Today, most enterprises have moved beyond a “one cloud fits all” approach and are using more than one cloud to meet requirements such as disaster recovery, data backup, application resiliency, and global coverage. In fact, according to the Flexera 2020 State of the Cloud Report, “93 percent of enterprises have a multi-cloud strategy” while “87 percent have a hybrid cloud strategy.” On average, enterprises use 2.2 public and 2.2 private clouds, and cloud adoption is continuing to accelerate.
However, managing and securing different private and public cloud workloads and environments isn’t as easy as you might hope. Despite its many benefits, multi-cloud adoption adds extra layers of management complexity, especially when cloud services are added in an ad hoc manner rather than being planned. This complexity creates management and operational challenges and increases operational costs. Even worse, few IT teams have the expertise to manage a mixed deployment of multiple public cloud, private cloud, and on-premises environments.
Many organizations connect their clouds using their on-premises data center WAN edge, which is secure but inhibits multi-cloud capabilities. This approach also can lead to increased deployment complexity, inconsistent network performance, and expensive connectivity.
A New Approach to Overcoming Multi-cloud Security Challenges
As enterprises continue to expand across multiple Infrastructure-as-a-Service (IaaS) cloud providers, their networking and security architectures must evolve to an approach that offers a consistent way to connect their applications. When deploying applications across multiple IaaS clouds, organizations need solutions that streamline operations and reduce their cybersecurity risks.
Software-defined wide-area networking (SD-WAN) can help facilitate the adoption of multi-cloud deployments while simplifying WAN infrastructure and reducing connectivity costs. But to be successful, SD-WAN needs to be kept secure. Secure SD-WAN, a unique approach that weaves security and networking function into a unified solution, provides three key elements for securing multi-cloud environments.
1. Common Framework
One of the challenges for multi-cloud deployments is that public cloud providers have different proprietary architectures built on frameworks, application programming interfaces (APIs), and toolsets that are specific to each one.
Enterprises need a common networking and security policy and enforcement framework, and the right multi-cloud solution will provide a networking and security architecture that spans across clouds. It uses the native features and functions of each cloud, abstracts that functionality with APIs, and then manages these connections dynamically using automation. Automating the deployment of a consistent overlay network that spans multiple cloud networks in this way reduces complexity and saves both time and resources – plus this helps build flexibility to grow and expand cloud deployments as an organization’s needs change. Secure SD-WAN enables organizations to apply consistent security across even the most complex and distributed multi-cloud environments, user to cloud, data center to cloud, and cloud to cloud.
2. Application Awareness
The underlying transport mechanisms in the networking technologies used to connect multiple clouds aren’t aware of the different types of applications running on those clouds. To deliver consistent performance for an organization’s critical applications, and to maximize the use of available resources, the network needs to be application-aware. A Secure SD-WAN solution provides awareness of network conditions and capacity, the ability to control unimportant traffic and optimize business-critical applications, and an understanding of the impact on the end-user experience, all of which help improve performance and optimize costs.
3. Integrated Architecture
If networking and security are separated, multi-cloud deployments won’t be able to reach their full performance potential because each layer tends to use different technologies from different vendors that can’t see or talk to each other. This approach can cause gaps in coverage, which makes the entire environment vulnerable to attacks. An integrated networking and security architecture is needed for both effectiveness and efficiency. A unified Secure SD-WAN solution provides central oversight, coordinated enforcement, and integrated communications between the networking and security layers to close gaps and significantly reduce the potential for attacks.
The techniques an integrated architecture uses include intelligent deep packet inspection and segmentation of the network traffic that flows between applications and workloads across the multiple clouds. It also enables security to be seamlessly integrated with the network layer using a variety of strategies: leveraging cloud-native constructs such as security groups, adding advanced security such as firewall and intrusion prevention systems, and tying security to connectivity to ensure seamless protection and real-time inspection of encrypted traffic moving to, across, and between clouds.
Create a Seamless Security Architecture Through Multi-cloud Security
As more enterprises embrace multi-cloud, they need solutions that are designed to secure and connect their complex environments under a unified security fabric. Multi-cloud deployments often suffer from lack of visibility, disjointed management tools, and security issues. An effective SD-WAN solution can provide an application-aware network infrastructure that spans multiple cloud environments. A uniform policy-defined infrastructure reduces inconsistency while simplifying management and reducing costs. By enabling Secure SD-WAN across multiple clouds and regions, application developers and enterprise IT can build a high-speed and seamless cloud-to-cloud network and security architecture.
Learn how Fortinet’s adaptive cloud security solutions provide increased visibility and control across cloud infrastructures, enabling secure applications and connectivity from data center to cloud.
The blog was originally published on Fortinet’s website. It has been used here with permission from the provider.
In a previous blog on Getting Started with Modern Data Center Fabrics, we discussed the common modern DC architecture of an IP fabric to provide base connectivity, overlaid with EVPN-VXLAN to provide end-to-end networking. Before rolling out your new fabric, you will design your overlay. In this blog, we discuss the Collapsed Spine/Core architecture.
QuickStart – Get Hands-on
For those who prefer to “Try first, read later”, head to Juniper vLabs, a (free!) web-based lab environment that you can access any time to try Juniper products and features in a sandbox-type environment. Among its many offerings is an IP Fabric with EVPN-VXLAN topology. While this sandbox does not support the collapsed spine architecture, it does include a data center setup pre-built with an edge-routed bridging architecture. Each fabric is built using vQFX virtual switching devices, and the sandbox includes HealthBot, Juniper’s network health and diagnostic platform.
Simply register for an account, log in, check out the IP Fabric with EVPN-VXLAN topology details page and you are on your way. You’ll be in a protected environment, so feel free to explore and mess around with the setup. Worried you’ll break it? Don’t be. You can tear down your work and start a new session any time.
What is a Collapsed Spine/Core Architecture?
Unlike the full EVPN-VXLAN architectures we have discussed in recent blogs, including Bridged Overlay, Centrally-routed Bridging (CRB) and Edge-routed Bridging (ERB), the collapsed spine takes a hybrid approach.
In a data center context, a collapsed spine architecture has no leaf layer. The EVPN-VXLAN overlay functionality that normally runs on spine and leaf fabric is collapsed into only the spine devices. In a campus context, this model is called a collapsed core architecture, as it takes the normal three-tier hierarchical network and collapses the core and distribution layers into a single combined layer.
As shown below, with a collapsed spine/core architecture the spine devices run EVPN-VXLAN and perform inter-V(X)LAN routing. They can use EVPN multihoming to provide resiliency for the access layer. The access devices remain in their original role as Layer 2 top-of-rack (ToR) switches. These devices can be standalone or grouped in a Virtual Chassis and run LAG interfaces upstream to the spine devices as well as downstream to provide resiliency for the servers. For traffic leaving the data center, the spine switches typically act as a border gateway.
Why a Collapsed Spine/Core Architecture?
A leading reason to use the collapsed spine/core approach is when you want to modernize your network environment, but you want to take a phased or incremental approach. Rather than going all in on EVPN-VXLAN, you can start with just the spine layer. Once things are running smoothly, you can then convert the access devices to a leaf layer and complete the fabric.
Another case for using this approach is when you have older leaf devices that don’t support EVPN-VXLAN. The collapsed spine/core model allows you to gain the value of EVPN-VXLAN at the spine layer, while extending the life of existing legacy ToR devices.
Overall, the collapsed spine/core model is a good option for smaller DCs with mostly north-south traffic.
Implementing a Collapsed Spine/Core Overlay
In this architecture, only the spine devices require EVPN-VXLAN configuration. As described in a previous blog, Getting Started with Modern Data Center Fabrics, these elements include:
- BGP-based IP fabric as the underlay
- EVPN as the overlay control plane
- VXLAN as the overlay data plane
You will also want to set up EVPN multihoming on the interfaces towards the access devices.
Since a key aspect of this architecture is leaving the access layer as is, it may well require no additional configuration! The access devices should have the usual set of elements in place, including:
- LAG interfaces upstream toward the spine devices
- Interfaces (possibly LAGs) configured downstream to attached endpoints
- VLANs assigned as appropriate
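To show how the three overlay elements and the EVPN multihoming toward the access layer fit together on a single spine, here is an added Junos set-style configuration for one of two collapsed spines; it is an example written for this post, not Juniper’s own reference configuration, and all addresses, ASNs, VNIs, interface names and the ESI value are constructed placeholders.

```junos
## Constructed example: spine1 of a two-spine collapsed spine (IPs, ASNs, ESI are placeholders)

## Underlay: point-to-point link to spine2 and a loopback used as the VTEP source
set interfaces et-0/0/48 unit 0 family inet address 10.0.0.0/31
set interfaces lo0 unit 0 family inet address 192.168.0.1/32
set routing-options router-id 192.168.0.1
set routing-options autonomous-system 65001

## Underlay control plane: eBGP between the spines, advertising only the loopback range
set policy-options policy-statement EXPORT-LO0 term 1 from protocol direct
set policy-options policy-statement EXPORT-LO0 term 1 from route-filter 192.168.0.0/24 orlonger
set policy-options policy-statement EXPORT-LO0 term 1 then accept
set protocols bgp group UNDERLAY type external
set protocols bgp group UNDERLAY export EXPORT-LO0
set protocols bgp group UNDERLAY neighbor 10.0.0.1 peer-as 65002

## Overlay control plane: EVPN signaling over multihop eBGP between the loopbacks
set protocols bgp group OVERLAY type external
set protocols bgp group OVERLAY multihop no-nexthop-change
set protocols bgp group OVERLAY local-address 192.168.0.1
set protocols bgp group OVERLAY family evpn signaling
set protocols bgp group OVERLAY neighbor 192.168.0.2 peer-as 65002

## Overlay data plane: VXLAN encapsulation with lo0 as the VTEP
set protocols evpn encapsulation vxlan
set protocols evpn extended-vni-list all
set switch-options vtep-source-interface lo0.0
set switch-options route-distinguisher 192.168.0.1:1
set switch-options vrf-target target:65000:1

## VLAN 100 mapped to VNI 10100 and routed on the spine via an anycast gateway (inter-VXLAN routing)
set vlans V100 vlan-id 100
set vlans V100 vxlan vni 10100
set vlans V100 l3-interface irb.100
set interfaces irb unit 100 family inet address 10.1.100.2/24 virtual-gateway-address 10.1.100.1

## EVPN multihoming: ESI-LAG ae1 toward the unchanged Layer 2 access switch
set chassis aggregated-devices ethernet device-count 4
set interfaces et-0/0/1 ether-options 802.3ad ae1
set interfaces ae1 esi 00:01:01:01:01:01:01:01:01:01
set interfaces ae1 esi all-active
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1 aggregated-ether-options lacp system-id 00:00:00:00:00:01
set interfaces ae1 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae1 unit 0 family ethernet-switching vlan members V100
```

spine2 carries the mirror-image underlay and overlay addressing, the same ESI and LACP system-id on its ae1, and the same virtual-gateway-address, so the access switch sees one LAG partner and hosts see one default gateway regardless of which spine forwards.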
With that, we’ve covered the basics for using a collapsed spine/core overlay architecture. There are plenty of other details to consider, but this will get you started. We’ll discuss other architectures in a future blog. In the meantime…
To learn more, we have a range of resources available.
Read it – Whitepapers and Tech Docs:
- Collapsed Spine with EVPN Multihoming
- Collapsed Core with EVPN Multihoming
- IP Fabric EVPN-VXLAN Reference Architecture
Learn it – Take a training class:
- Juniper Networks Design – Data Center (JND-DC)
- Data Center Fabric with EVPN and VXLAN (ADCX)
- All-access Training Pass
Try it – Get Hands-on with Juniper vLabs
This blog was originally published on Juniper’s website. It has been used here with permission from the provider.