In several recent discussions about hybrid cloud deployments, the issue of flexibility in network configuration has come up. How do you address distributed site access, stringent security requirements, or simply the lack of company standard configurations when connecting to cloud provider networks?
Two of the largest cloud providers, Amazon Web Services (AWS) and Microsoft Azure, offer forms of secure connectivity to client premises including internet-based VPN and private circuits (AWS Direct Connect and Microsoft Azure ExpressRoute), and it’s often enough just to connect these to an existing MPLS network or primary datacenter. However, these options aren’t always sufficient. This is especially true when it comes to WAN architectures like fully meshed internet-based VPN, MPLS/VPN hybrid WANs (SD WAN), or when dealing with multiple cloud platforms. Here is where software-defined networking can make a major impact.
For example, a frequent obstacle I have encountered in hybrid cloud implementations is when a company uses an internet-based VPN WAN, such as DMVPN. The problem in this situation is that when trying to establish secure connections to AWS or Azure, without an MPLS network to provide fast, stable connections to multiple sites, a central site has to provide backhaul to the cloud provider for all company locations. Of course, this is a requirement under certain circumstances, but for many companies, it would be preferable to integrate the cloud virtual network resources into the VPN mesh.
Cisco’s Cloud Services Router
In situations like these, one compelling option we have recommended is Cisco’s Cloud Services Router (CSR) 1000v, a virtual router that runs on a variety of hypervisors and carries most of the features of an ASR 1000 series. For a couple of years now, this has been available on a variety of hypervisors, but more recently, Cisco has made the CSR 1000v available on AWS and Azure. With the CSR 1000v, a full Cisco IOS XE-based virtual router can connect to the DMVPN from Azure or AWS, allowing for the establishment of dynamic site-to-site VPN tunnels between the cloud provider and all connected company sites. This can provide many other benefits as well:
For third-party VPN connectivity (e.g. partners, clients, etc.), this alleviates the somewhat strict support requirements for Azure VPN gateways—notably, the lack of support for Cisco ASA devices with route-based gateways.
You can enable remote-access SSL VPN through the cloud environment for remote workers.
The organization’s standard network management toolkit can be extended to the cloud tenant which can be managed according to company policy.
To get started with the CSR 1000v, the virtual router can be deployed from either the AWS Marketplace or Azure Marketplace in a variety of different configurations. Looking at Azure as an example, we start with a template that creates a new resource group and walks through connecting to an existing virtual network or creating a new one. If we deploy to an existing virtual network, we will have to update the existing route tables.
Once the instance is up and running, you can begin setting up the device to suit your organization’s needs, adding items such as monitoring, logging, or routing protocol configuration. This can all be performed using the familiar Cisco IOS command line accessed over SSH. Other management options such as Cisco Prime and REST API are available depending on cloud image or hypervisor support.
There are a few limitations of the CSR 1000v on Azure compared to AWS. In Azure, deploying multiple instances for redundancy is not supported. The interfaces are limited to a single IP address, while multiple interface IPs are supported in AWS. Also, overlapping subnets in virtual networks are not supported, but this is possible in AWS Virtual Private Clouds (VPCs). Considering the Azure support is newer, I wouldn’t be surprised to see at least some of these things change in the near future, within the limits of each platform.
The Changing Network Landscape
Software-defined networking is poised to bring dramatic changes to the cloud, datacenter, and overall networking spaces, both in how network functions are designed and how quickly they are deployed. Cisco’s CSR 1000v is one example of this, and there are many more from other vendors such as Palo Alto Networks, F5, Check Point, etc. These virtual network functions will continue to advance as the landscape shifts more and more toward programmable, template-driven, platform-agnostic software—all with the result of increasing scalability and flexibility.
Is your business looking to move past limitations in hybrid cloud connectivity? Are you seeking greater agility in your network operations? Credera has helped many organizations assess and modernize their cloud and datacenter infrastructures to implement hybrid cloud. If you have questions or would like to discuss cloud and infrastructure services, contact us at firstname.lastname@example.org.