Many cloud service providers (CSP) provide SD-WAN services and virtual private cloud services at the same time. However, for enterprise IT applications that have gradually integrated with the public cloud architecture, how to plan and design the data flow of enterprise private network and public cloud load (especially virtual private cloud) is a detailed topic. It is easier to establish a transport layer security (TLS) access through enterprise private network, and also easier to share enterprise resources and sensitive information. However, with the introduction of SD-WAN, some data streams are transmitted in an open Internet environment, and traditional border security is also challenged to some extent.
The main idea of VPC (Virtual Private Cloud), which is led by Amazon public cloud operators, is to build the original physical network as the underlying network access, and build a virtual network on it to carry the business data of users. So as to solve the problem of isolation between users and the interaction of user services on the underlying bearer network. The VPC of some public cloud manufacturers is to strengthen the management and arrangement of internal traffic between cloud private networks and applications. Virtual private cloud builds an isolated, user independently configured and managed virtual network environment for elastic cloud servers, improves the security of users' resources on the cloud, and simplifies users' three-tier network deployment from physical architecture to cloud architecture. Virtual machines are migrated between physical servers. In order to avoid internal application address modification and routing confusion after virtual machine migration, the migration is usually carried out only in the layer-2 domain. Therefore, the cloud computing platform needs to have a network environment with higher performance and larger layer-2 domain to provide guarantee for migration.
The common problems of virtual private cloud sites in sd-wan deployment are as follows:
1. How to deploy SD-WAN's site gateway. CPE in traditional network has dedicated routing hardware to handle traffic forwarding on WAN side and LAN side. What is the CPE location adopted when SD-WAN network is connected with public cloud?
2. The mixing of Internet traffic of virtual private cloud and Intranet traffic of enterprises greatly improves the utilization rate of network exports, which poses a great challenge to the network carrying performance of data center and requires higher network reliability;
3. Multiple network applications are deployed on the same virtual server and run as a gateway, which makes the network traffic superimposed and the traffic model more uncontrollable. The gateway needs to have the recognition ability based on application characteristics.
4. Safety protection issues. Because the gateway of virtual private cloud needs to solve the protection problem of public address and disassemble the tunnel encapsulation of private network, the deployment of security strategy becomes complex. The security problem realized by computing power requires a dynamic mechanism to protect the data center.
First of all, most mainstream SD-WAN technology manufacturers have provided network function Virtualization (NFV) solutions, such as Versa Networks, VMware, Silver Peak, etc., and can support the deployment of mainstream public clouds (Amazon AWS, Azure, Alicloud, etc.). Whether the deployment of nonmainstream cloud service providers can support can be verified in advance. GoSDWAN's POC-as-a-Service service package can help customers implement this validation. However, the specific deployment form needs the assistance of certain professional knowledge. For example, the AWS image deployment of versa networks needs to be pushed by an AMI (Amazon machine image) manufacturer in advance, rather than from the default Linux system version. Only after fully realizing the cost of the entire implementation process and the cost of resources can effective network deployment planning be carried out. Among them, different SD-WAN schemes have different requirements for computing resource instances (Instance) as gateways, which usually need to be borne by customers. In the virtual private cloud gateway location, some manufacturers' schemes are not suitable. In this case, do we abandon the integration of SD-WAN and virtual private cloud? No, GoSDWAN sd wan service provider recommends the Cloud Bridge (Cloud Bridge), that is, through the direct physical connection with the public cloud, the private network traffic in the virtual private cloud can be drained out through the dedicated channel and then redeployed in the location of the external conditional docking SD-WAN gateway.
Secondly, one of the advantages of SD-WAN is to integrate link resources and improve the utilization of communication links. The merging of data streams allows customers to adapt to lower bandwidth price ladder to some extent. Because SD-WAN conceptually realizes the separation of control plane and data plane, the flow statistics and monitoring of data plane are collected and presented by SDN Controller. There is no need to develop additional network management function. Therefore, it is quite easy to solve the problem of flow report. SD-WAN service provider is required to provide relevant network management platform account. In addition, since the gateway on the virtual private cloud side is responsible for the entrance and exit of traffic, the high availability of its running state is very important. In order to avoid the problem of single point of failure (SPOFf), two virtual machines should be set to run the Cloud Gateway Instance in Active-Active mode.
Thirdly, the gateway of SD-WAN on the virtual private cloud side actually not only provides the function of connection and forwarding, but also includes more new features such as the acceleration of Office 365, Zoom, Google and other applications, and the internal protection of the distinction between Qos traffic and non essential traffic. Therefore, the gateway deployed by SD-WAN on the virtual private cloud boundary needs to have the recognition capability based on application characteristics. Traffic identification is to conduct in-depth analysis on the data packets of business applications from the data link layer to the application layer, and judge the business type, business status, business content and user behavior according to the parameters such as target, source, protocol type, port number, characteristic string and traffic behavior characteristics, and classify, count and store them. With the development of network, at present, many applications, especially the application of P2P protocol, will use dynamic random port or camouflage port, so that the recognition accuracy of port recognition method will be low or even invalid. In view of the shortcomings of this recognition method, the current industry mainly uses deep packet inspection technology and deep flow detection technology, especially the deep packet inspection technology can greatly enhance the accuracy of traffic identification. SD-WAN manufacturers need to summarize and sort out the new application features to form a sufficient number of traffic feature libraries, in order to better locate the classification application types, so as to meet the needs of business development. At present, the mainstream SD-WAN manufacturers have more than thousands of application types, and the number is increasing with the continuous improvement of knowledge discovery and mining capabilities. For users, this quantity is not the focus of purchase. The core is to confirm whether the application types involved can be effectively identified and marked.
Last but not all, the gateway of the virtual private cloud needs to have sufficient attack resistance. This defense capability comes from the combination of sufficiently deep functional features and high-speed forwarding performance. With the evolution of digital transformation, the enterprise network traffic structure has also changed from simple in the early stage to complex new network traffic structure. Most applications and protocols in traditional data flow use fixed typical ports, such as port 53 of DNS and port 80 of HTTP. Some common services can be confirmed directly according to the source port number or destination port number of data flow. Therefore, the security policy is set around the management of ports.
However, in addition to providing forwarding functions, the gateway of the virtual private cloud is also testing whether it can provide embedded security functions, such as state firewall or NGFW, anti DDOs, etc. the provision of these functions should not increase additional investment. In the future, the instances in the gateway should even have ATP (Advanced threat protection), SIEM (security information and Event Management), log management and other functions. In addition, in the high-speed forwarding process of Gbps, the encryption/decryption process should not become a bottleneck problem of IOPS.
The above view is only a summary of GoSDWAN's findings in business practice. The length of the article can not fully enumerate all the issues to be considered in the deployment of cloud gateway. However, customers can communicate with the GoSDWAN team to communicate with their actual difficulties.
