2025-01-16 Update From: SLTechnology News&Howtos, Shulou (Shulou.com) 06/01 Report
Problems and Challenges of Hybrid Cloud Networking
Enterprise cloud usage continues to grow, and hybrid cloud architectures have evolved over time. How does a hybrid cloud architecture address the need for connectivity?
1.1 Multi-cloud networking
A common networking scheme is a user-built IPSec gateway that links sites over encrypted tunnels. It brings the following problems:
1) Complex configuration and high maintenance cost
For example, to connect VPC resources in Alibaba Cloud Beijing to a VPC in AWS Singapore, we usually use VPN software, but implementing a different deployment workflow on each cloud service provider through cumbersome CLIs means too much effort is spent on infrastructure.
2) The network structure becomes bloated and loses flexibility.
The business requires applications to be published faster. Patching together multiple connection methods bloats the network architecture and increases complexity, so speed and agility become difficult to achieve.
1.2 Enterprise and cloud networking
A common networking solution is a cloud dedicated line. It also raises the following problems:
1) Subject to service-provider constraints; network changes are required.
For example, to connect VPC infrastructure in Alibaba Cloud Beijing and Tencent Cloud Shenzhen to a data center in Beijing, a cloud dedicated-line connection depends on the service provider and requires access equipment to be deployed on the user side, so a network change takes days or weeks. Because the dedicated-line provider, the carrier and the cloud service provider must all cooperate, there are usually restrictions on resource coordination and route selection.
2) High networking cost limits enterprise connectivity.
Cloud dedicated lines cost hundreds of thousands of dollars a year. Start-ups do not have the resources of large enterprises, and such high expenditure clearly does not meet their needs.
1.3 Client Remote Access
A common networking scheme is OpenVPN. It also raises the following problems:
1) In a multi-user, multi-VPC environment, certificate management is cumbersome.
Deploying an OpenVPN server in every VPC makes certificate management cumbersome. With more than 10 users and multiple VPCs, managing client certificates and maintaining OpenVPN configuration becomes a significant challenge.
2) A client must be installed.
For most technicians OpenVPN presents no barrier, but the access system may need to be opened to non-technical users, for example sales staff using IPSec to reach a CRM on the intranet. The need to install a client increases the difficulty of implementation.
Hybrid cloud networking implementation ideas
How can we reduce network changes, build networks quickly and cost-effectively, and simplify the creation, deletion and management of IPSec tunnels? We have developed an automated implementation.
As the figure shows, we follow SDN software architecture design and abstract the VPN gateway into logical layers to achieve centralized management.
2.1 Components of the Networking Automation Solution
1) IPSec container
Runs on a host in the VPC or on the user-side network;
Processes IPSec tunnel (IPSec-encrypted) traffic;
Connects to the controller via WebSocket.
2) Controller
Creates, deletes and manages the specified tunnels through a RESTful API;
Completes the VPC routing configuration through the cloud service provider's network API;
Communicates with the Web Client via a RESTful API.
3) Web Client
Tunnel management;
User management;
Data visualization.
The connection relationship between the components is as follows:
2.2 Process and Implementation of Peering Connection
1) The user clicks the networks to be interconnected in the management interface, and the Web Client sends a connection-creation request to the controller. The controller delivers the IPSec configuration to the specified IPSec container and adds a route entry for the peer network to the VPC routing table. Once the configuration is complete, the tunnel is brought up and the networks at both ends are interconnected.
2) If the CIDR blocks of the two VPCs conflict, the CIDR of the specified connection can be modified through the management interface. The Web Client sends a CIDR-modification request to the controller; the controller delivers the new IPSec configuration to the IPSec container and updates the VPC routing entry at the same time. When this is done, the tunnel is brought back up.
3) Through the interface, all IPSec containers and tunnels can be managed centrally. If the network environment changes, for example the public IP of the cloud virtual machine changes, the monitoring service notifies the container to automatically update the IPSec configuration, update the VPC routing entry, and bring the tunnel back up.
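The three steps above, modelled as an added example of the controller's decision logic (this is illustrative code written for this article, not Accesshub's own; it assumes strongSwan swanctl.conf syntax for the pushed configuration and returns the VPC route as a plain dict instead of calling a cloud provider API):

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Endpoint:
    name: str        # label shown in the management interface, e.g. "aliyun-beijing"
    public_ip: str   # public IP of the host running the IPSec container
    host_ip: str     # that host's private address in the VPC (route next hop)
    cidr: str        # the VPC's CIDR block


def cidr_conflict(a: Endpoint, b: Endpoint) -> bool:
    """Step 2: peering cannot proceed while the two VPC CIDRs overlap."""
    return ipaddress.ip_network(a.cidr).overlaps(ipaddress.ip_network(b.cidr))


def route_entry(local: Endpoint, remote: Endpoint) -> dict:
    """Step 1: the entry the controller adds to the local VPC routing table
    (via the cloud provider's network API; here just returned as data)."""
    return {"vpc": local.name, "destination": remote.cidr, "next_hop": local.host_ip}


def render_ipsec_config(local: Endpoint, remote: Endpoint, psk: str) -> str:
    """Step 1: the tunnel configuration pushed to the local IPSec container.
    swanctl.conf syntax is an assumption; the article does not name the daemon."""
    if cidr_conflict(local, remote):
        raise ValueError(f"CIDR conflict: {local.cidr} overlaps {remote.cidr}")
    conn = f"{local.name}-to-{remote.name}"
    return "\n".join([
        "connections {",
        f"  {conn} {{",
        f"    local_addrs = {local.public_ip}",
        f"    remote_addrs = {remote.public_ip}",
        "    local { auth = psk }",
        "    remote { auth = psk }",
        "    children {",
        f"      net {{ local_ts = {local.cidr}  remote_ts = {remote.cidr}  start_action = start }}",
        "    }",
        "  }",
        "}",
        "secrets {",
        f'  ike-{conn} {{ id = {remote.public_ip}  secret = "{psk}" }}',
        "}",
    ])


def reconcile(local: Endpoint, remote: Endpoint, psk: str, **changes):
    """Steps 2 and 3: after the peer's CIDR (conflict fix) or public IP (host
    re-addressed) changes, re-render what the controller must push: the new
    peer record, the new IPSec config, and the updated VPC route."""
    remote = replace(remote, **changes)
    return remote, render_ipsec_config(local, remote, psk), route_entry(local, remote)
```

The same reconcile path serves both the operator-driven CIDR change and the monitor-driven public IP change, which is what lets the tunnel be re-pulled without manual CLI work.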
This is how the system works. From this we can see that the system solves the problems of the traditional connection methods well:
1) The controller completes the IPSec connection configuration through the IPSec container's API and the VPC routing configuration through the cloud service provider's network API, so the whole process is automated. The advantage of this design is that it removes the complexity: no network engineer is required, and anyone can operate it.
2) For interconnection between the user-side network and the cloud network, the IPSec container running on the user-side host initiates the IPSec connection to the IPSec container running in the cloud network. This design avoids modifying the enterprise network and reduces dependence on hardware devices. Because no ports need to be opened on the enterprise side, it adapts to mainstream Internet access methods such as direct routing, NAT and proxies.
3) Containerized deployment softens the enterprise boundary: there is no need to deploy CPE equipment on the user-side network or to configure public cloud border routers. Thanks to the centralized-management, distributed-operation design, it meets the requirements of operation from anywhere and sustainable upgrades.
2.3 The Process and Implementation of Remote Access of Client
1) Administrators can add users manually, or import users by inviting them to register, distributing the registration address and registration code to team members. A user completes account registration with an email address, password, mobile phone number and registration code. If you have an LDAP environment, you can also use the system's LDAP automatic synchronization function to connect to the LDAP server and update account information automatically and periodically.
2) After the account takes effect, users do not need to install a client; they connect directly with the native IPSec client of macOS, Windows, iOS, Android or Linux. The IPSec type is L2TP/IPSec with a pre-shared key.
3) If a password needs to be reset, the user can go to the Self-Service IT page and reset it themselves, just like resetting an email password.
The above is the flow of client access. From this we can see that the system solves the problems encountered with OpenVPN well:
1) Access uses a pre-shared key. This avoids maintaining client certificates and at the same time allows the operating system's native IPSec client to be used directly, without requiring users to install an additional IPSec client. The advantage is a lower threshold for use, easier implementation, and suitability for more application scenarios and more user groups.
2) A variety of user import methods are provided, so the system fits the enterprise's existing IT environment. Administrators can add users manually or import team members by inviting them to register, and accounts can also be updated automatically through the system's LDAP auto-sync feature.
3) Through the management interface, all IPSec containers and users can be managed centrally. Users are given self-service IT interfaces such as password reset and an access configuration guide, which reduces IT service cost because no administrator intervention is needed.
The value of automation networking
The IPSec networking automation solution solves several problems:
Fast networking: use the IPSec connectivity infrastructure to establish arbitrary interconnections between multiple clouds and between the enterprise and the cloud, connecting resources anywhere in minutes.
Fewer network changes: adapt to the existing network, with no hardware to deploy and no changes to the original network.
Simple to use: complexity is removed, manual CLI configuration is replaced by click-through operation, no network engineer is required, and anyone can set up a network.
Simple implementation: access uses the operating system's native clients, and no certificates need to be managed.
Improved efficiency: cloud service provider APIs are integrated to automate networking, so users can focus on their core business rather than infrastructure.
Reduced cost: features similar to a dedicated line are obtained over the inexpensive public Internet, saving 90% of network expenses.
Accesshub is a simplified hybrid cloud networking product for enterprises. The product address is www.accesshub.cn. Register to use it.