Demo Day: Extending the WAN into AWS with SDWAN
Extending your WAN to the public cloud presents unique challenges to enterprise IT operators: WAN connectivity to cloud workloads must be managed to ensure optimal service, performance and security. In the final part of our webinar series, which is focused on SD-WAN and the Cloud, Viptela expert David Klebanov will demonstrate how simple it is to extend your WAN to your IaaS workloads, specifically those running in Amazon Web Services (AWS).
This demonstration will showcase:
- Simplicity of installation of Viptela vEdge Cloud
- Ease of policy configuration of your IaaS endpoint
- Utilization of multiple transport types for your Cloud workloads
- Value of single-pane-of-glass management of your WAN
David Klebanov is a senior infrastructure technologies professional with over 15 years of extensive experience in designing and deploying complex multidisciplinary networking environments.
Courtney: And, again, extending the Wide Area Network into AWS with SD-WAN. Our presenter here, David Klebanov, is coming to us as a senior infrastructure technology professional, with over 15 years of extensive experience in designing and deploying complex multidisciplinary network environments. We’re going to go through a demonstration that showcases [unintelligible 00:00:25] of installation of [unintelligible] cloud, and then, of course, the importance of AWS as they’re continuing their expansion into the cloud, and where we [go across] our SD-WAN extension. Great, take it away.
David: All right, thank you very much, Courtney. And thank you very much, everybody, for attending. So today we’re going to talk about AWS and how the Software-Defined Wide Area Network allows you to expand your [unintelligible 00:00:56] footprint from your traditional on-prem data centers and start leveraging the cloud more aggressively. Many of you are already on the journey to cloud adoption, so for the next 20 minutes or so we’re going to talk about what the options are for you to adopt the cloud where AWS plays a role. Of course, a central role. And then we’re going to walk through three different use cases, and then demonstrate one of the use cases.
So as we mentioned, traditional on-premises data centers have been the way that enterprise workloads have traditionally been positioned. That’s where your compute infrastructure is, that’s where – basically the crown jewels of your organizational IT. So as companies are realizing that cloud provides new opportunities for managing workload resources better and having a better user experience, what actually happens is that those workloads are transitioning from private data center clouds into the public clouds, or into clouds that integrate both the private and public clouds, creating, effectively, a hybrid cloud. That approach is well known as Infrastructure as a Service, and that’s, of course, where Amazon, Microsoft Azure and Google Compute Cloud play a role. This is your Infrastructure as a Service offering from those service providers.
The second direction that organizational workloads are taking is Software as a Service, where you are consuming cloud application resources. And, of course, the two most prominent examples are Office 365 and Salesforce, and also SAP, Dropbox, Box. These are very popular cloud application services that are consumed as Software as a Service. So instead of hosting those in your on-premises data centers, you can now consume those as a cloud application coming to you from, basically, the internet. So these are the two directions that the on-premises data center workloads are sort of shifting to.
Now, where does SD-WAN help, and how can Viptela help you on this journey? So we’re going to look at the two cloud-ready WAN approaches. The first one, let’s talk about Infrastructure as a Service, where your organizational workloads can now be residing in the cloud [compute] environment such as Amazon or Microsoft Azure.
So the approach that Viptela takes is allowing you to extend your SD-WAN fabric, your secure Software-Defined Wide Area Network fabric, straight into those public clouds, into AWS or Microsoft Azure, by positioning Viptela vEdge Cloud appliances, which is the [unintelligible 00:04:15] of the SD-WAN appliance, and [instantiating] them straight in those cloud environments.
What it creates is an approach where you have a single cohesive fabric that extends between your remote offices, branches, campuses, on-prem data center, and now into the cloud data center, providing you, basically, the same services that you experience when operating an SD-WAN environment, but now all the same services are also available and extended into the cloud computing environment. And centralized management is, of course, a very, very important piece of that infrastructure, where you can centrally manage how traffic is extended into your Amazon Web Services, for example. Bringing the Amazon Web Services [unintelligible 00:05:06] cloud in in a zero-touch and zero-trust manner is something that is inherent in a fabric approach.
And at the end, what you create here is an enterprise-grade SD-WAN solution that allows you to deliver [unintelligible] applications through to the workloads that have migrated to Amazon Web Services. So should you have multiple ways to connect to those workloads, the SD-WAN fabric is going to determine the optimal way, or the optimal transport, or optimal transports, if there’s more than one, in an active fashion, to deliver the traffic from your branches or on-prem data centers into the workloads that are now residing on AWS.
So in addition to the application SLA, you are also looking at a very extensive way of securing that infrastructure. And by securing the infrastructure we mean securing the infrastructure elements themselves, such as the vEdge Cloud appliances; securing the transport to get to those vEdge Cloud appliances, which would be through highly encrypted secure channels; and providing application security, which is the way that you would provide security services for the application traffic that actually goes over the channel.
Now, in addition to the… We see some people are saying that they do not see the PowerPoint. I’m not quite sure what that means, because we are sharing the PowerPoint. Maybe it’s a good time to ask somebody – if you guys don’t see the PowerPoint – okay. All right. It’s no hiccup. So, actually – okay, it was just one participant.
So an enterprise-grade SD-WAN also means additional security services, such as end-to-end segmentation. So as your workloads are segmented in your office, in your branch, in your data center, in your campus, that segmentation can now be extended into the public clouds as well. The ability to deliver [multi-topology] and to construct point-to-point, hub-and-spoke and regional mesh topologies, that’s also [something that comes in hand] with an SD-WAN solution. Service chaining, which is, in fact, what we’re going to demonstrate today, is the ability to chain a service, such as a firewall or an IDS, into the traffic path.
And so all of those are interesting elements of what it means to operate an enterprise-grade solution. And by extending that enterprise-grade SD-WAN fabric directly into the AWS services, you are bringing all this functionality right into your public cloud environment. So by adopting AWS or Microsoft Azure as your public cloud provider, you are not compromising on any of those enterprise-grade features. And at the end, it’s also high performance, because the data center workloads are many times very demanding from a performance standpoint, and high performance is something that is of great importance.
So that’s the philosophy around Infrastructure as a Service, and how you can make a cloud-ready Wide Area Network by adopting AWS, in particular, and also Microsoft Azure services.
The second approach is Software as a Service. As we discussed, these are the applications that are now consumed as a service through cloud service providers, and these are the [SaaS] services that are typically Office 365, Salesforce, Dropbox, and others. What the Viptela SD-WAN solution offers is the optimal access method to those cloud applications. And there’s lots of flexibility in how that access could be provisioned.
The deployment flexibility could be through direct internet access, where, for example, Microsoft, for Office 365 in particular, would strongly advocate direct internet access: the user traffic is split off straight from the remote branches, straight from those SD-WAN appliances, to the local internet breakouts, and accesses the Microsoft POPs based on the region where the users are. That’s, in fact, the preferred method for Office 365. Microsoft does not advocate any backhauling of the traffic; they would prefer that you go straight into the internet to access their POPs.
At the same time, there are other applications that may be a little bit more flexible as far as how the vendors behind those applications would prefer you to access them, and those could be more tolerant of regional internet access or even centralized internet access through your traditional data centers. These are all deployment flexibility options that you get when you embark on an SD-WAN story and consume Software as a Service.
Now, on top of all of that, is the network intelligence, to make sure that with that deployment flexibility, you are getting the intelligence for the network to automatically determine what is the best way for you to connect to those services if more than one is available. So, for example, for Office 365, direct internet access may be the preferred method, yet you may also have regional internet access provisioned through a regional data center or regional [unintelligible 00:10:53] facility. And if the local internet breakout starts misbehaving, the network can make an intelligent decision to send your traffic to the regional internet access and maintain the connectivity to the SaaS service. So network intelligence is an imperative part of the ability to optimally connect to those clouds and cloud applications.
So let’s look at three different use cases. We touched upon those a little bit before, but I want to take a few minutes to extend and expand on them.
So the first one is the hybrid cloud. So you are operating your on-premises data centers where you have your – for example, you are an SD-WAN customer, so you have your SD-WAN appliances that are connected in your traditional data center that you see on the top right. And then you have your branch offices, your campuses, your remote offices, all of these. You may or may not be using VPNs for segmentation.
VPNs are very convenient and practical tools to make sure that you have different tiers of access or segregation between multiple organizational units. Some use segmentation for the purposes of segmenting, for example, PCI compliant data or HIPAA compliant data. These are the more secure [sensitive] transactions that [want to be] segmented off from the rest of the traffic, which is, for example, HR data or finance data, or internet browsing, HVAC systems, whatever the case may be. So VPNs provide a very convenient means of segmentation.
So you’re doing this today between your branch offices and the data centers; now you want to start leveraging AWS as an extension of your data center, effectively building a hybrid cloud. What you can do is, as we discussed, instantiate the same infrastructure, vEdge Cloud, in the AWS VPCs. Those can be instantiated in different AWS regions, based on the geographical footprint that you would like to achieve. And all of those are cohesively connected into the same transport-independent SD-WAN fabric. So you would not distinguish between an on-premises data center and AWS region 1, or 2, or 3; for you this is all going to look like one cohesive compute infrastructure that is just conveniently connected through the transport-independent SD-WAN fabric.
This allows you to shift the workloads between AWS regions, or from the data center into an AWS region, so there are lots of possibilities for how you can start leveraging the hybrid approach in this case, right? You don’t have to shift the workloads, of course. You can have different workloads: you can keep some of the workloads in your traditional data center, and move some of the other workloads into AWS. So, as I mentioned, there are lots of options for you to leverage here.
The second use case is regional cloud application access. Typically we think about AWS as basically a place where you put your workloads. And that’s a very traditional sort of mindset as far as how AWS can be leveraged. But this case takes a little bit different approach, and it says that since I have my footprint now extended into AWS, why can’t I start treating the AWS instances as my regional [exit] points into my cloud applications? So as you can see here, we have the vEdge Cloud appliances, and you can see that they can be deployed in high availability, so basically they’re pairs, and they can be deployed in multiple AWS regions. And as you can see, they are all part of the same cohesive fabric.
So what we can establish, is we can establish the regional internet exit points through those AWS instances. And, again, because they are regionally distributed, those would be also geographically dispersed, so you can send the traffic from the offices that are closer to a specific region through that region to maintain the optimal path.
So after establishing this regional cloud application access perimeter, so to speak, the vEdge Cloud appliances in AWS, [virtual] appliances in AWS, will start performing quality probing to actually understand what the performance characteristics are that Office 365 exhibits, or what the performance characteristics of Salesforce are, from the individual location where the vEdge Cloud was provisioned.
Some of those vEdge appliances at the remote offices, or campus, in this case, can also be provisioned with direct internet access. So, effectively, direct internet access allows you to access those cloud applications without going through the regional internet exit points. And you may have multiple ISPs that are connected at that remote location. So, as you can see, from the standpoint of an individual user that is trying to access those applications, for example, think about a user residing in a campus, they now have multiple ways to access, for example, Office 365. They have direct internet access through either ISP A or ISP B, and they also have an option to go through an AWS region where the SD-WAN fabric has been extended.
So the question is, what is the optimal way for that user to access those cloud applications? And that’s exactly where the network intelligence that we mentioned before comes into play, and the quality probing mechanism that actually looks at the performance of Office 365 applications will make sure that the user traffic takes the optimal path to Office 365 or any other SaaS application. And, as you can see here, one of the remote offices may prefer AWS region A, the branch office may prefer AWS region B, and a campus user may prefer ISP B through direct internet access.
Should any changes occur in the performance characteristics of how Office 365 is accessed, the network is able to dynamically shift that traffic from direct internet access into the regional internet exit, if the local breakout becomes less preferred, or maybe keep the local breakout but shift from one ISP to another ISP, if I had ISP A and ISP B in place. So I can shift the traffic, still keep the local breakout, but shift it from ISP B to ISP A.
So there’s lots of interesting options that are available for effective and efficient cloud application access through either direct internet access, or regional internet access, and leveraging, again, the AWS infrastructure as a way for you to get to those cloud applications.
Now, case number three is somewhat similar to case number two. It’s, again, considering the vEdge Clouds that are deployed in AWS. So we talked about the possibility of positioning the workloads. The second is to provision internet access. The third one here is, in fact, provisioning security infrastructure in an AWS VPC. That could be your firewall, IDS, IPS, data [width] protection, or whatever security appliance of your choice that you want to provision in that AWS VPC.
So those appliances are front-ended by the vEdge Clouds, and that allows the fabric to intelligently steer the traffic through service insertion into those AWS regions for security policy enforcement. So should some security event occur in any one of the remote offices, for example, a DDoS attack that started, a virus outbreak, a malware outbreak, anything that is a security incident that you would now like to prevent from spreading all over your network and attacking your organizational data centers, or cloud data centers that are also in AWS, you can leverage service insertion through the AWS VPC to make sure that this attack vector is no longer possible, and protect your compute resources.
So again, it’s an interesting way of looking at how you can leverage AWS to actually host your security elements. And, again, the three methods that we talked about are providing workloads in AWS, providing internet access through AWS, and providing security policy enforcement through AWS.
So these are the three cases that we wanted to cover today, and I wanted to do a quick demonstration for you for use case number three. So let me stop sharing my presentation, and show you [our environment].
Courtney: Great. And as a quick reminder, there is a Q&A box there, and, of course, a chat box, whichever is easier for the participants and our attendees here to submit, and go ahead and join in the conversation.
David: Thank you, Courtney. So what you are seeing here is a tool which we call vManage, which is the central management point for your entire SD-WAN fabric. It allows you to perform all the operational, configuration, troubleshooting [unintelligible 00:21:03] steps that you would want to do as a single [unintelligible] for the entire Viptela SD-WAN fabric solution.
So what we see here is that there are several vEdge devices that have been provisioned in our system. The two devices you see here are called Regional Data Center 1 and Regional Data Center 2. Well, one of them is, in fact, provisioned inside the AWS VPC environment. So let me quickly go into the EC2 Management Console, just to show you what we have running in there. What we have is one vEdge Cloud instance, which is the SD-WAN appliance, and connected to that, there’s a machine that runs an intrusion detection system, which in fact runs [unintelligible 00:21:53], which is an open-source IDS.
So what I’ve done is I’ve used my AWS VPC to first extend my fabric into the AWS VPC by positioning the vEdge Cloud in there, and second, an intrusion detection device inside that AWS VPC, so I can steer the traffic of interest to that intrusion detection appliance, to make sure that I have conformance with the policy, and, in fact, stop a denial-of-service attack that we’re going to initiate. So let me go back into vManage.
Let me now show you here, under the network, if I go to this Regional Data Center 2 device, and then I go into the real-time information, and I query the services that this vEdge Cloud advertises, what I can see is that it advertises a service called IDS into a specific VPN, which is VPN 1. And, again, VPN is a very powerful concept in networking in general, and in SD-WAN in particular. We here at Viptela make very extensive use of the VPN philosophy. So, as you can see here, not only am I advertising an intrusion detection system out of that vEdge Cloud, which is positioned in AWS, I’m also advertising that into a specific VPN.
So think about that. Not only do you segment your environment, but you can now have different behaviors for each one of the segments. There could be a VPN 2, which is not present here, but you could have a VPN 2 that would not have IDS in it; it may have a firewall in it. Or you may have a VPN 3 that has IDS and firewall in it, where you can service chain through both. So you can see it’s a very, very powerful method, VPN is a very powerful method, and we’re leveraging that to the fullest extent. And in this case, we’re advertising the IDS service into that VPN.
What we also have, under policy, is a policy that we have attached here, or activated. What that policy does is it allows the traffic of interest to be steered into that vEdge Cloud and handed over to the IDS appliance for inspection.
So let’s go back.
What you see here is a client desktop. Imagine this is something that is operating in your, let’s say, branch office. You have a data center that is also in your network, and in the data center you have a web server. So what we’re going to do is I’m just going to browse to that web server, and, as you can see, it’s really just a very simple webpage. In fact, it [unintelligible 00:24:51] server, just to demonstrate to you that I have the ability to reach the data center web server through just a regular HTTP connection. So that is available.
Now what I can do, in addition to the HTTP, is actually go and start a flood of high-frequency ICMP packets that are going to the same IP address of 192.168.410, which is the IP address of the server that is located in the data center. Now, let me go and show you the machine that runs the intrusion detection appliance. That is the machine that is positioned in AWS, and is behind the vEdge Cloud in the AWS VPC. As you can see, this counter is [incrementing] rapidly. These are the high-frequency ICMP flood packets that are being sent, or being attempted to be sent, from the branch machine, which may have been infected and is trying to carry out a denial-of-service attack against the compute resources in the data center.
And as you can see, this traffic is now being sent to the intrusion detection device in AWS, and is not allowed to continue to the data center, so your data center resources are fully protected. As you can see, if I go into the web server, I can still open it. So as you can see, I am preventing a denial-of-service attack against my infrastructure, yet I am not preventing any of the functionality. And that’s really the power of the service insertion solution and service chaining, and, in this case, we’re also leveraging that service chaining through the AWS VPC to make sure that my data center resources are protected.
That’s the extent of what we wanted to share with you today. I hope that this was informative. And, of course, the recording is going to be available later, when Courtney…
Courtney: We’ll be [sending it out to] everybody that participated today, of course, and anyone else that has registered and wasn’t able to attend today. Again, it’ll also be available on our website for downloading, and the transcription as well as the slides will be there as well. Thank you so much for joining, and if anyone has any questions or follow-ups, please reach out to us, and we’ll be sure to get back to you. Thanks again, [unintelligible 00:27:33].
David: Thank you so much.
Courtney: We kept this one nice and short for everybody to get back to their days. All righty. Take care.
David: All right.