Challenges in Deploying Public Clouds


WHITE PAPER

Ensuring Enterprise-grade Network Services for AWS

Infoblox DDI for AWS increases cloud agility, supports consistent network policies across hybrid deployments, and improves visibility of public and hybrid cloud workloads.

Summary

According to Gartner, by 2017 more than 50 percent of enterprises will use a hybrid cloud, which typically includes traditional networks, private cloud, and/or public cloud. Over the past few years, enterprises have rapidly been moving their workloads to public clouds such as Amazon Web Services (AWS) to reduce the time to deploy new applications, consolidate their IT infrastructures for better analytical insights into their business, or just reduce infrastructure costs with a pay-for-use model, among other reasons. However, while public clouds provide agility benefits, enterprises still face major challenges in reducing the complexity of operationalizing network infrastructure for public cloud. Specifically, network services such as DNS and IP address management become complicated because the need to manage multiple non-integrated point tools often causes inconsistency across enterprise-wide policies.

Infoblox has extended its enterprise-grade DNS and IP address management solution to Amazon Web Services EC2. Fully integrated with our industry-leading Infoblox Grid technology, the Infoblox solution for AWS increases cloud agility, supports consistent network policies across hybrid deployments, and improves visibility of public cloud workloads.

Challenges in Deploying Public Clouds

Too often, public cloud services are thought of as a one-off deployment, especially in today's world of shadow IT, where lines of business deploy services in a vacuum as a way to speed deployment. However, network architects for enterprises that deploy public clouds have to create a consistent, automated, and uniform corporate-wide network in which the public cloud is merely an extension of their enterprise network. Without a consolidated, consistent network infrastructure integrated with the public cloud, organizations will not receive all of the benefits, including agility, visibility, and security.

To deliver a consistent network infrastructure in AWS or other public cloud platforms, a number of challenges need to be addressed.

Network and IP Address Management

For most hybrid cloud deployments, network and cloud administrators use separate tools to manage on-premises and public cloud networks because they have no centralized network and IP address management. Therefore, they face challenges in planning and deploying uniform networks and IP addresses, which in turn increases configuration and troubleshooting time. In addition, a lack of discovery and tracking for cloud-based resources reduces network visibility into the infrastructure. Trying to discover, track, and document the network and IP address assignments of AWS instances is virtually impossible with manual processes. Add the complexity of decommissioning instances, and most IT organizations have out-of-date and incorrect tracking of cloud-based resources.

Visibility

Enterprises need a high level of visibility into network, DNS, and IP address configurations for both their on-premises and AWS infrastructure. Too often, IT teams must try to cobble together disparate, non-integrated tools to monitor their network resources for planning purposes. For compliance and security requirements, enterprises must also be able to audit and report on the use of network resources, both current resources and historical tracking for decommissioned instances. For example, an auditor might ask which instances or applications were using an IP address in the past, or when a security event occurred on that particular IP address. Without complete visibility, historical views, and automation, most organizations will not have sufficient documentation to answer this request.

Enterprise-grade Network Services for AWS

Infoblox has been the leader in enterprise-grade network services, including DNS and IP address management. Now, with Infoblox DDI for AWS, organizations can leverage the integrated platform for public or hybrid cloud deployments. Infoblox DDI for AWS helps solve the network challenges described in the following sections.

Enterprise-grade DNS

Infoblox extends enterprise DNS into the AWS cloud so organizations have a robust, consolidated platform across traditional networks and public/hybrid clouds. As part of the Infoblox platform, enterprises can deploy Infoblox appliances into the AWS cloud by launching the Amazon Machine Images (AMIs) into their AWS virtual private clouds (VPCs). These virtualized appliances can join an existing Infoblox Grid residing on a business's premises, thus extending DNS functionality from across the enterprise into the AWS cloud.

Figure 1: Extending the Infoblox Grid for AWS (figure labels: Data Center, Primary DNS, Grid Master (GM), Enterprise Premises, AWS Public Cloud, Secondary DNS, Grid Master Candidate, Secondary DNS)

Automated Provisioning of Network, IP Addresses, and DNS

Infoblox has introduced API proxy functionality for AWS that allows enterprises to control network and IP address allocations for VPCs. Enterprises can ensure that these resources are predictably allocated, allowing for consistent and effective planning, tracking, and management of networks, IP addresses, and DNS records throughout the enterprise.

Figure 2: Automated provisioning of network, IP addresses, and DNS records (AWS API client, e.g., Ansible, Puppet, or Chef scripts; Infoblox API proxy; AWS API endpoint / VPC)

  VPC ID    Network        IP
  VPC-DEV   10.10.0.0/16   10.10.10.101

  VPC ID    Network        IP             DNS Record
  VPC-DEV   10.10.0.0/16   10.10.10.101   dev1.internal.com

Typical workflow:
1. API: Create EC2 instance in VPC-Dev for network 10.10.0.0/16
2. GM reserves the next available IP in network 10.10.0.0/16 for VPC-Dev and inserts it into the API request
3. API: Create EC2 instance in VPC-Dev
4. EC2 instance spun up with 10.10.10.101 in VPC-Dev
5. API response: Success
6. GM updates host records for the EC2 instance
7. API response: Success

When a new VPC, subnet, or EC2 instance is created using AWS APIs, as shown in Figure 2, these API calls are directed to the API proxy software running on Infoblox appliances. The VPCs and subnets are stored in the Infoblox database. So the next time a user makes an API call to spin up a new EC2 instance, the API proxy software injects the next available IP address and signs the API call with the appropriate AWS credentials before forwarding it to the AWS endpoint. If the API call succeeds in spinning up the new EC2 instance, a DNS record is automatically created so end users can access the EC2 instance with the FQDN (fully qualified domain name) that was just created. Since the Infoblox DNS server is configured as an authoritative DNS server in AWS, the DNS records are created based on the internal zones configured in the Infoblox DNS server.

This also lets the enterprise enforce DNS naming according to corporate naming policy, since Infoblox serves the DNS record. The naming convention can easily be automated by supplying a prefix based on some fields and incrementally adding a number as the suffix for every new instance created. As VPCs, subnets, and EC2 instances are deleted or spun down, Infoblox automatically deletes the respective DNS records, IP addresses, and networks associated with those objects. Therefore, by using the Infoblox Grid, it is possible to always get the latest information on AWS networks, IP addresses, instances, etc. Additional value-added information, such as IP lease histories and usage of specific IP addresses in VPCs and subnets, can also be acquired from the Grid.
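The proxy workflow above, and the auditor's "who held this IP when?" question from the Visibility section, as an added, constructed simulation rather than Infoblox's own NIOS code: a toy Grid Master reserves the next free address in a VPC's network, forwards a placeholder-signed create request, writes a host record under the prefix-plus-counter naming policy only when the call succeeds, and on termination frees the address and record while keeping the lease in history. The class and method names, the logical clock, and the stand-in AWS endpoint are assumptions of this example.

```python
"""Constructed simulation (not Infoblox's NIOS code) of the Figure 2 API-proxy
workflow: reserve the next free IP for a VPC, forward the signed create call,
write a host record under the naming policy on success, and release it all on
termination while keeping a lease history for audit questions."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Lease:
    ip: str
    instance_id: str
    fqdn: str
    start: int                 # logical clock ticks stand in for timestamps
    end: Optional[int] = None  # None while the instance is still running


class GridMaster:
    """Toy stand-in for the Grid Master's IPAM and authoritative DNS data."""

    def __init__(self, zone: str, name_prefix: str) -> None:
        self.zone = zone                     # internal zone served by the Grid
        self.prefix = name_prefix            # naming policy: prefix + counter
        self.networks: Dict[str, ipaddress.IPv4Network] = {}  # VPC ID -> CIDR
        self.dns: Dict[str, str] = {}        # FQDN -> IP (host records)
        self.active: Dict[str, Lease] = {}   # instance ID -> current lease
        self.history: List[Lease] = []       # every lease ever issued
        self.counter = 0                     # suffix for the naming policy
        self.clock = 0

    def register_vpc(self, vpc_id: str, cidr: str) -> None:
        """Step 1: a VPC created through the proxy is stored in the IPAM database."""
        self.networks[vpc_id] = ipaddress.ip_network(cidr)

    def next_free_ip(self, vpc_id: str) -> str:
        """Step 2: lowest host address in the VPC network not held by a running instance."""
        in_use = {lease.ip for lease in self.active.values()}
        for host in self.networks[vpc_id].hosts():
            if str(host) not in in_use:
                return str(host)
        raise RuntimeError(f"network for {vpc_id} is exhausted")

    def create_instance(self, vpc_id: str, instance_id: str,
                        aws_call: Callable[[dict], bool] = lambda req: True) -> Optional[Lease]:
        """Steps 2-7: inject the IP, forward the signed request, record DNS only on success.
        aws_call stands in for the AWS endpoint; the default always succeeds."""
        ip = self.next_free_ip(vpc_id)
        request = {"Action": "RunInstances", "VpcId": vpc_id, "PrivateIpAddress": ip,
                   "Authorization": "<constructed SigV4 placeholder>"}
        if not aws_call(request):
            return None                      # nothing recorded, the IP stays free
        self.counter += 1
        self.clock += 1
        lease = Lease(ip, instance_id, f"{self.prefix}{self.counter}.{self.zone}", self.clock)
        self.active[instance_id] = lease
        self.history.append(lease)
        self.dns[lease.fqdn] = ip            # host record in the internal zone
        return lease

    def terminate_instance(self, instance_id: str) -> None:
        """Spin-down: drop the host record and free the IP, but keep the lease in history."""
        lease = self.active.pop(instance_id)
        self.clock += 1
        lease.end = self.clock
        del self.dns[lease.fqdn]

    def who_had_ip(self, ip: str, at: int) -> Optional[str]:
        """The auditor's question: which instance held this IP at logical time `at`?"""
        for lease in self.history:
            if lease.ip == ip and lease.start <= at and (lease.end is None or at < lease.end):
                return lease.instance_id
        return None
```

Note that the address is reused after termination while the name counter keeps climbing, which is exactly why the lease history, not the current DNS table, answers the auditor.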

Greater Network Visibility for the Enterprise

Through the use of Infoblox vDiscovery, instances, networks, and VPCs are now visible in the Infoblox GUI just like physical and other virtual resources. Network teams have single-pane-of-glass visibility into DNS configurations and IP address utilization in AWS, allowing them to verify security and compliance for their networks. A discovery solution for the AWS network (regions/VPCs/EC2) must run periodically to update any external DNS/IPAM solution so that its internal database stays consistent with the AWS configuration at all times. This solution is implemented in Infoblox by using AWS APIs with the supplied user credentials to learn about VPCs, subnets, instances, IP addresses, and associated metadata.

Figure 3: Infoblox GUI for cloud network resources

Users also get additional (computed) information such as IP address lease histories, so they have historic correlations between IP addresses and AWS instances. They can also verify network access compliance rules for workloads, such as which network(s) a specific kind of workload lives on. The hybrid Grid deployment model gives users a single unified view of their private cloud and AWS in one pane of glass. Infoblox has a reporting capability that can be used for analytics on AWS discovered data.

Secure DNS

Traditional general-purpose DNS server approaches often carry major security risks, including extensive patching and multiple open ports. A networking best practice is to deploy hardened DNS servers that address the vulnerabilities of the standard operating system DNS servers run on, in addition to the vulnerabilities of the DNS protocol itself. The Infoblox appliance is a hardened Linux system that exposes services via standard ports such as HTTPS (443) and DNS (53), depending on the services enabled by the end user. Remote command-line interface (CLI) access is optionally provided via SSH (22) to a captive CLI. This CLI does not give the end user access to a standard Linux shell. During operation, the root file system of the appliance is mounted read-only to guard against the introduction of arbitrary code into the system. In addition, Infoblox has also implemented a security solution that guards against malware, botnets, and other malicious software, which can be added to the Infoblox DDI for AWS solution.

Deployment Models

There are essentially two models for deploying Infoblox DDI for AWS: hybrid or full public deployment. Within these two models are a number of considerations that factor into how users design their implementations. The figures below explain these two most common deployment models.

Figure 4: Hybrid deployment of the Infoblox Grid (figure labels: AWS, AWS Region, VPC 1, VPC 2, Shared Service Management VPC, Grid Master, On-premises Data Center, Grid Master)

Hybrid deployment means that there is a NIOS Grid on the corporate premises, and that deployment is extended into the AWS cloud. On the corporate premises, a NIOS appliance (either physical or virtual) functions as the Grid Master. In addition to this, there might be other NIOS appliances on the corporate premises linked as Grid members and providing different services such as DNS, IPAM, and reporting. Deploying an instance of vNIOS into AWS extends these functions locally into a given VPC. This Grid member, when deployed, automatically joins the existing Grid. A VPN connection to the AWS VPC is required to provide the needed connectivity between this member and the Grid Master on the premises. Existing instances, VPCs, and subnets are discovered by either the Grid Master or the vNIOS instances by setting up the appliance to request discovery from an AWS endpoint.

Figure 5: Public cloud deployment (figure labels: AWS, Region 1, Region 2, VPC 1, VPC 2, Primary DNS, GM, Secondary DNS)

The second deployment model is a full public cloud deployment. As implied, the NIOS Grid in its entirety is deployed in the AWS cloud. In this model the best practice is to use a shared-service VPC, with other VPCs peered to the shared-service VPC. In this design the shared-service VPC, where the Grid Master is located, has VPN connections that allow it to be managed securely from the corporate environment. Additional appliances are deployed per region to provide service with the best performance in mind. VPCs, subnets, and instances are discovered using vDiscovery, and their data is populated into the Grid Master GUI.

Infoblox DDI Value over Traditional Solutions

Enterprises use two solutions to try to solve the challenges for DNS and IPAM in the AWS cloud: AWS Route 53 and Microsoft DNS/DHCP. These solutions solve some of the challenges, but neither can solve them completely.

Route 53

Route 53 provides scalable and highly available DNS in the AWS Cloud. In addition to being able to route users to various AWS services, including EC2 instances, Route 53 also enables AWS customers to route users to non-AWS infrastructure. Route 53 servers are distributed throughout the world. While this solution is comprehensive, it cannot completely address the challenges faced by the enterprise for IPAM and DNS, namely:

- DNS service only, not used for IPAM
- Good for externally facing DNS, but difficult to integrate with an enterprise's current internal DNS solution
- Still challenging to provide network teams with simple visibility into DNS and IPAM to ensure compliance on an ongoing basis, as needed for securing the networks
- AWS focus, with no correlated views of hybrid networks

Microsoft DNS and DHCP

Microsoft DNS and DHCP services are widely used by enterprises for traditional networks and can be deployed as a virtual instance in AWS. Management of these services becomes more challenging as the number of devices added to the network grows at an accelerated rate. The tools available are cumbersome to use, forcing manual processes to take place and potentially introducing human error. Enterprises choosing to use Microsoft will find it very difficult to meet the challenges faced by deploying workloads into the public cloud. Microsoft DNS and DHCP services:

- Provide basic functions but lack easy integration across a diverse enterprise that has both Microsoft DNS and BIND
- Rely heavily on the use of DHCP, which is not available in AWS
- Can introduce latency and out-of-sync issues in synchronizing databases across the enterprise and AWS
- Cannot provide single-pane-of-glass visibility across the enterprise and into the AWS cloud

Conclusion

The automation of DNS, DHCP, and IPAM for AWS is essential for a complete enterprise public/hybrid cloud solution. Fully integrated with our industry-leading Grid technology, the Infoblox solution for AWS increases cloud agility, supports consistent network policies across hybrid deployments, and improves visibility of public cloud workloads. Infoblox DDI for AWS offers virtual appliances as AMI images, which can be deployed inside VPCs as Grid member appliances. These members are auto-provisioned and managed centrally from a Grid Master that can be deployed either on an enterprise's premises or in AWS. Thus, this solution offers a simple, unified hybrid cloud experience to the enterprise. By extending Infoblox DDI into the AWS cloud, enterprises can solve the challenges of providing enterprise DNS across corporate and cloud infrastructure, giving network teams consistent and meaningful visibility into public cloud environments, and ensuring compliance with corporate network and IP address allocation and DNS policies.

About Infoblox

Infoblox (NYSE:BLOX) delivers critical network services that protect Domain Name System (DNS) infrastructure, automate cloud deployments, and increase the reliability of enterprise and service provider networks around the world. As the industry leader in DNS, DHCP, and IP address management, the category known as DDI, Infoblox (www.infoblox.com) reduces the risk and complexity of networking.

CORPORATE HEADQUARTERS: +1.408.986.4000, +1.866.463.6256 (toll-free, U.S. and Canada), info@infoblox.com, www.infoblox.com
EMEA HEADQUARTERS: +32.3.259.04.30, info-emea@infoblox.com
APAC HEADQUARTERS: +852.3793.3428, sales-apac@infoblox.com

2015 Infoblox, Inc. All rights reserved. Infoblox-WP-0079-00, Ensuring Enterprise-grade Network Services for AWS, Sept 2015