Cisco CSR 1000V: Securely Extend Your Apps to the Cloud
Nick Matthews, Solutions Architect, AWS
Fan Yang, Technical Marketing Engineer, Cisco
Daniel Zuckerberg, Customer Solutions Architect, Cisco
Carl Coles, Principal Network Architect, Adobe


Page 1: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

Cisco CSR 1000V: Securely Extend Your Apps to the Cloud
Nick Matthews, Solutions Architect, AWS
Fan Yang, Technical Marketing Engineer, Cisco
Daniel Zuckerberg, Customer Solutions Architect, Cisco
Carl Coles, Principal Network Architect, Adobe

Page 2: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

Agenda
AWS Networking Solutions
Cloud Trend and Network Challenge
CSR 1000V Overview and Cloud Use Cases
CSR 1000V on Under Armour
CSR 1000V on Adobe
Q&A

Page 3: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

Cloud Performance is Only as Good as Network Performance

The benefits of cloud computing are well-proven:
Scalability
Security
Global Footprint
Cost-effectiveness

But your networking performance determines to what degree you will derive those benefits

Page 4: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

Core Networking Offerings

AWS offers a wide variety of networking services, with four at the center:
Amazon VPC
AWS Direct Connect
Amazon Route 53
Amazon Elastic Load Balancing

Page 5: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

Layers of Networking on AWS

Region

AZ

VPC

Subnet

Routing Table

Network ACL

Security Group

Page 6: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

Amazon VPC

Amazon Virtual Private Cloud (VPC) lets you provision a logically isolated section of the AWS cloud where you can launch resources in a virtual network you define

Choose from multiple connectivity options including public internet, Network Address Translation, encrypted VPN, and more
Quickly and easily provision and configure using the AWS Management Console
Leverage multiple layers of security to protect your applications and environment, including access control lists, dedicated hardware, and more

Page 7: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

AWS Direct Connect

AWS Direct Connect gives you dedicated network connections between your on-premises data center and AWS

Can reduce bandwidth costs
Delivers more consistent network performance with reduced latency
Compatible with all AWS services
Elastically scales to meet your specific needs

[Diagram labels: Direct Connect Location, IPVPN/MPLS, Point to point, Customer Data Center, Customer Office]

Page 8: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

Elastic Load Balancing

Elastic Load Balancing automatically distributes incoming application traffic across multiple Amazon EC2 instances and Availability Zones

Enables fault tolerance, with less manual intervention in applications
Ensures that only healthy Amazon EC2 instances receive traffic; traffic is re-routed to a new Availability Zone if all Amazon EC2 instances are unhealthy
Meets application traffic demands by automatically scaling its request handling capacity

Page 9: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

Amazon Route 53

Amazon Route 53 is designed to reliably and cost-effectively route end-users to internet applications

Connects user requests to infrastructure running in AWS, and can also be used to route users to infrastructure outside of AWS
Monitor application and end-point health, or re-route traffic to healthy end-points with DNS health checks
Meets application traffic demands by automatically scaling request handling capacity
Manage traffic globally with Traffic Flows – route users to application end-points through a single region, or around the globe

Page 10: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

Augment Your Network with AWS Marketplace Offerings

ISVs in AWS Marketplace offer solutions for a wide variety of use cases:

Routing
VPN
Application Delivery
Firewalling

Page 11: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

Network Challenges in the Cloud

Page 12: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

Enterprises are Moving Applications to Cloud
Numerous Challenges to Adopt

Enterprise adoption of cloud continues to grow
Security is still top of the list of concerns
71% of enterprise cloud solutions have a hybrid approach where both private and public clouds are used

Page 13: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

Extending Enterprise Networks Into Any Cloud Using Proven IOS XE Platforms in All Locations

[Diagram labels: Existing Enterprise Network, Enterprise Locations, The Cloud, Others]

Page 14: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

Cisco Cloud Services Router 1000V (CSR 1000V) for All Deployment Types

[Diagram labels: ISR 4400, ASR 1000, CSR 1000V, CSR 1000V; deployment types: Physical, Virtual, Cloud]

Page 15: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

CSR 1000V Overview and Cloud Use Cases

Page 16: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

CSR 1000V

[Diagram labels: CSR 1000V (RP, FP), App, OS, Vertical Switch, Hypervisor, Server]

Software: 3000+ features. Same software as ASR 1000 and ISR 4000
Infrastructure Agnostic: Amazon Web Services, as well as additional cloud platforms
Throughput Elasticity: Licensable throughput from 10 Mbps to 10 Gbps; footprint options from 1 to 8 virtual CPUs
Licensing Models: Term 1 Year, 3 Years, 5 Years or Hourly Usage*; Smart License
Programmability: NetConf/Yang, RESTConf and SSH/Telnet for automated provisioning, management, and monitoring

Page 17: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

CSR 1000V Use Cases for the Cloud

Branch VPN Termination: IPSec, DMVPN, FlexVPN, EZVPN, etc. Up to 1,000 concurrent VPN tunnels

Remote VPN Access: SSLVPN via AnyConnect

Virtual Cloud / DC Interconnection: Globally distributed applications, Interregional connection

Firewall and Application Inspection: Stateful firewall between regions

* Routers do not actually produce fire (usually)

[Diagram labels: Corporate Office/Branch; Virtual Cloud (Cloud, US East); Virtual Cloud (Cloud, US West)]

Page 18: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

Where to Find the CSR 1000V in AWS Marketplace

In AWS Marketplace:
– https://aws.amazon.com/marketplace
– Search for “CSR1000V”
– CSR 1000V product search will return a list of available CSR 1000V offers, pricing, support, and deployment information

Page 19: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

Transit VPC with CSR 1000V

Page 20: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

What is a Transit VPC?

Network transit centers are a common network design for connecting multiple, geographically dispersed networks

A Transit VPC allows AWS customers to create virtual network transit centers, without the traditional costs of establishing a physical presence in a co-location transit hub or deploying physical network gear

[Diagram labels: Corporate Data Center(s), Other Provider Networks]

Page 21: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

Transit VPC Design

Dedicated VPC: Simplifies routing by not combining with other shared services

CSR1000V Virtual Network Appliances: Provide dynamic routing and VPN network tunnels

Redundancy: Dynamic routing combined with multi-AZ deployment creates a robust network infrastructure

VGW: VPC virtual gateways provide highly available connections to transit VPC virtual network appliances

[Diagram labels: Transit VPC (AZ1, AZ2), Spoke VPC (A, B, C), Direct Connect, Internet, Private DC, ASR, Other Provider Networks]

Page 22: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

Flexible Purchasing Options

BYOL (Bring Your Own License). Purchase 1-year, 3-year, or 5-year license subscriptions from Cisco

Pay by the hour using AWS (yearly billing is coming in future)

Pooled licensing using Cisco Smart Software Licensing (Suggested)

Multiple technology packages, and varying throughput options

Page 23: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

Under Armour
Extending Enterprise WAN to AWS with CSR 1000V

Page 24: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

The New IT Model for Under Armour

A Service Broker for the Lines of Business

Enable the Application/Marketing/Financial Team’s growth
Curb the organic growth of ungoverned Shadow IT resources
Provide an agnostic platform that facilitates SOP
Augment Application owner’s security controls
Have visibility to address issues proactively

Page 25: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

Key Guiding Principles for UA Cloud Strategy

Time to Market
Accelerate time to bring an application or feature set from concept to deployment
Scale up IT services to support 25% YoY growth
– 450 new stores in the next 2 years
Provide elastic and on-demand infrastructure and platform service capability

Reducing Risk Profile
Protect Under Armour customer data to maintain brand reputation
Design next generation security architecture encompassing automation and self-service
Institutionalize processes for strong governance across the enterprise

Improving Quality of Service
Provide SLAs targeted at high availability and improved incident resolution rates
Adopt a service-oriented architecture to simplify and streamline application integrations
Standardize application, platform and infrastructure to drive service reusability

Page 26: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

WAN Architecture Overview

Geographically dispersed Regional Hubs
Sites are localized to their Regional Hub
– Brings the highest level of availability
– Performance optimized path selection for scaling bandwidth
– Enforcement, Compliance, and Visibility

Page 27: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

WAN Design Evolution
Traditional to Intelligent WAN (IWAN)

Traditional Hybrid
Two WAN Routing Domains
– MPLS: eBGP
– Route Redistribution
– Route Filtering
– Loop Prevention
Active/Standby WAN Paths
– Primary with Backup

IWAN Hybrid
One WAN Routing Domain
– MPLS and Internet: Default
– Minimal Route Filtering
Active/Active WAN Paths

[Diagram labels, both designs: Branch, ISR-G2, Internet, MPLS, ISP A, SP V, DMVPN, ASR 1000, Data Center]

Page 28: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

UA IWAN High Level Topology

[Diagram]
POPs: IWAN LATAM-POP, IWAN US-POP, IWAN ASIAPAC-POP, IWAN EMEA-POP
Hubs (with BR routers): DC/MC 10.1.0.0/16, 10.2.0.0/16; T-MC 10.3.0.0/16, 10.4.0.0/16; T-MC 10.5.0.0/16, 10.6.0.0/16; T-MC 10.7.0.0/16, 10.8.0.0/16
Branches (MC+BR): US-A and US-B (10.1.10.0/24, 10.1.11.0/24); LAT-G and LAT-H (10.1.20.0/24, 10.1.21.0/24); EUR-I and EUR-J (10.1.30.0/24, 10.1.31.0/24); AP-X and AP-Y (10.1.40.0/24, 10.1.41.0/24)
DMVPN clouds: MPLS-1, MPLS-2, MPLS-3, INET-1, INET-2

Page 29: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

Transit WAN Design with the CSR 1000V on AWS

Only DMVPN required with Active/Standby Circuit Design
CSR 1000V deployed as Active/Standby
– Standby only consuming minimal resources until failure
CSR 1000V enables dynamic route failover
– FVRF allows for dual provider connectivity
    Internal DMVPN Hub Route VGW
    External DMVPN Hub Route IGW
– IVRF allows for dynamic routing of App and User traffic
NAT leveraged for Transit Routing

[Diagram labels: IWAN US-POP (DC/MC, BR); CSR 1000V Active; CSR 1000V Standby; P2P GRE Tunnel; AWS VGW (DMVPN over AWS Direct Connect); AWS IGW (DMVPN over INET); pcx-aaaatttt, pcx-bbbbtttt, pcx-cccctttt; AWS VPC-A 10.10.A.0/24 (App A-1, App A-2); AWS VPC-B 10.10.B.0/24 (App B-1, App B-2); AWS VPC-C 10.10.C.0/24 (App C-1, App C-2)]

Page 30: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

Adobe and CSR 1000V

Page 31: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

Adobe Digital Marketing Cloud

Provides a comprehensive marketing solution
Enables marketers to measure, personalize and optimize digital experiences
Fastest growing business unit in Adobe which presents unique growth challenges
Agility and workload mobility created the need for cloud opportunities

[Diagram labels: The ACME Company, Marketing, Digital Body Language, Personalized Digital Experience, Digital Channels, Digital Devices, Users, Digital Content, Adobe Marketing Cloud]

Page 32: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

Migration to AWS Cloud

Speed to market required more agility and mobility
Transition of development VPCs to AWS
Global connectivity considerations
Adoption continued to increase on a per account basis

Page 33: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

AWS VPC Sprawl

VPC sprawl across more than 700 accounts
VPC scaling and peering limitations
Requirements for cloud connectivity
VPC security requirements
VPC and cloud MPLS VPNs alignment

Page 34: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

Existing MPLS VPN Datacenter Architecture

[Diagram labels: Users, Edge, Regional A, Region B, Data Collection, Data Processing]

Closer to Customer Digital Experience
Over 30 Global Locations
Edge Data Collection
Datacenters
Cloud Environments
Core Data Processing
Private Datacenters
Tenant segmentation using MPLS VPN
High Speed Transport
Private Provider
Connecting cloud environments

Page 35: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

Adobe Multi-Cloud Transport using CSR 1000V

Global MPLS Network built with Cisco ASR routers

Integrates cloud environments

Four Functional Areas of the Routing Fabric
– Edge Transport P router
– Datacenter Edge P router
– ALG PE router
– CE router

Cisco CSR 1000V as P and PE routers connecting AWS locations

[Diagram labels: Adobe, PCP, Region A, Region B, Region C, Regional Edge Transport, Edge Transport, Edge, Core, RDC, DPC]

Page 36: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

AWS VPCs and Cisco CSR 1000V

Traditional VPC peering does not scale

Hub and spoke topology as an overlay

Cisco CSR 1000V adoption
– Familiar platform
– MPLS and routing support
– Zone-Based firewall
– BYOL License Support

[Diagram labels: Edge Transport (Cisco ASR 1000), AWS Direct Connect, Regional Core Transport, Virtual Private Cloud (AZ1, AZ2), Edge CSR 1000V, CSR 1000V PE, AWS VPC Peering, Customer Spoke VPC (AZ1, AZ2), CE BIRD, CENTOS, Horizontal Scale]

Page 37: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

AWS VPCs and Cisco CSR 1000V

Transit VPC
Using MPLS VPN to align with AWS VPC
Centralized security choke point
Customer Edge Routing
BGP peering into VRF
Automated AWS VPC routing updates
Dynamic AZ failover
Utilizing Terraform for deployments

[Diagram labels: Edge Transport (Cisco ASR 1000), AWS Direct Connect, Regional Core Transport, Virtual Private Cloud (AZ1, AZ2), Edge CSR 1000V, CSR 1000V PE, AWS VPC Peering, Customer Spoke VPC (AZ1, AZ2), CE BIRD, CENTOS, RR IBGP VPNv4 Peering, eBGP VRF Peering, Overlay GRE Fabric, AWS Connectivity]

Page 38: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

Benefits of Using AWS and Cisco CSR 1000V

Zone-based firewall and MPLS support to provide secure segmentation in a multi-tenant environment

Increased cost efficiencies while reducing TCO by deploying virtual infrastructures

Familiar platform that provides transit VPC and transport connectivity between AWS and on-premises data centers

Page 39: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

Thank you

Page 40: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

Additional Resources

Page 41: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

Additional Resources

CSR 1000V Landing Page & Free Trial: https://aws.amazon.com/mp/sellers/cisco/

CSR 1000V Deployment Guide for AWS: http://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/aws/csraws/awsinstall.html

CSR 1000V Product Management Mailing [email protected]

Cisco CSR 1000V Team: Fan Yang - [email protected]; Tony Banuelos - [email protected]

Page 42: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

Transit VPC Resources

AWS Marketplace Link: https://aws.amazon.com/marketplace/pp/B01IAFXXVO

Transit VPC Deployment Guide: https://docs.aws.amazon.com/solutions/latest/cisco-based-transit-vpc/welcome.html

Transit VPC Overview: https://aws.amazon.com/answers/transit-vpc/

DEMO: https://www.youtube.com/watch?v=7ZB_luipmBA

Page 43: Cisco CSR 1000v: Securely Extend your Apps to the Cloud

Q & A