akyriako/blueprints
1
0
Fork 0
forked from docs/blueprints
Code Pull Requests Activity
blueprints/doc/source/caf/ready/network-planning.rst
Kyriakos Akriotis a8098045a7 - change typos in rst components
2023-11-30 12:20:52 +01:00

360 lines
17 KiB
ReStructuredText
Raw Blame History

Network Planning
^^^^^^^^^^^^^^^^
An enterprise migration to the cloud requires proper planning of the
network architecture. You need to review the current status of the data
center network and operational model and translate them as multi-account and network design plans on
the cloud (including VPCs, subnets, and communication between cloud and on-premises networks).
On-Premises Network Review
''''''''''''''''''''''''''
Review the current status of the on-premises data center network to plan
for the cloud account and networking.
- Functions and service bearing of each data center.
- Mapping between on-premises data centers and regions and AZs on the
cloud.
- Network architectures and partitions within and between data centers.
- Application system distribution and data flow between services.
Cloud Network Account Design
''''''''''''''''''''''''''''
Plan cloud accounts based on the network plan. There are three scenarios
to consider:
- **One account and one VPC**: Account management and O&M are easy as there
is a small team but security is low.
- **One account, multiple VPCs**: Account management is easy and there is
better security. The VPCs are designed for different functions and
have different access control rules.
- **Multiple accounts or primary account and sub-accounts, multiple VPCs**:
Account management is more challenging as there is a large team with
multiple branches and complex services, and meeting security
requirements can be challenging too. If multiple VPCs are deployed in
the same region, enterprise router should be used to connect them. If
multiple VPCs are deployed in different regions, you can use Cloud
Connect.
The first and second scenarios are *simple*. They mainly involve VPC and
subnet planning. For details, see section "Cloud Networking
Planning and Design". **The following section will be focused on the third
scenario**.
The following figure shows a multiple account, multiple VPC network
architecture.
|
.. image:: ../../assets/caf/image15.png
|
At the core of this architecture is the *network operations account*,
which serves as a hub to connect different accounts. Its enterprise
router allows communication between resources of different accounts. The
enterprise router lets you configure routes to determine which VPCs can
communicate with each other.
A large service system usually has independent sub-accounts. You are
advised to create three VPCs:
- a production VPC
- a development VPC
- and a test VPC
These VPCs are kept isolated from each other for the
service system. Each VPC must have *at least two subnets*: an
application subnet and a data subnet. These correspond to,
respectively, the application layer and data layer of the service
system. Network ACLs are then used for access control between
subnets. Resources such as ECSs, DCS instances, and RDS instances can
be added to security groups for instance-level access control based
on security group rules. Application clusters of service systems can
be deployed across AZs to ensure high availability at the application
layer. The active/standby database clusters and DCS clusters across
AZs on Open Telekom Cloud are used to ensure high availability at the data
layer.
.. image:: ../../assets/caf/image16.png
.. note::
It is a best practice to create an enterprise project for each
small-scale service system, associate the resources of each system in
the production, development, and test VPCs with the same enterprise
project or tag, and perform cost collection and fine-grained
authorization based on the enterprise project or tags.
Cloud Networking Planning and Design
''''''''''''''''''''''''''''''''''''
.. image:: ../../assets/caf/image10.png
VPCs and Subnets
****************
VPC is a virtual private cloud. It is a logical isolated environment that all the networking components
live, e.g. subnets, security groups, routing tables, gateways etc.
VPCs
````
- Each VPC can have **up to** 5,000 IP addresses.
- VPCs are isolated by default. Enterprise routers can be used to allow communication between VPCs.
- There are O&M VPCs, DMZ VPCs, and service VPCs. Different VPCs are connected through enterprise routers.
- Each service VPC belongs to an independent service system or a department. Service systems or departments that do not need to access each other are deployed in different VPCs.
- VPCs can be deployed across AZs. Services can be deployed in such VPCs for high availability.
- By default, the production VPC is isolated from the development and test VPCs and no VPC peering connection is established. You are advised to use OBS for data transmission.
Subnets
```````
- Enterprise subnets must be planned to prevent them from overlapping
with each other.
- Subnets in the same VPC cannot overlap. Subnets in VPCs that need to
communicate cannot overlap.
- Different service systems should be deployed in different subnets.
You can use network ACLs to control access between subnets.
- Different subnets should be used for application deployment and data
storage. By default, data subnets can only be accessed by application
subnets. Application subnets can be accessed by other subnets or from
the Internet if required.
- O&M subnets allow access from other subnets if needed.
Internet communication on the cloud
***********************************
**Solution 1:** With WAF for web service protection
.. image:: ../../assets/caf/image19.png
#. Enable Anti-DDoS for EIPs for traffic scrubbing. If the traffic is heavy, use Advanced Anti-DDoS.
#. Configure the CNAME in DNS to redirect domain names to WAF.
#. Use WAF to protect the web domain names and then redirect traffic to ELB.
#. Use an ELB whitelist to allow access only from the WAF IP addresses.
#. Use the security group of ECSs in the application subnet to allow access only from specific IP address ranges over specific ports.
#. Use the network ACL of the application subnet to allow communication with only WAF IP addresses and the database subnet.
#. Use the network ACL of the database subnet to allow access only from the application subnet to the database IP address and port.
#. Use the security group of the database to restrict the ports and IP address ranges that it can access.
#. Host security and database security are alternative services.
**Solution 2:** Without WAF for web service protection
.. image:: ../../assets/caf/image20.png
#. Enable Anti-DDoS for EIPs for traffic scrubbing. If the traffic is heavy, use Advanced Anti-DDoS.
#. Configure the DNS to resolve the domain name to the EIP of the ELB.
#. (Optional) Use an ELB whitelist and blacklist to allow access only from specific IP address ranges.
#. Use the security group of ECSs in the application subnet to allow access only from specific IP address ranges over specific ports.
#. Use the network ACL of the application subnet to allow communication with only the database subnet.
#. Use the network ACL of the database subnet to allow access only from the application subnet to the database IP address and port.
#. Use the security group of the database to restrict the ports and IP address ranges that it can access.
#. Host security and database security are alternative services.
Cloud O&M network
*****************
.. image:: ../../assets/caf/image21.png
#. Enterprise maintenance personnel can access the enterprise internal
network through the public O&M VPC and then perform O&M on cloud
resources through the CBH.
#. The public O&M VPC communicates with other VPCs through the
enterprise router. Network ACLs are configured to allow on-premises
subnets to access only the subnets that provide services externally
on the cloud. All instances are maintained only through the O&M subnet.
#. The network ACL and security group of the O&M subnet allow access only from specific on-premises subnets.
#. Each VPC uses a network ACL to allow communication with the O&M subnet on specific ports.
#. All maintenance operations must be performed on the CBH. The operation processes are recorded and can be audited.
Cloud and on-premises network communication
*******************************************
The following table compares the services that can be used to connect
cloud and on-premises networks. You can select one based on your
requirements.
+----------+------------+-------------+-------------+------------------+
| Co | | Direct | VPN | SD-WAN Network |
| mparison | | Connect | | |
| Item | | | | |
+==========+============+=============+=============+==================+
| Arch | Network | High, | Low, no | Medium |
| itecture | quality | guaranteed | guaranteed | |
| | | SLA | SLA | The Internet is |
| | | | | connected to the |
| | | | | nearest POP |
| | | | | ( |
| | | | | active/standby). |
| | | | | Direct Connect |
| | | | | uses the |
| | | | | backbone network |
| | | | | and ensures the |
| | | | | network SLA on |
| | | | | OTC. |
+----------+------------+-------------+-------------+------------------+
| | Network | Low, billed | High, | Medium, billed |
| | f | annually, | pay-per-use | annually, |
| | lexibility | bandwidth | billing, | bandwidth can be |
| | | not easy to | can be | flexibly |
| | | adjust | adjusted at | adjusted |
| | | | any time | |
+----------+------------+-------------+-------------+------------------+
| | Hardware | Universal | Universal | Independently |
| | dependency | router | VPN device | purchased SD-WAN |
| | | | | devices |
+----------+------------+-------------+-------------+------------------+
| | Extended | None | None | Security and |
| | services | | | acceleration |
| | | | | services |
+----------+------------+-------------+-------------+------------------+
| Cost | Line | High, 10X | Low, 1X | Medium, 3X |
+----------+------------+-------------+-------------+------------------+
| | Time | Months | Hours | Days (including |
| | required | | | equipment |
| | | | | delivery) |
+----------+------------+-------------+-------------+------------------+
| | M | P | P | No professional |
| | aintenance | rofessional | rofessional | maintenance |
| | | maintenance | maintenance | personnel |
| | | personnel, | personnel, | required, easy |
| | | no unified | no unified | on-premises |
| | | management | management | configuration, |
| | | | | unified cloud |
| | | | | management, and |
| | | | | guaranteed |
| | | | | network quality |
+----------+------------+-------------+-------------+------------------+
Connect networks of on-premises data centers, campus, branches, and mobile offices to Open Telekom Cloud
********************************************************************************************************
.. image:: ../../assets/caf/image22.png
On-premise data center/campus
`````````````````````````````
The on-premises data center or campus
is connected to Open Telekom Cloud securely and reliably, can access the
Internet through the resources on the cloud to reduce costs, and can
directly use public cloud services through the private network.
**Solution 1:** Use Direct Connect (one or two private lines) to connect
to Open Telekom Cloud public O&M VPC.
**Solution 2:** Use IPsec VPN to connect to Open Telekom Cloud public O&M VPC.
Branches
````````
An enterprise with multiple branches needs to connect each
of its branch networks to Open Telekom Cloud in a secure and low-latency way.
**Solution 1:** Use IPsec VPN to connect to Open Telekom Cloud public O&M VPC.
**Solution 2:** Use the VPN or the Direct Connect connection of the
on-premises data center or campus to connect to Open Telekom Cloud public O&M
VPC.
Mobile offices or stores
````````````````````````
An enterprise may have many offline stores
or branches. Business systems such as mobile POS systems need to
interact with cloud systems (such as ERP) in real time and require
robust encryption and low network latency. The security and stability of
a public network cannot be guaranteed, and Direct Connect is an
expensive solution.
**Solution 1:** Use an SSL VPN to connect to a Open Telekom Cloud public O&M
VPC.
**Solution 2:** Use the VPN or Direct Connect of the on-premises data
center or campus to connect to Open Telekom Cloud public O&M VPC.
Migration of on-premises servers to the cloud without IP address changes
````````````````````````````````````````````````````````````````````````
Sometimes, to ensure service continuity, the customer does
not want to change the IP addresses of their systems after the
systems are migrated to the cloud.
**Solution:** T-Systems provides L2CG to allow cloud and on-premises
networks to communicate at Layer 2. Migration can be performed on an IP
address basis and IP addresses can remain unchanged to ensure that
services are not affected during the migration.
.. image:: ../../assets/caf/image23.png
On-premises data center access through the private network
``````````````````````````````````````````````````````````
Instead of using an Internet connection, enterprise users access
cloud services (such as OBS, SWR, and API Gateway) directly over a
private network.
**Solution:** After an on-premises data center connects to Open Telekom Cloud
through Direct Connect or VPN, the data center can access cloud services
through the private network using VPC endpoint, which is secure,
efficient, and cost-effective.
.. image:: ../../assets/caf/image24.png
On-premises data center accessing the Internet through Open Telekom Cloud
`````````````````````````````````````````````````````````````````````````
If the public network used by the data center is of poor
quality and expensive, the data center can be connected to Open Telekom
Cloud through Direct Connect. Then it can use the resources on the
cloud to access the Internet, both reducing costs and improving the
quality of their public network access.
**Solution 1:** With Direct Connect and DNAT, on-premises and cloud
networks share a public network egress.
**Solution 2:** With Direct Connect and SNAT, campus offices share the
cloud public network egress for Internet access.
.. image:: ../../assets/caf/image25.png
Overlapping IP address ranges
`````````````````````````````
Suppose the departments of an
enterprise use overlapping subnets. The enterprise has decided to
migrate to the cloud, but they want to keep the subnets unchanged,
and they need them to be able to communicate with each other after
they are migrated.
**Solution:** Open Telekom Cloud provides private NAT gateways for private IP
address mapping. As shown in the following figure, you can create a
transit VPC and use a private NAT gateway to convert the IP address of a
service department. IP address 192.168.0.3, of the service department,
is mapped to 10.0.0.33, and 192.168.0.3, of the security department, is
mapped to 10.0.0.22. In this way, the two departments can communicate
with each other even though their subnets overlap.
.. image:: ../../assets/caf/image26.png
Cloud and on-premises load balancing
````````````````````````````````````
In this scenario, some
services are still in the on-premises equipment room and use ELB on
the cloud to provide services for external systems. Cloud resources
supplement the data center capacity to handle traffic peaks.
**Solution:** Use ELB to distribute traffic requests for both cloud and
on-premises resources.
.. image:: ../../assets/caf/image27.png
.. toctree::
:maxdepth: 1
View Git Blame Copy Permalink