, 5+ years old
• Network Function Virtualization (NFV) - new hotness
- Network independent from hardware; runs in the virtual layer
- Isolation between the virtual network, physical network and control plane
- Programmatic network provisioning and control
• Software Defined Networking (SDN) - Capital B Billion
- Networks that can be configured through an API
- OpenFlow (Nicira) pure view is separation of the control plane from the forwarding plane
- What is managing the network vs what moves the packets around the network
[Diagram: OpenFlow, SDN, NFV]
8. (Network) Control is King
Application-Centric SDN
• Help me run my business in the cloud NOW.
• Extends control of the application owner from the data center to the cloud
Infrastructure SDN
• Optimizes service provider data center operations
[Diagram: layer stack from Layer 0 to Layer 7, split into a Hardware Layer (Cloud Owner, e.g. Alcatel), a Virtual Layer (VNS3) and an Application Layer (Application Owner); the boundary between the cloud owner's layers and the application owner's layers is the limit of user access, control and visibility]
9. No security without NFV
[Diagram: six device types - Firewall, Dynamic & Scriptable SDN, Protocol Redistributor, IPsec/SSL VPN concentrator, Router, Switch - combined into one NFV hybrid virtual device able to extend to multiple sites]
Overlay Network Appliances
• Allow control, mobility & agility by separating network location and network identity
• Control over end to end encryption, IP addressing and network topology
10. Defense in Depth
Cloud networks combine with user & provider firewalls and isolation features to create a "security lattice" with layers of security.
Some key security elements must be controlled by the user but separate from the provider.
[Diagram: the lattice layers, from provider to user]
• Provider Owned/Provider Controlled
• Provider Owned/User Controlled
• VNS3 - User Owned/User Controlled
• User Owned/User Controlled
11. Overlay Networks allow federated and hybrid clouds
[Diagram: a VNS3 overlay network, subnet 172.31.0.0/22, spanning the peered US East 1 and US West regions. Three VNS3 managers (public IPs 184.73.174.250, 54.246.224.156 and 192.158.29.143; overlay IPs 172.31.1.250, 172.31.1.246 and 172.31.1.242) serve Cloud Servers A to F with overlay IPs 172.31.1.1, .5, .9, .13, .17 and .21. Active IPsec tunnels, plus a failover IPsec tunnel, connect the overlay to a customer data center in London, UK (remote subnet 192.168.4.0/24, data center servers at LAN IPs 192.168.4.50 and 192.168.4.100) and a customer remote office in Chicago, IL USA (remote subnet 192.168.3.0/24, user workstations at LAN IPs 192.168.3.50 and 192.168.3.100), each behind a Cisco firewall/IPsec device (5505 and 5585). Tunnel selectors: 192.168.4.0/24 - 172.31.1.0/24 and 192.168.3.0/24 - 172.31.1.0/24.]
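Before the site-to-site IPsec tunnels in a topology like the one above are brought up, a practitioner wants to confirm the address plan is consistent: every overlay host sits inside the overlay subnet, no site subnet overlaps the overlay (or another site), and each tunnel selector pairs a known site subnet with a prefix inside the overlay. This added example (not CohesiveFT's or VNS3's code; the address plan is a constructed sample taken from the diagram's labels, not a VNS3 configuration format) performs those checks with the standard library:

```python
import ipaddress
from itertools import combinations

# Sample address plan constructed from the diagram labels (illustration only)
OVERLAY_SUBNET = "172.31.0.0/22"
OVERLAY_HOSTS = {
    "Cloud Server A": "172.31.1.1", "Cloud Server B": "172.31.1.5",
    "Cloud Server C": "172.31.1.9", "Cloud Server D": "172.31.1.13",
    "Cloud Server E": "172.31.1.17", "Cloud Server F": "172.31.1.21",
    "VNS3 1": "172.31.1.250", "VNS3 2": "172.31.1.246", "VNS3 3": "172.31.1.242",
}
SITE_SUBNETS = {"Chicago remote office": "192.168.3.0/24",
                "London data center": "192.168.4.0/24"}
# IPsec traffic selectors as labelled on the diagram: (site side, overlay side)
TUNNELS = [("192.168.4.0/24", "172.31.1.0/24"), ("192.168.3.0/24", "172.31.1.0/24")]


def hosts_outside_overlay(overlay=OVERLAY_SUBNET, hosts=OVERLAY_HOSTS):
    """Names of hosts whose overlay address is not inside the overlay subnet."""
    net = ipaddress.ip_network(overlay)
    return sorted(n for n, a in hosts.items() if ipaddress.ip_address(a) not in net)


def overlapping_subnets(subnets):
    """Pairs of subnets that overlap; any overlap makes routing over the tunnels ambiguous."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]


def selector_problems(tunnels=TUNNELS, sites=SITE_SUBNETS, overlay=OVERLAY_SUBNET):
    """Each tunnel's site side must be a known site subnet and its overlay side
    must lie within the overlay subnet; anything else is a misconfigured selector."""
    overlay_net = ipaddress.ip_network(overlay)
    site_nets = {ipaddress.ip_network(s) for s in sites.values()}
    problems = []
    for local, remote in tunnels:
        if ipaddress.ip_network(local) not in site_nets:
            problems.append(f"unknown site subnet {local}")
        if not ipaddress.ip_network(remote).subnet_of(overlay_net):
            problems.append(f"{remote} is not inside overlay {overlay}")
    return problems


def validate_plan():
    """Run every check over the sample plan; an empty list means it is consistent."""
    all_subnets = [OVERLAY_SUBNET, *SITE_SUBNETS.values()]
    return (hosts_outside_overlay()
            + [f"overlap {a} / {b}" for a, b in overlapping_subnets(all_subnets)]
            + selector_problems())
```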
16. Compute locally or reach across the network to the public cloud?
Jim Gray's "Distributed Computing Economics" updated for 2013

                                         | WAN Bandwidth/mo. | CPU Hours (All Cores)                       | Disk
Items in 2003 [1]                        | 1 Mbps WAN link   | 2 GHz CPU, 2 GB DRAM                        | 200 GB (50 MB/s)
Cost 2003 [1]                            | $100/mo.          | $2,000                                      | $200
$1 buys in 2003 [1]                      | 1 GB              | 8 CPU hours                                 | 1 GB
Item in 2008 [2]                         | 100 Mbps WAN link | 2 GHz, 2 socket, 4 cores/socket, 4 GB DRAM  | 1 TB disk, 115 MB/s sustained transfer
Cost in 2008 [2]                         | $3,600/mo.        | $1,000                                      | $100
$1 buys in 2008 [2]                      | 2.7 GB            | 128 CPU hours                               | 10 GB
Cost/Performance Improvement             | 2.7x              | 16x                                         | 10x
Cost to Rent $1 worth on AWS in 2008 [2] | $0.27-$0.40       | $2.56                                       | $1.20-$1.50
Cost to Rent $1 worth on AWS in 2013     | $0.15-$0.36       | $0.832 (m1.xlarge spot price x 16 hours)    | $1 for EBS, $0.95 for S3
2008 to 2013 savings                     | 10%-44%           | 67%                                         | 21%-33%

[1] Jim Gray, Distributed Computing Economics (Redmond: Microsoft Research), 63-68. Available from: http://goo.gl/NvQ7OX.
[2] Michael Armbrust, Armando Fox, Rean Griffith, Anthony D. Joseph, Randy H. Katz, Andrew Konwinski, Gunho Lee, David A. Patterson, Ariel Rabkin, Ion Stoica, and Matei Zaharia, Above the Clouds: A Berkeley View of Cloud (University of California, Berkeley: EECS Department), 12-14. Available from: http://goo.gl/veBurD.
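The table's derived rows (improvement factors and savings ranges) follow from its "$1 buys" and AWS-rent figures, and Gray's question, compute locally or ship the data, reduces to one ratio: how many CPU hours the dollar spent moving one gigabyte would have bought instead. This added example (not from the slides or the cited papers) recomputes those rows from the table's numbers and carries the break-even ratio through to the 2013 AWS prices; it assumes the 2013 CPU figure is the m1.xlarge spot price shown and treats the S3/EBS pair as a price range.

```python
# Added worked example: reproduces the table's derived rows from its "$1 buys" and
# AWS-rent figures, then applies Gray's break-even rule - moving a gigabyte across
# the WAN only pays when the computation done on it costs at least as much.

# "$1 buys" per column (WAN GB transferred, CPU hours, disk GB), from the table
DOLLAR_BUYS_2003 = {"wan_gb": 1.0, "cpu_hours": 8.0, "disk_gb": 1.0}
DOLLAR_BUYS_2008 = {"wan_gb": 2.7, "cpu_hours": 128.0, "disk_gb": 10.0}
# Cost to rent the 2008 "$1 worth" on AWS, as (low, high) over the table's ranges;
# the 2013 disk pair is S3 ($0.95) and EBS ($1) treated as a range (assumption)
AWS_2008 = {"wan_gb": (0.27, 0.40), "cpu_hours": (2.56, 2.56), "disk_gb": (1.20, 1.50)}
AWS_2013 = {"wan_gb": (0.15, 0.36), "cpu_hours": (0.832, 0.832), "disk_gb": (0.95, 1.00)}


def improvement(old=DOLLAR_BUYS_2003, new=DOLLAR_BUYS_2008):
    """Cost/performance improvement factor per column: 2.7x, 16x, 10x."""
    return {k: round(new[k] / old[k], 2) for k in old}


def savings_percent(before=AWS_2008, after=AWS_2013):
    """Percent saved on the same '$1 worth' between 2008 and 2013, as a (min, max)
    range in tenths of a percent; the table rounds these to whole percent."""
    out = {}
    for k, (b_lo, b_hi) in before.items():
        a_lo, a_hi = after[k]
        cases = (round(100 * (b_hi - a_hi) / b_hi, 1),  # high 2008 price vs high 2013
                 round(100 * (b_lo - a_lo) / b_lo, 1))  # low 2008 price vs low 2013
        out[k] = (min(cases), max(cases))
    return out


def breakeven_cpu_hours_per_gb(dollar_buys):
    """CPU hours the dollar spent shipping one GB would have bought instead.
    Below this much work per GB, compute where the data already is."""
    return round(dollar_buys["cpu_hours"] / dollar_buys["wan_gb"], 1)


def aws_breakeven_2013(dollar_buys=DOLLAR_BUYS_2008, aws=AWS_2013):
    """The same ratio at 2013 AWS rental prices (m1.xlarge spot for CPU), as a
    (low, high) range over the WAN price range."""
    cpu_hour_price = aws["cpu_hours"][0] / dollar_buys["cpu_hours"]
    return tuple(round(p / dollar_buys["wan_gb"] / cpu_hour_price, 1)
                 for p in aws["wan_gb"])
```

The break-even falls from 8 CPU hours per GB (2003) to about 47 (2008) and then to roughly 8.5-20.5 rented hours per GB at 2013 AWS prices, which is the arithmetic behind reaching across the network to the cloud.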
17. Traditional vs Cloud WAN
There is plenty of cloud fluff, but the decision usually comes down to the following:
1. hardware refresh cycle
2. project budget
3. organizational expertise
4. MBOs
5. revenue targets
6. job function/role
19. Traditional WAN: Points of Presence
Step 1: Shop for real estate
Step 2: Become an expert in facilities management, A/C, construction, door locks, etc.
Step 3: Hire a team of 24x7x365 security guards
-OR-
Sign deals with Telco carriers
• Want more POPs?
- Start again at step 1
[Images: DatacenterKnowledge.com, Google.com]
20. Cloud WAN: Points of Presence
Step 1: Sign up for a cloud account
Step 2: Enter credit card info
Step 3: Configure & launch in the region of your choice
• Want more POPs?
- Change your settings
21. Traditional WAN: Network Kit
Step 1: Call your hardware vendor
Step 2: Sign another contract
Step 3: Hire staff to install, test and connect new hardware in your data centers
-OR-
Sign deals with Telco carriers
• Want more compute?
- Prepare for budget shock, then start again at step 1
[Images: Cisco.com, Colourbox.com]
22. Cloud WAN: Network Capacity
Step 1: Sign up for a cloud account
Step 2: Enter credit card info
Step 3: Configure & launch instances of your choice
• Want more compute capacity?
- Add more VMs
23. Traditional WAN: Leased Lines
Step 1: Shop for Telco carriers/vendors
Step 2: Sales cycle
Step 3: Sign long-term, lock-in agreements with vendors
• Want more network capacity?
- Call up your vendor's sales team
[Diagram: a head office (USA), a regional office (UK) and a data center (USA), each with a LAN, firewall/IPsec and data center servers, joined by leased lines across the telco network]
24. Cloud WAN: Network
Step 1: Sign up for a cloud account
Step 2: Enter credit card info
Step 3: Configure & launch in the network of your choice
• Want more network capacity?
- Change your settings
26. Connecting mobile banking customers to a common cloud-based infrastructure.
Highlights:
• Online & mobile banking company needed a connectivity solution to meet regulatory requirements.
• Financial customers could use a "security lattice" approach, encrypting their critical data in motion.
• Enabled the customer to serve end customers from a common platform.
• Multitenancy model allowed the customer to pass along cloud economies of scale.
Multi-tenant cloud-based partner network
[Diagram: a mobile banking platform running on VNS3 virtual machines across Cloud Regions A to D, with encrypted IPsec tunnels to Customer Data Centers 1 (UK), 2 (USA), 3 (UK) and N (USA) and to a home network (USA), each site behind a firewall/IPsec device with its own data center servers]
27. Security firm extended offerings with global cloud points of presence.
Highlights:
• Global reach for products and global redundancy for security.
• Needed secure connections to existing data centers and networks.
• Access critical infrastructure "in region" without delays or the capital of physical resources.
• Offered global redundancy at dramatically lower cost than traditional infrastructure.
Cloud WAN for global reach and redundancy
[Diagram: a Cloud WAN of peered VNS3 Managers (US East Coast, APAC-1, Netherlands) with active IPsec tunnels to a data center in Frankfurt, Germany, Customer 1 in New York, USA, Customer 2 workstations in Tokyo, Japan, and an office in London, UK]
28. Cloud WAN connectivity without the expensive assets or contracts.
Highlights:
• Global reach for products and global redundancy for security.
• Needed secure connections to existing data centers and networks.
• Access critical infrastructure "in region" without physical resources.
• Offered global redundancy at dramatically lower cost.
Pharmaceutical system federates infrastructure
[Diagram: a Cloud WAN of peered VNS3 Managers in US-east-1, US-west-1 and a private cloud in Salt Lake City, USA, with active IPsec tunnels to a data center in New York, USA, a customer hospital in Boston, USA, Medical Office 1, Medical Office 2 in San Francisco, USA, and SaaS portals]
29. Cloud WAN connectivity without the expensive assets or contracts.
Highlights:
• Africa has over 700 million mobile phone users, but SMS is separated by provider.
• Customer needed to integrate multiple national carriers' infrastructure on a "virtual" LAN.
• Build new virtual infrastructure without the capital outlay and physical constraints.
• Overlay network and public cloud let them compete like a global, connected telco giant.
Federated SMS Network Patchworks in Africa
[Diagram: an SMS advertiser's platform in public clouds (Nigeria, Ghana, Uganda) under a VNS3 Manager Cloud WAN, with firewall/IPsec links to data centers in Lagos, Nigeria and Johannesburg, South Africa and to Vodafone and MTM customers in Accra, Ghana]
35. Cloud Address Control
Problem:
• Enterprise software uses multicast protocols for service election and service discovery.
• Many public cloud providers block multicast protocols at the user layer.
VNS3 Solution:
• Control static addressing of your cloud servers
• Local Area Network (LAN) address extension to the cloud
• Servers and topologies behave as though they are running locally
• Application centric network is portable
[Diagram: a customer data center (firewall/IPsec device, data center servers, LAN) connected by a standard IPsec tunnel to a VNS3 Manager in Public Cloud Region 1, whose overlay network carries the cloud servers; address labels shown are Overlay IP 172.31.11.xx and Overlay Network IP 192.168.1.xx]
36. Cloud Protocol Control: Multicast
Problem:
• Enterprise software uses multicast protocols for service election and service discovery.
• Many public cloud providers block multicast protocols at the user layer.
VNS3 Solution:
• Send multicast traffic via the VNS3 overlay network before it is rejected by the underlying network infrastructure.
• Control all your protocols with VNS3.
[Diagram: a customer data center (firewall/IPsec device, data center servers, LAN) connected by a standard IPsec tunnel to a VNS3 Manager and its overlay network of cloud servers in Public Cloud Region 1]
37. Cloud Security Control: IPsec Tunneling
Problem: Public Cloud is accessed via the public internet.
VNS3 Solution:
• Extend your network with industry standard IPsec.
• Use your existing network security appliances (Cisco, Juniper, Netscreen, SonicWall).
• Use your existing secure communication methods/practices, the same as you currently use to connect offices, data centers or partners/customers.
[Diagram: a data center (firewall/IPsec device, data center servers, LAN) connected by a standard IPsec tunnel to a VNS3 Manager and its overlay network of cloud servers in Public Cloud Region 1]
38. Cloud Security Control: Multiple IPsec
Problem: Cloud providers limit the number of IPsec connections.
VNS3 Solution:
• VNS3 Manager enables multiple IPsec connections to a cloud-based overlay network segment.
• Serves as a user-controlled, virtualized switch/router (uSwitch) inside the provider cloud.
• Cloud deployed servers can communicate with multiple IPsec gateways via endpoint-to-endpoint encrypted connections.
[Diagram: Customer Sites 1, 2 and N, each with its own IPsec device, connected by standard IPsec tunnels to a single VNS3 Manager and its overlay network of cloud servers in Public Cloud Region 1]
39. Use Existing Monitoring Tools
Problem: Cloud deployments cannot be connected to the existing network operations center.
VNS3 Solution:
• Use your existing monitoring tools for cloud deployments.
• VNS3 allows you to use your existing NOC to monitor and manage devices in the data center and the cloud.
[Diagram: a customer data center (data center servers, firewall/IPsec device, virtual network) connected by a standard IPsec tunnel to a VNS3 Manager and its overlay network of cloud servers in Public Cloud Region 1]
40. Customer-Partner Networks in Public Cloud
Problem: Securely connect customers, partners or branches to specific servers in shared infrastructure.
VNS3 Solution:
• Industry standard secure connectivity to isolated servers in public cloud.
• Data in motion in the public cloud is encrypted.
[Diagram: a customer-partner network in which a partner data center (EMEA), Customer 1 (APAC) and Customer 2 (USA) connect through firewall/IPsec devices over active IPsec tunnels to a VNS3 Manager fronting a cloud deployment in Public Cloud Region 1 (labels: Physical Data Center, Private Cloud Server Node, Cloud Deployment)]
41. VNS3 is a combination of 6 device types
[Diagram: Firewall, Dynamic & Scriptable SDN, Protocol Redistributor, IPsec/SSL VPN concentrator, Router and Switch combined into VNS3, a hybrid virtual device able to extend to multiple sites]
Leading Application SDN (Software Defined Network) Appliance
• Allows control, mobility & agility by separating network location and network identity
• Control over end to end encryption, IP addressing and network topology