Overlay Networks: Connecting and Protecting Across Regions with Docker Patrick Kerpan, CEO
Agenda
Background: Cohesive and the cloud
Cloud Networking: Limitations
Overlay networks: To the rescue
Enter Docker: Opportunity in NFV
Future thinking: Overlay/NFV everywhere
Background: Cohesive and the cloud
About Me: Patrick Kerpan, CEO, Cohesive Networks, @pjktech
Company: Cohesive Networks. 2,000+ customers use VNS3 to protect cloud-based applications in any cloud environment. User-controlled security and connectivity at the top of the public and private cloud. Cloud is growing businesses and creating demand for more connectivity. Your cloud applications, connected and secure.
Company: 2,000+ customers in 20+ countries, 1 billion hours, 200+ self-service customers, 15+ SI resellers, 30+ ISV OEMs, including industry leaders: a global mutual fund company, a global ERP provider, a global BPMS provider, a global cloud-based threat detection vendor, a global fashion brand, a global big data analytics provider.
Cloud Networking: Limitations
Limitations: What can you control?
Layers 7 (App 1), 6, 5 and 4: the cloud customer. Application policies you MUST control.
Layer 3: the limit of user access, control and visibility. Below it sits the cloud service provider's Layer 3 network, with minimal tenant features.
Layers 2 and 1: the hypervisor, which you don't control.
Layer 0: hardware you can't get to.
Limitations: Most companies are NOT Google. "Google Inc., taking a new approach to enterprise security, is moving its corporate applications to the Internet. In doing so, the Internet giant is flipping common corporate security practice on its head, shifting away from the idea of a trusted internal corporate network secured by perimeter devices such as firewalls, in favor of a model where corporate data can be accessed from anywhere with the right device and user credentials. The new model called the BeyondCorp initiative assumes that the internal network is as dangerous as the Internet." (Wall Street Journal, "Google Moves Its Corporate Applications to the Internet", May 11, 2015)
Overlay networks: To the rescue
Cloud overlay networking
VNS3 overlay network, subnet 172.31.0.0/22, spanning US East 1, Europe and US East; the three VNS3 managers are peered with each other.
VNS3 1: public IP 184.73.174.250, overlay IP 172.31.1.250
VNS3 2: public IP 54.246.224.156, overlay IP 172.31.1.246
VNS3 3: public IP 192.158.29.143, overlay IP 172.31.1.242
Cloud Servers A to F: overlay IPs 172.31.1.1, 172.31.1.5, 172.31.1.9, 172.31.1.13, 172.31.1.17, 172.31.1.21
Customer sites (a customer data center and a customer remote office), each behind a Cisco ASA firewall/IPsec endpoint (a 5585 and a 5505):
Chicago, IL USA, remote subnet 192.168.3.0/24 (data center server and user workstation at 192.168.3.50 and 192.168.3.100): active IPsec tunnel 192.168.3.0/24 - 172.31.1.0/24
London, UK, remote subnet 192.168.4.0/24 (data center server and user workstation at 192.168.4.50 and 192.168.4.100): active IPsec tunnel 192.168.4.0/24 - 172.31.1.0/24
A failover IPsec tunnel terminates on a second VNS3 manager.
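The diagram carries a detail that is easy to miss: the overlay subnet is a /22, but both IPsec tunnels carry only 172.31.1.0/24 on the overlay side. That works here because every overlay address drawn is inside 172.31.1.0/24, but an overlay host allocated anywhere else in the /22 would be silently unreachable from the data centers until the tunnel selectors were widened. The following check is an added example, not part of the deck or of VNS3; it uses only the addresses on the slide and the Python standard library.

```python
import ipaddress

OVERLAY = ipaddress.ip_network("172.31.0.0/22")  # VNS3 overlay subnet from the slide

# Overlay hosts as drawn on the slide (name -> overlay IP).
HOSTS = {
    "Cloud Server A": "172.31.1.1",
    "Cloud Server B": "172.31.1.5",
    "Cloud Server C": "172.31.1.9",
    "Cloud Server D": "172.31.1.13",
    "Cloud Server E": "172.31.1.17",
    "Cloud Server F": "172.31.1.21",
    "VNS3 1": "172.31.1.250",
    "VNS3 2": "172.31.1.246",
    "VNS3 3": "172.31.1.242",
}

# Active IPsec tunnels: (site, remote LAN, overlay-side traffic selector).
TUNNELS = [
    ("Chicago", "192.168.3.0/24", "172.31.1.0/24"),
    ("London", "192.168.4.0/24", "172.31.1.0/24"),
]


def colliding_sites(tunnels, overlay=OVERLAY):
    """Sites whose remote LAN overlaps the overlay: traffic between the two
    could not be routed across the tunnel without NAT."""
    return [site for site, remote, _ in tunnels
            if ipaddress.ip_network(remote).overlaps(overlay)]


def unreachable_hosts(hosts, selector):
    """Overlay hosts outside a tunnel's overlay-side selector; the peer
    firewall will never encrypt traffic for them."""
    sel = ipaddress.ip_network(selector)
    return sorted(name for name, ip in hosts.items()
                  if ipaddress.ip_address(ip) not in sel)


def uncovered_overlay(selector, overlay=OVERLAY):
    """Parts of the overlay that a narrower selector leaves out, as CIDR strings."""
    sel = ipaddress.ip_network(selector)
    if not sel.subnet_of(overlay):
        raise ValueError(f"{sel} is not inside the overlay {overlay}")
    return [str(n) for n in sorted(overlay.address_exclude(sel))]


def audit(hosts=HOSTS, tunnels=TUNNELS, overlay=OVERLAY):
    """One finding per problem; an empty list means every drawn host is
    reachable from every site and no remote LAN collides with the overlay."""
    findings = [f"{site}: remote LAN overlaps overlay {overlay}"
                for site in colliding_sites(tunnels, overlay)]
    for site, _, selector in tunnels:
        missing = unreachable_hosts(hosts, selector)
        if missing:
            findings.append(f"{site}: selector {selector} excludes {', '.join(missing)}")
    return findings


if __name__ == "__main__":
    print(audit() or "all drawn hosts reachable from both sites")
    print("overlay ranges no tunnel carries:", uncovered_overlay("172.31.1.0/24"))
```

Run it whenever a tunnel or an overlay allocation changes. The same overlap test catches a remote LAN that collides with the overlay, a common cause of one-way traffic across an IPsec tunnel, and a collision with the underlying VPC CIDR should be checked the same way.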
Overlays extend networks: ERP and CRM. An ERP and CRM company provides a secure SaaS solution for new and existing customers on AWS (us-west-2 and us-east-1). Each customer (Customers 1 to 3 in Seattle, WA, New York, NY and San Francisco, CA, and Customer N connecting its own data center server over firewall/IPsec) gets its own customer overlay, joined to the ISV's North America partner/customer network. This improved on the AWS Virtual Private Gateway and on a physical data center with legacy hardware. INFOR DC, St. Paul, MN: $3B annual revenue, 25 million cloud users.
Overlays extend networks: Telecom. A telecom retail and services company productized its mobile, fixed-line and broadband provisioning software as a SaaS offering in AWS. Topology per customer: MVNO carrier, MVNO infrastructure overlay, logical networks 1 to N per MVNO brand, with a Europe cloud WAN / hybrid cloud connection to each customer. All public and private VLAN traffic for each customer deployment is secured, allowing adherence to data protection standards. $4.5B mobile and mobile-related revenues.
Enter Docker: Opportunity in NFV
Enter Docker: Connected and secured with an L4-L7 plug-in system. Isolated Docker containers within VNS3 allow partners and customers to embed features and functions safely into their cloud network. Cohesive controls the integrity of the core appliance and overlay network, while customers and partners are free to innovate. That separation only holds as far as the plug-in containers are confined: a container run with host networking or the NET_ADMIN capability can change the appliance's own routing, so a plug-in should get just the ports and capabilities its function needs.
Plug-in containers: proxy, reverse proxy, content caching, load balancer, IDS, custom container.
VNS3 core components: router, switch, protocol redistributor, firewall, VPN concentrator, scriptable SDN.
Enter Docker: Resource utilization then and now. 2013: an AWS m1.small / c1.medium or equivalent host running only the L3 overlay (VNS3 with a tunnel adapter and a cloud VM adapter). 2015: an AWS m3.medium or larger host running the L3 overlay plus customer-controlled L4-7 functions in Docker containers on the same VNS3 host.
Enter Docker: Connecting Docker containers via the overlay. Host 1 (AWS East) and Host 2 (AWS EU) each run VNS3 with Docker containers, a tunnel adapter and a cloud VM adapter. Secure network traffic is sent from the container at 198.51.100.3 in AWS East to the container at 198.51.100.18 in AWS EU via the VNS3 encrypted routers.
Adding NFV to Overlay: Totally Cool!
Enter Docker: Application segmentation via NFV. Topology per customer (MVNO carrier, MVNO infrastructure overlay, logical networks 1 to N per MVNO brand, customer sites) with a container-based WAF at the application edge.
Enter Docker: Application segmentation via NFV. The same topology with container-based NIDS in the application interior and at the edge.
Future thinking: Cloud networks for all
Future Thinking: Overlays and NFV everywhere. IoT will not be the Internet of Things; it will be the Internets of Things. Organizations may run an entire IPv4 Internet overlay which trunks out onto the real Internet, and the things will be very wary of the trunk. It's called the cloud because it is so far away. Today's construction allows yielding to the temptation that the hypervisor network will be able to do it all. Not a chance! Your overlay is my underlay! Intertwining overlays will be projected ever farther out to the edge as all IoT devices live in a fully virtualized world of (choose your metaphor) Cat in the Hat computing, or Turtles All the Way Down.
Conclusions. With the advent of server virtualization, the OS became part of the application stack and the hypervisor became the new infrastructure decision. The container mania sweeping the industry is another manifestation of customers wanting over-the-top infrastructure they control more completely than their public or private cloud vendor does. With network virtualization, a network (not the network) becomes part of the application stack: a network dedicated to the needs of the application. Network overlays, and NFV within them, are part of the over-the-top movement, giving customers enhanced control and security.
Appendix: How does it work?
Enter Docker: More than just a Layer 3 overlay. Host 1 (Cloud 1) and Host 2 (Cloud 2) each run VNS3 with Docker containers 1, 2 and more alongside a tunnel adapter and a cloud VM adapter.
Enter Docker: Launch and configure container networks. Set up the container network on instance #1 as 198.51.100.0/28 and the container network on instance #2 as 198.51.100.16/28.
Enter Docker: Advertise container routes to the controller network. VNS3 Manager #1 exposes a route to container network #1 (198.51.100.0/28) and VNS3 Manager #2 exposes a route to container network #2 (198.51.100.16/28).
Enter Docker: Configure ports and forwarding.
Enter Docker: Deploy Dockerfiles/LXC images, allocate containers.
Enter Docker: Containers are free to communicate.
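The five appendix steps, modelled end to end as an added example (not VNS3 code and not its API): each instance owns one container subnet, the VNS3 manager on that instance advertises it into the overlay, and the forwarding lookup picks the manager pair that carries a packet between the two container addresses from the earlier slide. The instance and manager names, the tunnel device name tun0 and the bridge names are assumptions; the docker, iptables and ip commands are standard Linux syntax for the host side of steps 1 and 3, while the route advertisement of step 2 happens on the VNS3 manager and is only modelled here.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ContainerNet:
    host: str                      # cloud instance running VNS3 plus Docker (assumed name)
    manager: str                   # VNS3 manager advertising the subnet into the overlay
    subnet: ipaddress.IPv4Network  # that instance's container network


def net(host, manager, cidr):
    return ContainerNet(host, manager, ipaddress.ip_network(cidr))


# The two container networks from the appendix; host and manager names are assumed.
NETS = [
    net("instance-1", "vns3-manager-1", "198.51.100.0/28"),
    net("instance-2", "vns3-manager-2", "198.51.100.16/28"),
]


def validate(nets):
    """Refuse overlapping container subnets: two managers advertising
    overlapping routes leaves the forwarding decision ambiguous."""
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.subnet.overlaps(b.subnet):
                raise ValueError(f"{a.host} {a.subnet} overlaps {b.host} {b.subnet}")
    return True


def resolve(nets, dst):
    """Longest-prefix match over the advertised routes; None if nothing advertises dst."""
    addr = ipaddress.ip_address(dst)
    return max((n for n in nets if addr in n.subnet),
               key=lambda n: n.subnet.prefixlen, default=None)


def path(nets, src, dst):
    """Hops a packet takes between two container addresses."""
    s, d = resolve(nets, src), resolve(nets, dst)
    if s is None or d is None:
        raise ValueError(f"no advertised route for {src if s is None else dst}")
    if s.host == d.host:
        return [s.host]                                # stays on the local Docker bridge
    return [s.host, s.manager, d.manager, d.host]      # across the encrypted overlay


def host_commands(nets, this, tun="tun0"):
    """Host-side setup for one instance (steps 1 and 3). Standard docker,
    sysctl, iptables and ip syntax; the tunnel device name is an assumption."""
    local = next(n for n in nets if n.host == this)
    bridge = f"br-{this}"
    cmds = [
        "sysctl -w net.ipv4.ip_forward=1",
        f"docker network create --subnet={local.subnet} "
        f"-o com.docker.network.bridge.name={bridge} {this}-net",
        # forward only the advertised container subnet, in each direction
        f"iptables -A FORWARD -i {tun} -o {bridge} -d {local.subnet} -j ACCEPT",
        f"iptables -A FORWARD -i {bridge} -o {tun} -s {local.subnet} -j ACCEPT",
    ]
    for other in nets:
        if other.host != this:
            cmds.append(f"ip route add {other.subnet} dev {tun}")
    return cmds


if __name__ == "__main__":
    validate(NETS)
    print(" -> ".join(path(NETS, "198.51.100.3", "198.51.100.18")))
    print("\n".join(host_commands(NETS, "instance-1")))
```

Docker sets the FORWARD chain policy to DROP on hosts it manages, so the two explicit ACCEPT rules are what makes step 3 work at all; scoping them with -s and -d also means a container cannot push traffic with a foreign source address into the tunnel or receive traffic for addresses the overlay never advertised, which is the property the isolation claim on the plug-in slide depends on.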