Challenges in Deploying Public Clouds

Transcription

1 WHITE PAPER Ensuring Enterprise-grade Network Services for AWS Infoblox DDI for AWS increases cloud agility, supports consistent network policies across hybrid deployments, and improves visibility of public and hybrid cloud workloads.

2 Summary According to Gartner, by 2017 more than 50 percent of enterprises will use a hybrid cloud which typically includes traditional networks, private cloud, and/or public cloud. Over the past few years, enterprises have rapidly been moving their workloads to public clouds such as Amazon Web Services (AWS) to reduce the time to deploy new applications, consolidate their IT infrastructures for better analytical insights into their business, or just reduce infrastructure costs with a pay-for-use model among other reasons. However, while public clouds provide agility benefits, enterprises still face major challenges in reducing the complexity of operationalizing network infrastructure for public cloud. Specifically, network services such as DNS and IP address management become complicated because the need to manage multiple non-integrated point tools often causes inconsistency across enterprise-wide policies. Infoblox has extended its enterprise-grade DNS and IP address management solution to Amazon Web Services EC2. Fully integrated with our industry-leading Infoblox Grid technology, the Infoblox solution for AWS increases cloud agility, supports consistent network policies across hybrid deployments, and improves visibility of public cloud workloads. Challenges in Deploying Public Clouds Too often, public cloud services are thought of as a one-off deployment, especially in today s world of shadow IT, where lines of business deploy services in a vacuum as a way to speed deployment. However, network architects for enterprises that deploy public clouds have to create a consistent, automated, and uniform corporate-wide network in which the public cloud is merely an extension of their enterprise network. Without a consolidated, consistent network infrastructure integrated with the public cloud, organizations will not receive all of the benefits including agility, visibility, and security. To deliver a consistent network infrastructure in AWS or other public cloud platforms, a number of challenges need to be addressed. Network and IP Address Management For most hybrid cloud deployments, network and cloud administrators use separate tools to manage on-premises and public cloud networks because they have no centralized network and IP address management. Therefore, they face challenges in planning and deploying uniform networks and IP addresses, which in turn leads to increases in configuration and troubleshooting time. Secondly, a lack of discovery and tracking for the cloud-based resources reduces network visibility to the infrastructure. Trying to discover, track, and document the network and IP address assignments of AWS instances is virtually impossible with manual processes. Add the complexity of decommissioning instances, and most IT organizations have out-of-date and incorrect tracking of cloud-based resources. 1 WHITE PAPER Ensuring Enterprise-grade Network Services for AWS

3 Visibility Enterprises need a high level of visibility into network, DNS, and IP address configurations for both their on-premises and AWS infrastructure. Too often, IT teams must try and cobble together disparate, non-integrated tools to monitor their network resources for planning purposes. For compliance and security requirements, enterprises must also be able to audit and report on the use of network resources both current resources as well as historical tracking for decommissioned instances. For example, an auditor might ask to find out what instances/applications were using an IP address in the past or when a security event occurred on that particular IP address. Without complete visibility, historical views, and automation, most organizations will not have sufficient documentation to answer this request. Enterprise-grade Network Services for AWS Infoblox has been the leader in enterprise-grade network services including DNS and IP address management. And now with Infoblox DDI for AWS, organizations can leverage the integrated platform for public or hybrid cloud deployments. Infoblox DDI for AWS helps solve the network challenges described in the following sections. Enterprise-grade DNS Infoblox extends enterprise DNS into the AWS cloud so organizations have a robust, consolidated platform across traditional networks and public/hybrid clouds. As part of the Infoblox platform, enterprises can deploy Infoblox appliances into the AWS cloud by leveraging the Amazon Machine Images (AMI) into their AWS virtual private clouds (VPCs). These virtualized appliances can join an existing Infoblox Grid residing on a business s premises, thus extending DNS functionality from across the enterprise into the AWS cloud. DATA CENTER PRIMARY DNS GRID MASTER (GM) Enterprise Premises AWS Public Cloud SECONDARY DNS GRID MASTER CANDIDATE SECONDARY DNS Figure 1: Extending the Infoblox Grid for AWS 2

4 Automated Provisioning of Network, IP Addresses, and DNS Infoblox has introduced an API proxy functionality for AWS that allows enterprises to control network and IP address allocations for VPCs. Enterprises can ensure that these resources are predictably allocated, allowing for consistent and effective planning, tracking, and management of networks, IP addresses, and DNS records throughout the enterprise. AWS API Client (e.g., Ansible, Puppet, Chef scripts, etc.) VPC ID Network IP VPC-DEV / AWS API Endpoint VPC VPC ID Network IP DNS Record VPC-DEV / dev1.internal.com Typical Workflow 1. API: Create EC2 instance in VPC-Dev for network /16 2. GM reserves next available IP in network /16 for VPC-Dev and inserts into API request 3. API: create EC2 Instance in VPC-Dev 4. EC2 instance spun up with in VPC-Dev 5. API Response: Success 6. GM updates host records for EC2 instance 7. API Response: Success Figure 2: Automated provisioning of network, IP addresses, and DNS records When a new VPC/subnet/EC2 instance is created using AWS APIs, as shown in Figure 2, these APIs are directed to the API proxy software that is running on Infoblox appliances. These VPCs/subnets are stored in Infoblox database. So the next time a user makes an API call to spin up new EC2 instance, the API proxy software injects the next available IP address and signs the API call with the appropriate AWS credentials before forwarding it to the AWS endpoint. If the API call is successful in spinning up new EC2 instance, a DNS record will be automatically created so end-users can access the EC2 instance with the FQDN (fully qualified domain name) that was just created. Since the Infoblox DNS server is configured as an authoritative DNS server in AWS, the DNS records are created based on the internal zones configured in Infoblox DNS server. This also lets the enterprise enforce DNS naming as per corporate naming policy, since Infoblox serves the DNS record. The naming convention can easily be automated by supplying a prefix based on some fields and incrementally adding a number as the suffix for every new instance created. As the VPCs, subnets, and EC2 instances are deleted or spun down, Infoblox will automatically delete respective DNS records, IP addresses, and networks associated with those objects. Therefore, by using the Infoblox Grid, it is possible to always get the latest information on AWS networks, IP addresses, instances, etc. Additional value-added information like IP lease histories and usage of specific IP addresses in VPCs and subnets can also be acquired from the Grid. 3 WHITE PAPER Ensuring Enterprise-grade Network Services for AWS

5 Greater Network Visibility for the Enterprise Through the use of Infoblox vdiscovery, instances, networks, and VPCs are now visible in the Infoblox GUI just like the physical and other virtual resources. Network teams have single-pane-of-glass visibility to DNS configurations and IP address utilization in AWS, allowing them to verify security and compliance for their networks. A discovery solution for the AWS network (regions/vpc/ec2) is required on a periodic basis to update any external DNS/IPAM solution so its internal database is constantly updated to ensure consistency with the AWS configuration at all times. This solution is implemented in Infoblox by using AWS APIs with the supplied user credentials to learn about VPCs, subnets, instances, IP addresses, and associated metadata information. Figure 3: Infoblox GUI for cloud network resources Users also get additional (computed) information such as IP address lease histories, so they have historic correlations between IP addresses and AWS instances. They can also verify network access compliance rules of workloads such as what network(s) do any specific kind of workload live on? The hybrid Grid deployment model provides users a single unified view of their private cloud and AWS in one pane of glass. Infoblox has a reporting capability that can be used for analytics on AWS discovered data. Secure DNS Traditional general-purpose DNS server approaches often have major security risks, including extensive patches and multiple open ports. A networking best practice is to deploy hardened DNS servers to address all vulnerabilities of any standard operating system that DNS servers run on in addition to the vulnerabilities of the DNS protocol itself. The Infoblox appliance is a hardened Linux system that exposes services via standard ports such as https (443) and DNS (53), depending on the services enabled by the end-user. Remote command-line interface (CLI) access is optionally provided via ssh (22) to access a captive CLI interface. This CLI does not provide the end-user with access to a standard Linux shell. During operation, the root file system of this appliance is mounted read-only to guard against introduction of arbitrary code into the system. In addition, Infoblox has also implemented a security solution that guards against malware, botnets, and other malicious software, which can be added to the Infoblox DDI for AWS solution. Deployment Models There are essentially two models for deploying Infoblox DDI for AWS hybrid or full public deployment. Within these two models are a number of considerations that factor into how users design their implementations. The figures below explain these two most common deployment models. 4

6 AWS AWS REGION VPC 2 ON-PREMISES DATA CENTER GRID MASTER VPC 1 GRID MASTER SHARED SERVICE MANAGEMENT VPC Figure 4: Hybrid deployment of the Infoblox Grid Hybrid deployment means that there is a NIOS Grid on the corporate premises, and that deployment is extended into the AWS cloud. On the corporate premises, a NIOS appliance (either physical or virtual) functions as the Grid Master. In addition to this, there might be other NIOS appliances on the corporate premises linked as Grid members and providing different services such as DNS, IPAM, and reporting. Deploying an instance of vnios into AWS extends these functions locally into a given VPC. This Grid member, when deployed, automatically joins the existing Grid. A VPN connection to the AWS VPC is required to provide the needed connectivity between this member and the Grid Master on the premises. Existing instances, VPCs, and subnets will be discovered by either the Grid Master or the vnios instances by setting up the appliance to request discovery from an AWS endpoint. AWS REGION 1 VPC 2 REGION 2 VPC 2 PRIMARY DNS GM VPC 1 VPC 1 SECONDARY DNS Figure 5: Public cloud deployment 5 WHITE PAPER Ensuring Enterprise-grade Network Services for AWS

7 The second deployment model is a full public cloud deployment. As implied, the deployment of the NIOS Grid in its entirety will be in the AWS cloud. In this model the best practice is to use a shared-service VPC model with other VPC peers to the shared-service VPC. In this design the shared-service VPC where the Grid Master is located has VPN connections to provide the ability to manage them securely from the corporate environment. Additional appliances are deployed per region to provide service with the best performance in mind. VPCs, subnets, and instances are discovered using vdiscovery, and their data populated into the Grid Master GUI. Infoblox DDI Value over Traditional Solutions Enterprises use two solutions to try and solve the challenges for DNS and IPAM in the AWS cloud AWS Route 53 and Microsoft DNS/DHCP. These solutions solve some of the challenges, but neither can solve them completely. Route 53 Route 53 provides scalable and highly available DNS in the AWS Cloud. In addition to being able to route users to various AWS services, including EC2 instances, Route 53 also enables AWS customers to route users to non-aws infrastructure. Route 53 servers are distributed throughout the world. While this solution is comprehensive, it cannot address completely the challenges faced by the enterprise for IPAM and DNS, namely: DNS service only, not used for IPAM Good for externally facing DNS, but difficult to integrate with an enterprise s current internal DNS solution Still challenging to provide network teams with simple visibility into DNS and IPAM to ensure compliance on an ongoing basis needed for securing the networks AWS focus with no correlated views of hybrid networks Microsoft DNS and DHCP Microsoft DNS and DHCP services are widely used by enterprises for traditional networks and can be deployed as a virtual instance in AWS. Management of these services becomes more challenging as the number of devices added to the network grows at an accelerated rate. The tools available are cumbersome to use, forcing manual processes to take place and potentially introducing human error. Enterprises choosing to use Microsoft will find it very difficult to meet the challenges faced by deploying workloads into the public cloud. Microsoft DNS and DHCP services: Provide basic functions but lack easy integration across a diverse enterprise that has Microsoft DNS and BIND Rely heavily on the use of DHCP, which is not available in AWS Can introduce latency and out-of-synch issues in synchronizing databases across the enterprise and AWS Cannot provide single-pane-of-glass visibility across the enterprise and into the AWS cloud 6

8 Conclusion The automation of DNS, DHCP, and IPAM for AWS is essential for a complete enterprise public/hybrid cloud solution. Fully integrated with our industry-leading Grid technology, the Infoblox solution for AWS increases cloud agility, supports consistent network policies across hybrid deployments, and improves visibility of public cloud workloads. Infoblox DDI for AWS offers virtual appliances as AMI images, which can be deployed inside VPCs as Grid member appliances. These members are auto-provisioned, and managed centrally from a Grid Master that can be either deployed on an enterprise s premises or AWS. Thus, this solution offers a simple, unified hybrid cloud experience to the enterprise. By extending Infoblox DDI into the AWS cloud, enterprises can solve the challenges of providing an enterprise DNS across corporate and cloud infrastructure, giving network teams consistent and meaningful visibility into public cloud environments, and ensuring compliance with corporate network and IP address allocation and DNS policies. About Infoblox Infoblox (NYSE:BLOX) delivers critical network services that protect Domain Name System (DNS) infrastructure, automate cloud deployments, and increase the reliability of enterprise and service provider networks around the world. As the industry leader in DNS, DHCP, and IP address management, the category known as DDI, Infoblox ( reduces the risk and complexity of networking. 7 WHITE PAPER Ensuring Enterprise-grade Network Services for AWS

9 CORPORATE HEADQUARTERS: (toll-free, U.S. and Canada) EMEA HEADQUARTERS: APAC HEADQUARTERS: Infoblox, Inc. All rights reserved. Infoblox-WP Ensuring Enterprise-grade Network Services for AWS Sept 2015