Product Overview and Functional Specification
Virtual Private Clouds
Value Added Reseller (VAR) / Managed Service Provider (MSP)
Cloud Introduction and Glossary of Cloud Terms

Cloud computing
Cloud computing provides the IT infrastructure and environment to develop, host and run services and applications on demand, with optional pay-as-you-go pricing, as a resilient service. It also provides resources to store data. The services can in turn be scaled up and down to meet a customer's variable operational needs, ensuring maximum cost efficiency. There are three primary cloud service delivery models:

IaaS (Infrastructure-as-a-Service)
Infrastructure as a service delivers computing infrastructure such as CPU, RAM and storage as virtual and physical servers, along with networking capabilities, to provide a hosted data centre on demand upon which businesses can run their applications. This is computing as a service, rather than businesses having to purchase and manage their own expensive infrastructure. As with most cloud services it can be scaled up and down, and customers usually only pay for what they consume. Rise offer network solutions and a mix of physical and virtual servers.

SaaS (Software-as-a-Service)
Software as a service refers to software or applications that are accessed over the internet, typically from a public cloud, multi-tenancy (shared) environment. Unlike desktop applications, SaaS apps require no local installation as they are accessed via the internet. Microsoft Office 365 is a popular example; Rise offer business email and online backup.

PaaS (Platform-as-a-Service)
PaaS refers to the environment within which developers can build and launch new applications. Well known cloud platforms include Microsoft Azure and Force.com (Amazon EC2, often listed alongside them, is strictly an IaaS offering).

Typically organisations will use more than one cloud deployment type depending on their needs. The most common deployment types are:

Private cloud
Private clouds are intended to be restricted to a single customer or trusted community.
These are popular among organisations looking to access the benefits of cloud computing while retaining greater control and flexibility of configuration than a public cloud allows. Private clouds can be run inside a company data centre or hosted by a third party (e.g. Rise). This is an ideal solution where data sovereignty is a key issue. Rise offer a virtual private cloud.

Hybrid cloud
A hybrid cloud, as the name implies, is a cloud capability that joins either on-premise infrastructure to private or public clouds, or clouds to each other, to provide a customer with a bespoke environment to meet their specific operational needs. Rise offer the capability to connect the customer's on-premise network to the hosted virtual private cloud with our Network Solutions.

Public cloud
Public clouds are intended to be used by multiple parties at once and are designed to provide maximum value for money through a standardised and high-scale approach (e.g. Amazon, Microsoft). Many public clouds operate internationally for scale or geographic resilience, but this raises concerns for some businesses over where their data is being stored at any given time.
Datacentre on Demand (DCoD)

Introduction
This document gives an overview of the Rise Datacentre on Demand (DCoD) product portfolio, along with the standard functional specification of each product and service. DCoD is a highly flexible, scalable and on-demand Infrastructure-as-a-Service (IaaS) and Software-as-a-Service (SaaS) product portfolio which consists of:

Infrastructure-as-a-Service (IaaS)
- Network Solutions
- Virtual Private Cloud
  o Disaster Recovery Application Solution
  o Custom Application Solution

Software-as-a-Service (SaaS)
- Online Backup
- Email (Exchange 2010 hosted mailboxes)

Additional Solutions & Services
- Bulk Data Transfer Service
- Snapshot Backup Service
- Advanced Server Monitoring
- Online Storage
- Web Hosting & Domains

DCoD enables partners to quickly, easily and cost effectively build, deliver and manage cloud solutions for their customers, such as:
- Email solutions
- Web Hosting solutions
- File storage and collaboration solutions
- Unified Communication solutions
- Customer relationship management solutions
- Financial and payroll solutions
- Remote Office and Desktop solutions
- Business Continuity solutions

Services & Management
All Rise solutions are unmanaged unless purchased with one of our offered managed services. Rise engineers continually monitor and support the infrastructure 24/7/365 but will not provide support that relates to the configuration or setup of the solution. Such assistance, if needed, will be chargeable and delivery scheduled by Rise Professional Services.
DCoD Infrastructure as a Service

Network Solution: Overview
Once a business has decided that it wishes to take advantage of the cloud and has identified the new or existing IT solutions that it wishes to implement, the first step in technical delivery is to either extend the existing on-premise network into the cloud or build a new standalone network. This is when you can utilise a Rise Network Solution.

A Rise Network Solution is a flexible set of network components which allow secure connection and access control to IT running in the Rise datacentre. We have built our Network Solutions utilising the latest Cisco hardware, providing you with enterprise level network infrastructure in an affordable and flexible manner, and giving you confidence that any IT you run in the cloud with Rise is on a network reserved for you, with you retaining full control over who can reach it.

Network Solutions are made up of the following components and optional services:

Virtual LAN (VLAN)
This is a private hosted network within the Rise datacentre reserved purely for your customers' servers, with access controlled solely by you. Multiple VLANs allow servers to be separated into security zones. A Remote Access VPN allows direct connection to the VLAN for secure remote management access.

Virtual Private Network (VPN)
This is an encrypted site-to-site VPN tunnel over the internet, allowing your customers' network(s) access into the VLAN. The site-to-site VPN gives on-premise networks seamless access, extending your customers' IT into the cloud. If there are multiple on-premise locations, a separate VPN can be set up for each one. For remote workers, a Remote Access VPN allows access from individual machines anywhere in the world.

Virtual Dedicated Firewall
The firewall allows access to hosted servers from the internet, and vice versa, whilst keeping them secure and permitting granular control over who is allowed to connect to what.
The firewall allows up to eight public IP addresses on which to present services by default, with larger dedicated blocks available on application*, to support your entire internet infrastructure in the cloud. If the network solution contains more than one VLAN, the firewall also controls access between them.

Managed Firewall Service
An optional service added to our Virtual Dedicated Firewalls, which includes full setup, configuration and management so you do not have to administer the firewall yourself. If you do not have the skill set or time in house, or simply want the firewall run by specialists, this gives you the option to pass it over to our team of Network Engineers.
Network Solution: Functional Specification
The Rise Network Solution includes the following functionality as standard; additional functionality can be delivered via professional services and bespoke configuration. Please contact your Rise Account Manager to discuss your requirements.

Network Solutions
Each Network Solution can only be assigned to one customer within the Rise control panel. Subsequent server solutions assigned to specific customers can only be deployed in Network Solutions assigned to the same customer. Each Network Solution contains one Inside VLAN by default, which cannot be removed. You can also add up to three additional DMZ VLANs in which you can place servers with differing security levels. Currently remote access users are only placed in the Inside VLAN. Traffic between these VLANs is controlled by the virtual dedicated firewall.

Virtual LAN (VLAN)
Each VLAN contains 512 internal IP addresses (a /23). In the Inside VLAN approximately 240 IPs are available for use by servers and 254 IPs are reserved for remote access users. In any DMZ VLAN approximately 494 IPs are available for use by servers.

Please note that there is no firewalling between the Inside VLAN and these remote access users, and no firewalling between the Inside VLAN and your on-premise network (other than any ingress firewalling you may be doing on-premise). Remote access users and on-premise hosts therefore have unfiltered reachability to every server in the Inside VLAN, so they should be treated as being inside the Inside VLAN's trust boundary.

Each server is assigned one IP address within the VLAN in which it is deployed, though more can be allocated from your control panel. IP addresses are allocated from RFC 1918 address space. In the event that the range you have been allocated overlaps with addresses you already use on-premise, please contact Rise Support. By default, access to any DMZ VLAN must come from an IP address within the Inside VLAN (a remote access client or a VPS). With appropriate firewall rules in place you can alter this behaviour to suit your needs.
Virtual Private Network (VPN)
Up to 254 site-to-site VPN connections and remote access VPN connections can be provisioned per Network Solution. Each remote access VPN connection is dynamically assigned an IP address from within the Inside VLAN. Remote access VPNs can only terminate within the Inside VLAN. Similarly, site-to-site VPNs are also only terminated in the Inside VLAN. This design decision was made on security grounds: generally speaking, DMZ VLANs will be held at a lower security level than the Inside VLAN.
By doing this we ensure that access back to an on-premise network over the VPN has greater protection from the public Internet, in that internet traffic must first pass through your virtual firewall.

Only one IP block can be assigned as the on-premise network per site-to-site VPN connection. Access to multiple on-premise networks is possible via a single site-to-site VPN, but only if they can all be aggregated within the same IP block. For example, if you have two networks of 10.10.0.0/24 and 10.10.1.0/24, you would request the on-premise network be 10.10.0.0/23, a single supernet that encompasses both. Please note that this requires your own routing for the aggregated block to be in place on your network.

Multiple site-to-site VPNs may be requested per solution. If you use this option, the public endpoint addresses used must be unique for every site-to-site VPN provisioned. Using this ability you can route multiple non-contiguous blocks of IP addresses to your network, though it is more commonly used to link disparate networks, in different areas or buildings, to the same solution. If two or more on-premise networks are connected via separate site-to-site VPNs to the same network solution, their address space must not overlap. For example, you cannot create two separate site-to-site VPNs to networks that both use 10.10.0.0/24.

Virtual Dedicated Firewall
The first time your virtual firewall is accessed, in order to protect it from unauthorised access, the connection must come from a Remote Access VPN. Once connected you may choose to relax the administrative access controls to allow connection from one of your servers, from your own network via a site-to-site VPN, or even from the internet, though we do not recommend the latter.
Please note that to achieve reachability from your firewall to your on-premise network you would need to add a route on your firewall directing this traffic via our VPN routers (rather than taking the default internet-facing route). On the firewall this would be similar to:

    route INSIDE $on-premise-network $on-premise-mask $inside-network.3

where $inside-network.3 is the VPN router's address in the Inside VLAN (the .3 host of the Inside VLAN range, 10.95.0.3 in the diagram that follows).

We currently allow a maximum of eight public IP addresses per firewall in a network solution. If you need more than eight, you can choose to have your firewall migrated to its own dedicated public block. Unfortunately, this requires anything using your existing addresses to be renumbered. A charge is made for the migration work and for the registration of the dedicated block to your company. Please note that if you choose to terminate your Rise network solution you will not be able to retain the dedicated block.

Each public IP address can be translated by the firewall, as a one-to-one (static NAT) mapping, to an individual IP address on any of your VLANs. Alternatively you may translate individual TCP or UDP ports on each public IP to any port on any IP address in any of your VLANs (port forwarding); each public IP and port pair can be used only once.
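The address-planning rules above (one block per site-to-site VPN, no overlap between sites on separate VPNs, no overlap with the hosted VLANs) and the firewall route are easy to get wrong by hand. The following is an added example, not Rise's tooling, that checks a proposed plan and emits the routes. It assumes the VPN router is the .3 host of the Inside VLAN as shown in the diagram, and that the Inside VPS is a Windows server (so the host route uses `route -p add`); the site networks and VLAN ranges in it are constructed sample data.

```python
"""
Site-to-site VPN address planning for a Network Solution.

Added example (not Rise's tooling). It applies the rules in the Network
Solution specification: one IP block per site-to-site VPN, so several
on-premise networks behind one VPN must be requested as a single covering
block; networks behind different VPNs into the same solution must not
overlap; and the hosted VLAN ranges must not overlap any on-premise range.
It also emits the firewall static route from the specification and the
equivalent persistent route for a Windows Inside VPS. The VPN router is
assumed to be the .3 host of the Inside VLAN, as in the diagram; the sites
and VLAN ranges below are constructed sample data.
"""
from ipaddress import IPv4Network
from typing import Dict, List, Tuple

RFC1918 = [IPv4Network("10.0.0.0/8"), IPv4Network("172.16.0.0/12"),
           IPv4Network("192.168.0.0/16")]
VPN_ROUTER_HOST = 3  # $inside-network.3 in the specification's route line (assumption)


def covering_block(networks: List[IPv4Network]) -> IPv4Network:
    """Smallest single block that contains every network of one site; this
    is the 'on-premise network' to request for that site's VPN."""
    block = sorted(networks)[0]
    while not all(n.subnet_of(block) for n in networks):
        block = block.supernet()
    return block


def unused_space(block: IPv4Network, networks: List[IPv4Network]) -> List[IPv4Network]:
    """Ranges inside the covering block that are not one of the site's own
    networks. Requesting the block routes these into the VPN as well, so the
    site's own routing must be able to handle them."""
    leftover = [block]
    for n in networks:
        leftover = [piece for part in leftover
                    for piece in (part.address_exclude(n) if n.subnet_of(part) else [part])]
    return sorted(leftover)


def is_rfc1918(net: IPv4Network) -> bool:
    return any(net.subnet_of(r) for r in RFC1918)


def plan_vpns(sites: Dict[str, List[IPv4Network]],
              hosted_vlans: Dict[str, IPv4Network]) -> Tuple[Dict[str, IPv4Network], List[str]]:
    """Block to request per site, plus every rule violation found."""
    requested = {site: covering_block(nets) for site, nets in sites.items()}
    problems: List[str] = []
    for site, block in requested.items():
        if not is_rfc1918(block):
            problems.append(f"{site}: {block} is not RFC 1918 address space")
        for vlan, hosted in hosted_vlans.items():
            if block.overlaps(hosted):
                problems.append(f"{site}: {block} overlaps hosted {vlan} VLAN {hosted}; "
                                "contact support to re-address one side")
    names = list(requested)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if requested[a].overlaps(requested[b]):
                problems.append(f"{a} ({requested[a]}) and {b} ({requested[b]}) overlap; "
                                "separate site-to-site VPNs need disjoint address space")
    return requested, problems


def firewall_route(block: IPv4Network, inside_vlan: IPv4Network) -> str:
    """The 'route INSIDE ...' line from the specification for one site."""
    vpn_router = inside_vlan.network_address + VPN_ROUTER_HOST
    return f"route INSIDE {block.network_address} {block.netmask} {vpn_router}"


def vps_route(block: IPv4Network, inside_vlan: IPv4Network) -> str:
    """Persistent static route for a Windows server in the Inside VLAN."""
    vpn_router = inside_vlan.network_address + VPN_ROUTER_HOST
    return f"route -p add {block.network_address} mask {block.netmask} {vpn_router}"


# Constructed sample plan: the Inside and one DMZ VLAN from the diagram, and
# five on-premise sites, two of which break the rules deliberately.
INSIDE_VLAN = IPv4Network("10.95.0.0/23")
HOSTED_VLANS = {"INSIDE": INSIDE_VLAN, "DMZ": IPv4Network("10.95.2.0/23")}
SITES = {
    "head-office": [IPv4Network("10.10.0.0/24"), IPv4Network("10.10.1.0/24")],  # -> /23
    "branch": [IPv4Network("192.168.0.0/24")],
    "remote": [IPv4Network("10.20.0.0/24"), IPv4Network("10.20.2.0/24")],      # -> /22 with gaps
    "warehouse": [IPv4Network("10.10.1.0/24")],   # overlaps head-office's block
    "lab": [IPv4Network("10.95.1.0/24")],         # overlaps the hosted Inside VLAN
}

if __name__ == "__main__":
    requested, problems = plan_vpns(SITES, HOSTED_VLANS)
    for site, block in requested.items():
        print(f"{site}: request {block}; unused within it: "
              f"{[str(u) for u in unused_space(block, SITES[site])]}")
        print("  firewall:  ", firewall_route(block, INSIDE_VLAN))
        print("  inside VPS:", vps_route(block, INSIDE_VLAN))
    for p in problems:
        print("PROBLEM:", p)
```

Run as a script it prints the block to request for each site, the address space that block would pull into the VPN beyond the site's own networks, both routes, and the two deliberate violations (the "warehouse" block sits inside "head-office"'s /23, and "lab" collides with the hosted Inside VLAN).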
The diagram below illustrates a typical VLAN/VPN/Firewall configuration, excluding the public internet-facing outside interface. It highlights the static routes required to reach each on-premise network. Please note that the diagram shows routes on the firewall for on-premise networks via the VPN router; this is a configuration option for you, in case you want to manage the firewall from on-premise. A side benefit is that it can act as a backup route should the Inside VPS routes be missing, but it should not be relied on for this purpose by default as it is a suboptimal traffic path (traffic unnecessarily hairpins through the firewall).

[Diagram: typical VLAN/VPN/Firewall configuration. IP addresses used are for illustrative purposes only.]
- On-Premise LAN: 192.168.0.0/24, reached via the VPN router at 10.95.0.3
- INSIDE VLAN: 10.95.0.0/23; firewall inside interface 10.95.0.1; remote access clients allocated by DHCP from 10.95.1.0/24
- Inside VPS routing: to reach on-premise 192.168.0.0/24 via 10.95.0.3
- Firewall routing: to reach on-premise 192.168.0.0/24 via 10.95.0.3
- DMZ VLAN: 10.95.2.0/23; firewall DMZ interface 10.95.2.1
- Internet: via the firewall's outside interface (not shown)

Managed Firewall Service
After the purchase of the managed firewall service you will be required to complete an initial configuration template and provide a network and solution architecture diagram. Following receipt of these, the following is provided:

Telephone based consultancy service
A telephone conference with a Rise network engineer covering the specified firewall configuration, to provide best practice advice and confirm the initial configuration requirements. The call will cover best practice for the proposed solution and design as well as security considerations, and will conclude with agreement and approval of the rules to be configured.

Initial configuration
A Rise network engineer will perform the configuration of the firewall, including setting up and verifying all the rules contained within the firewall configuration document agreed and approved during the telephone consultancy.

Monitoring
Rise engineers will continually monitor the hardware and firewall configurations 24/7/365. In the event of any failure our support team will immediately start working to resolve the issue.

Administration and Updates
Rise engineers will continually maintain and apply updates to the hardware and infrastructure. Change requests to the firewall configuration can be raised via support and will be implemented by a Rise network engineer. Three change requests are included in the first month after initial configuration. Thereafter one change request per month is included within the management fee; additional change requests are chargeable.

Configuration backup and 24/7/365 expert support
Rise will keep backups of firewall configurations; in the event of an issue, the firewall configuration can be rolled back to a previously saved stable configuration. Phone support is available 24/7/365.

Professional Services and Bespoke Configurations
The flexibility and scalability of our Network Solutions will suit the majority of use cases, but we understand that from time to time more complex and challenging solutions are required. In these cases additional functionality can be delivered via professional services and bespoke configuration. Please contact your Rise Account Manager to discuss your requirements. Some examples of non-standard product functionality that can be delivered as a professional service:
- Analysing your customer's existing network to determine the most effective way to integrate it with their new network solution
- Site-to-site VPNs, or remote access VPN users, terminated in a VLAN other than the Inside VLAN
- Advanced network designs with customised internal IP ranges and multiple VLANs
- Making DMZ VLANs reachable from on-premise networks
- Troubleshooting of complex network problems
- Allocation of dedicated public IP blocks to firewalls
- Provision of fully or part managed dedicated hardware (firewalls, load balancers, VPN concentrators)
Virtual Private Cloud: Overview
Within a Network Solution multiple virtual servers can be deployed. The isolation and access control delivered by the Rise Network Solution creates a private cloud for the customer which can contain multiple business IT solutions. These solutions are known as Application Solutions and are generally segregated by the business purpose they deliver; they can be assigned a theme to distinguish this for management. Rise currently offers two Application Solutions:

Custom
Each solution contains one or more Windows virtual servers, allowing you to install and configure a wide variety of business solutions for your customer. Software and appropriate licenses for Microsoft applications can be requested and attached to assist with the building of such solutions if needed. Each server is deployed with the Windows operating system installed.

Disaster Recovery
This solution contains Windows virtual servers with specifications defined by the protection level required for your customer's existing servers. Our software partner for this product is Vision Solutions (Double-Take), a market leading provider of business continuity software. Each server is deployed with the Windows operating system installed and the correct Double-Take software and licenses to simplify building the disaster recovery solution. Rise offer two protection levels within the Disaster Recovery solution:

Advanced Backup allows multiple physical and/or virtual servers to be replicated to a repository, giving assurance that your data is held safely off-premise; updates are continually replicated to the repository, ensuring the latest data is always held. In the event of any failure of the source server, data or the full server can be restored. For faster recovery, a virtual server can be created within the solution and the backup restored to it, offering protection against software and hardware failures.
Should a full site disaster occur, IT and business can continue from the cloud. For increased flexibility we can also provide licenses for an on-premise local repository, allowing a local copy of all data to be kept.

High Availability allows a one-to-one mapping of critical physical or virtual business servers to a counterpart in the cloud; updates are replicated across to ensure an up-to-date copy is always running. Any failure can be recovered from rapidly with a failover to the hot standby server. Users can be seamlessly redirected to the new server(s) for minimal business disruption.
Virtual Private Cloud: Functional Specification

Application Solutions: Custom
A Custom Application Solution includes the following functionality as standard; additional functionality can be delivered via professional services and bespoke configuration. Please contact your Rise Account Manager to discuss your requirements.

Control Panel
Each Custom Application Solution can only be assigned to one customer within the Rise control panel. It must be deployed in an existing or new Network Solution that is assigned to the same customer.

Servers
Each virtual server has the following hardware specification:
- 40GB System Disk (C:). Format = VHD on 15K SAS RAID 50 SAN storage
- Up to 960GB Data Disk (D: and above), can be partitioned by the user. Format = VHD on 15K SAS RAID 50 SAN storage
- Up to 16GB RAM
- Up to 4 vCPU
- Operating Systems available: Windows Server 2008 R2 Standard (x64), Windows Server 2008 R2 Web (x64)

Each server can be deployed within any VLAN of the assigned Network Solution. Each server is assigned one IP address from the hosted network (VLAN) by default.

Microsoft Application Licenses
The Microsoft application licenses available through the Service Provider License Agreement (SPLA) program can all be purchased and the appropriate software media applied to a server.

License Mobility
Partners or customers can choose to use existing on-premise Microsoft licenses purchased through a volume licensing agreement, as long as they have Software Assurance and comply with the rules found here:
http://www.microsoft.com/licensing/software-assurance/license-mobility.aspx#tab=1
Application Solutions: Disaster Recovery
A Disaster Recovery Solution includes the following functionality as standard; additional functionality can be delivered via professional services and bespoke configuration. Please contact your Rise Account Manager to discuss your requirements.

Control Panel
Each Disaster Recovery Application Solution can only be assigned to one customer within the Rise control panel. It must be deployed in an existing or new Network Solution that is assigned to the same customer.

Advanced Backup Repositories
All servers protected with Advanced Backup will be backed up to one or more repository servers which have the following hardware specification:
- Operating System: Windows Server 2008 R2 Standard
- 40GB System Disk (C:). Format = 15K SAS RAID 50 SAN storage
- Up to 15TB Data Disk (D: and above), can be partitioned by the user. Format = iSCSI on 7.2K SATA RAID 5 SAN storage
- 2GB RAM (can be increased up to 16GB)
- 1 vCPU (can be increased up to 4 vCPU)

Each repository can be deployed within any VLAN of the assigned Network Solution. Each repository is assigned one IP address from the hosted network (VLAN) by default.

Vision Software (Double-Take)
Each repository is deployed with Vision RecoverNow software; the license key for this software is accessible from within the Rise control panel after purchase. The Vision software must be node-locked to activate it; this involves registering it and associating it with the server through the Vision portal. Rise will provide a detailed user guide on how to do this. Partners are encouraged to attend the Rise & Vision two day training course on this product; please contact your Rise Account Manager to find the next available date and location and to book your place.
High Availability Servers
All servers protected with High Availability will be replicated to a virtual server with the following hardware specification:
- Operating Systems:
  o Windows Server 2008 R2 Standard (x64 only), to protect all 2008 R2 machines
  o Windows Server 2008 Standard (x64 and 32-bit), to protect all 2008 machines
  o Windows Server 2003 R2 Standard (x64 and 32-bit), to protect all 2003 and 2003 R2 machines
- Up to 1TB System Disk (C:). Format = VHD on 15K SAS RAID 50 SAN storage
- Up to 1TB Data Disk (D: and above), can be partitioned by the user. Format = VHD on 15K SAS RAID 50 SAN storage
- Maximum of 1TB in total between system and data disks
- Up to 16GB RAM
- Up to 4 vCPU

Each HA server can be deployed within any VLAN of the assigned Network Solution. Each HA server is assigned one IP address from the hosted network (VLAN) by default.

Vision Software (Double-Take)
Each High Availability server is deployed with Vision Availability software; the license key for this software is accessible from within the Rise control panel after purchase. The Vision software must be node-locked to activate it; this involves registering it and associating it with the server through the Vision portal. Rise will provide a detailed user guide on how to do this. Partners are encouraged to attend the Rise & Vision two day training course on this product; please contact your Rise Account Manager to find the next available date and location and to book your place.

Professional Services and Bespoke Configurations
The flexibility and scalability of our Application Solutions will suit the majority of use cases, but we understand that from time to time more complex and challenging solutions are required. In these cases additional functionality can be delivered via professional services and bespoke configuration. Please contact your Rise Account Manager to discuss your requirements. Some examples of non-standard product functionality that can be delivered as a professional service:
- Server operating systems outside of the current specification, including Linux
- Physical server deployed as part of a Custom Application Solution
- Moving a deployed server from one VLAN to another within the same Network Solution
- Microsoft SPLA licensing for charities, academic institutions and government
- Specific partner enrolment for their own SPLA usage
Snapshot Backup Service: Overview
All virtual servers deployed within a Rise Network Solution can be protected with the Rise snapshot backup service. This gives assurance that, should a software or configuration error corrupt your server or application, you can restore to a point in time before the corruption.

Snapshot Service: Functional Specification
A copy of the entire server is taken at a specific point in time. The snapshot is performed at storage level on the SAN where the virtual machine is stored. The local copies are then replicated to a secondary storage array in our secondary datacentre.
- 2 hourly snapshots, retain 5 copies (on primary storage array), 15K SAS RAID 50 SAN storage
- 24 hourly snapshots, retain 2 copies (on primary storage array), 15K SAS RAID 50 SAN storage
- 2 hourly replication, retain 6 copies (replicated to secondary storage array), 7.2K SATA RAID 5 SAN storage
- 12 hourly replication, retain 11 copies (replicated to secondary storage array), 7.2K SATA RAID 5 SAN storage

At any point in time, we keep the following copies on the production storage array: -2hrs, -4hrs, -6hrs, -8hrs, -10hrs, -24hrs and -48hrs.
At any point in time, we keep the following copies on the secondary storage array: -2hrs, -4hrs, -6hrs, -8hrs, -10hrs, -12hrs, -24hrs, -36hrs, -48hrs, -60hrs, -72hrs, -84hrs, -96hrs, -108hrs, -120hrs and -132hrs (five and a half days).

Because the snapshot is taken at storage level, it captures the disks exactly as they were at that instant; unless the workload is quiesced beforehand, the copy is crash-consistent rather than application-consistent, so recovery of transactional applications (databases, Exchange) from a snapshot should be tested before it is relied upon.

A one-off setup fee is charged for each server that utilises the service, plus an on-going monthly fee. A one-off professional service charge is incurred for the restoration of a stored snapshot.

Advanced Server Monitoring: Overview
All virtual servers deployed within a Rise Network Solution can be monitored with the Rise Advanced Server Monitoring solution. A small software agent needs to be installed on all servers that are to be monitored, and a web based portal allows configuration of the rules and alerts to be triggered.
This gives assurance that, should the server or application go down, you will be notified, can inform your customers and can work on resolving the fault.

Advanced Server Monitoring: Functional Specification
SNMP based agents must be installed on all servers to be monitored, with appropriate rules in place on the firewall for SNMP data to be transmitted. Those rules should be limited to the monitoring platform's addresses and the SNMP ports (UDP 161 for polling, UDP 162 for traps) rather than permitting SNMP from any source.
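The Snapshot Backup Service section above lists four retention schedules and then the recovery points they leave on each array. The following added example, not Rise's tooling, derives those points from the schedules and answers the question a practitioner actually has during an incident: given that a corruption happened N hours ago, which is the newest clean copy, and on which array. The schedule table is copied from the specification; everything else is constructed.

```python
"""
Recovery points implied by a snapshot retention policy.

Added example, not Rise's own tooling. SCHEDULES holds the four entries from
the Snapshot Service functional specification as (interval in hours, copies
retained, array). A schedule with interval i and n copies holds the copies
taken i, 2i, ..., n*i hours ago; where two schedules on the same array
produce a copy of the same age that is one copy, not two.
"""
from typing import List, Optional, Tuple

SCHEDULES: List[Tuple[int, int, str]] = [
    (2, 5, "primary"),      # 2 hourly snapshots, retain 5
    (24, 2, "primary"),     # 24 hourly snapshots, retain 2
    (2, 6, "secondary"),    # 2 hourly replication, retain 6
    (12, 11, "secondary"),  # 12 hourly replication, retain 11
]


def recovery_points(schedules: List[Tuple[int, int, str]], array: str) -> List[int]:
    """Hours-ago offsets of every copy held on the named array, oldest last."""
    points = set()
    for interval, copies, where in schedules:
        if where == array:
            points.update(interval * k for k in range(1, copies + 1))
    return sorted(points)


def widest_gap(points: List[int]) -> int:
    """Largest distance between neighbouring recovery points, counting the
    gap from 'now' back to the newest copy: the most data that can be lost
    if restoring from the copy just older than a given moment."""
    gap, previous = 0, 0
    for p in points:
        gap, previous = max(gap, p - previous), p
    return gap


def newest_clean_point(points: List[int], corruption_age_hours: float) -> Optional[int]:
    """Newest copy taken strictly before a corruption that happened the given
    number of hours ago, or None when every retained copy already contains
    it (the corruption is older than the oldest copy on that array)."""
    clean = [p for p in points if p > corruption_age_hours]
    return min(clean) if clean else None


def choose_restore(schedules: List[Tuple[int, int, str]],
                   corruption_age_hours: float) -> Optional[Tuple[str, int]]:
    """Prefer the primary array (faster storage, no cross-site copy); fall back
    to the secondary array if only it still holds a clean copy."""
    for array in ("primary", "secondary"):
        point = newest_clean_point(recovery_points(schedules, array), corruption_age_hours)
        if point is not None:
            return array, point
    return None


if __name__ == "__main__":
    for array in ("primary", "secondary"):
        pts = recovery_points(SCHEDULES, array)
        print(f"{array}: {pts} (oldest {pts[-1]}h, widest gap {widest_gap(pts)}h)")
    for age in (3, 30, 50, 140):
        print(f"corruption {age}h ago -> restore from {choose_restore(SCHEDULES, age)}")
```

The two printed point lists match the ones stated in the specification; the lookup shows that a corruption noticed 30 hours after it happened can still be recovered from the primary array's 48-hour copy, one noticed 50 hours after has to come from the secondary array's 60-hour copy, and after 132 hours nothing clean remains.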
DCoD Software as a Service

Online Backup: Overview
Online Backup provides protection for all your important data and files. The simple, fast and reliable service is configured quickly to provide a secure off-site backup, ensuring your data can be recovered quickly should the worst happen. This service is suited to businesses that need to back up data from employees' computers or business servers. The simple to use software client can be installed on an unlimited number of machines and allows easy selection of files and folders along with configuration of the regular backup schedule.

Online Backup: Functional Specification
Online Backup is provided using software from our partner NovaStor. The following storage quotas are available: 10GB, 25GB, 50GB, 100GB, 250GB, 500GB, 750GB and 1000GB.

The white label software client can be installed on the following client and server machines:
- Windows 7 (32/64 bit), all versions
- Windows Vista SP2 (32/64 bit), all versions
- Windows XP SP3 (32/64 bit), all versions
- Windows Server 2008 R2 (64 bit), all versions
- Windows Server 2008 SP2 (32/64 bit), all versions
- Windows Server 2003 SP3 (32/64 bit), all versions

Unlimited software clients can be installed and connected to the same storage area. The entire machine can be protected or individual files and folders selected. The backup can be scheduled to run at regular intervals. All data is encrypted on the client before transmission and is transmitted and stored in encrypted form. Data can be restored to any client with the correct credentials, so those credentials give access to every file in the storage area and should be issued per customer and protected accordingly. Multiple storage quotas can be added to the same software client and different backups can be assigned to these different storage quotas.

Four backup modes can be selected:
- Full: a full backup of all selected files
- Incremental: backs up files that have been modified since the last full or incremental backup
- Differential: backs up files that have been modified since the last full backup
- Snapshot: a full backup of all selected files that does not mark them as backed up, so it leaves subsequent incremental and differential runs unaffected

Exchange 2010 Mailboxes: Overview
Professional mailboxes provide business class email and collaboration tools without the management overhead of running your own Exchange Server. This is ideal for small to medium sized businesses that need secure and reliable email. Mailboxes can be added to and removed from the account as required, and all benefit from a downloadable Outlook 2010 client to enable you to work with your mail, contacts and calendar even when you are not connected to the internet.

Exchange 2010 Mailboxes: Functional Specification
Professional Mailboxes are built on our new Exchange 2010 platform and provide the following:
- 5GB mailbox
- Latest Outlook software for PC and Mac (2010)
- Access email with Outlook Web App through a browser
- Share calendars, task lists and folders with colleagues
- Email and calendar synchronisation on your mobile with Exchange ActiveSync
- Virus scanning and spam filtering
- Roaming SMTP: use our outgoing mail server with any broadband provider
- Use your own domain name regardless of where it is registered
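The four Online Backup modes listed in the Online Backup functional specification differ only in which files they select and whether a run counts as a reference point for later runs. The following added example, not NovaStor's or Rise's code, models those definitions literally (incremental measured from the last full or incremental, differential from the last full, snapshot copying everything without becoming a reference point) and runs a constructed sequence of edits and backups through them. The file names, the edit sequence and the use of a logical clock instead of real timestamps are all constructed for the illustration.

```python
"""
Which files each Online Backup mode selects, modelled with a logical clock.

Added example, not NovaStor's or Rise's code. The client keeps the last
change time of each selected file plus the time of the last full backup and
the last full-or-incremental backup; the modes are then exactly the
specification's definitions:
  full         every selected file; becomes the reference for both counters
  incremental  files changed since the last full or incremental; becomes the
               reference for later incrementals
  differential files changed since the last full; changes no reference
  snapshot     every selected file; changes no reference (not 'marked')
"""
from typing import Dict, List


class BackupClient:
    def __init__(self, files: List[str]) -> None:
        self.clock = 0                      # logical time instead of real mtimes
        self.mtime: Dict[str, int] = {}     # last change time per selected file
        for name in files:
            self.touch(name)
        self.last_full = -1                 # no full yet: everything counts as changed
        self.last_full_or_incr = -1

    def touch(self, name: str) -> None:
        """Record a modification to (or creation of) a selected file."""
        self.clock += 1
        self.mtime[name] = self.clock

    def run(self, mode: str) -> List[str]:
        """Perform one backup run and return the files it copies."""
        self.clock += 1
        now = self.clock
        if mode == "full":
            selected = sorted(self.mtime)
            self.last_full = self.last_full_or_incr = now
        elif mode == "incremental":
            selected = sorted(f for f, t in self.mtime.items() if t > self.last_full_or_incr)
            self.last_full_or_incr = now
        elif mode == "differential":
            selected = sorted(f for f, t in self.mtime.items() if t > self.last_full)
        elif mode == "snapshot":
            selected = sorted(self.mtime)   # copies all, marks nothing
        else:
            raise ValueError(f"unknown backup mode {mode!r}")
        return selected


def scenario() -> Dict[str, List[str]]:
    """Constructed sequence of edits and runs; returns what each run copied."""
    client = BackupClient(["a.docx", "b.xlsx", "c.pst"])
    copied: Dict[str, List[str]] = {}
    copied["full"] = client.run("full")                # all three files
    client.touch("a.docx")
    copied["incr1"] = client.run("incremental")        # a only
    client.touch("b.xlsx")
    copied["diff"] = client.run("differential")        # a and b: measured from the full
    copied["incr2"] = client.run("incremental")        # b only: measured from incr1
    copied["snapshot"] = client.run("snapshot")        # all three, marks nothing
    copied["incr3"] = client.run("incremental")        # nothing: snapshot changed no reference
    client.touch("c.pst")
    copied["incr4"] = client.run("incremental")        # c only
    return copied


if __name__ == "__main__":
    for run, files in scenario().items():
        print(f"{run:9s} copied {files}")
```

The point the sequence makes for restore planning: after the differential run a restore needs only the last full plus that differential, whereas a restore after `incr4` needs the full plus every incremental since it, and the snapshot in between contributes nothing to that chain.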