CCNA Routing and Switching exam has this topic in the blueprint, which I will try to cover in this blog post:
1.4 Describe the effects of cloud resources on enterprise network architecture
• 1.4.a Traffic path to internal and external cloud services
• 1.4.b Virtual services
• 1.4.c Basic virtual network infrastructure
What is a cloud service or resource?
There are many definitions of the term. Many of them refer to public clouds reachable over the Internet. For example, AWS, Microsoft Azure, or Google Cloud Platform. It is often opposed to on-premises private infrastructure. However, cloud service can be private if it has characteristics of public clouds, such as self-service and automation of infrastructure provisioning.
The hybrid cloud combines the benefits of private and public clouds. It provides more control when it is required and at the same time elasticity of public cloud can be utilized. Cisco and other vendors have orchestration platform products for managing and operating hybrid clouds.
There are 3 cloud service models:
- Infrastructure As A Service (IAAS). In this model cloud service provider manages hardware, networking, and storage. A customer gets access to virtual machines, firewalls, and load balancers. High availability and required scaling need to be implemented by the consumer. The examples of IAAS are Amazon Web Services and Microsoft Azure.
- Platform As A Service (PAAS). Compared to IAAS, this model provides access to the application development environment, while operating system level configuration, database management, and development tools are maintained by the provider. Examples are Azure Cloud Services and AWS Elastic Beanstalk.
- Software As A Service (SAAS). In this model, you pay for application access that is hosted in the cloud. The example of such service is SalesForce and Office 365.
How to establish connectivity?
Traffic path to cloud services is either based on IPSec VPN over the Internet or dedicated private link to the cloud provider data centers. IPSec connection is build using a VPN gateway construct at a public cloud. Tunnels can be configured either as policy-based or route-based. Route-based tunnels provide more flexibility, as networks on both sides of the connection don’t have to be statically configured. BGP can be used over these tunnels to dynamically exchange the reachability information.
Dedicated links provide a direct path into the cloud infrastructure and come with higher speeds and availability SLAs. Microsoft Azure’s product is called ExpressRoute, AWS’s – Direct Connect, and Google Cloud’s are Interconnect. Link speeds across all 3 clouds are either 1Gbps or 10Gbps. There are options of connecting directly to the data center location if a customer has a presence in one of such locations or using one of the published partners.
This connection can be used to get access to your cloud resources, such as VMs, as well as to public resources, such as Office 365, which usually refers to as peering. Public peering has additional requirements of having public BGP AS number and range of public IP addresses that will be advertised.
Basic virtual network infrastructure
Virtualization in networking has many forms. The word virtual is being prepended to many technologies and I will try to provide some overview for the exam preparation below.
Virtualization as a mean to segregate networks
VLAN (Virtual LAN) is used to separate a group of switch ports on Layer 2. Without this feature, a dedicated switch would be required for every Layer 2 domain.
VRF (Virtual Routing and Forwarding) provides separation on Layer 3. On a router, every Layer 3 interface can reach any other Layer 3 interfaces, as well as network reachable through them as there is a single routing table. This changes with VRF. Every VRF gets its own dedicated set of interfaces and corresponding routing tables. The interface on a single VRF cannot directly reach another VRF thus providing segregation.
Both VLANs and VRFs provide isolation of data and control plane, however, there is a still common management plane of the device. Virtual Device Context is the feature of Nexus 7000 and 7700 switches. A single device can be split into multiple contexts. Each of the contexts has its own configuration and can be managed independently. A similar feature was available in ASA firewalls.
Virtualization of networking devices by running them as virtual machines
With the advancement in compute virtualization platforms, many network devices now can be deployed as a virtual machine. The examples are Nexus 1000V switches, CSR routers, and Firepower Threat Defense security appliances. These devices can be launched on-premise and in the public cloud.
Virtualization as a mean of creating a network topology on top of the other network
Virtual Private Network is an example of a network created on top of the public network, such as the Internet. Tunneling is based on gateway-to-gateway communication, so the transport network is not aware of the existence of networks on the LAN side of the gateways. These gateways create so-called overlay networks and the transport is called underlay.
One of the most common use cases of MPLS is VPN. As a customer, you may not be aware, but multi-tenancy within the service provider is achieved by having an overlay for each tenant.
Data centers are built using technologies, such as VXLAN (Virtual Extensible LAN) which is another form of tunneling and virtualization.
Virtualization in having multiple devices to behave as a single one
Virtual Port Channel (VPC) is a data center technology that makes a pair of Nexus switches to appear as a single device for building port channels. See this article for an overview of how VPCs operate and configured.
Cisco ACI (Application Centric Infrastructure) is a data center fabric that utilizes many of virtualization concepts discussed so far. It uses VXLAN overlays and has a centralized control plane called APIC (Application Policy Infrastructure Controller). With ACI, an administrator doesn’t have to perform device-based configuration via CLI. Network-wide policies and profiles are translated by APIC and pushed to the devices.