Cloud Network Well-architected Design Guidelines:Use a third-party SD-WAN appliance to connect branch networks to the cloud

Last Updated:Dec 18, 2025

Overview

Introduction

Many enterprises use SD-WAN technology to connect branch networks. As they adopt public cloud offerings, they also need to connect their SD-WAN networks to the networks in the cloud. To meet this goal, most enterprises use SD-WAN images provided by SD-WAN providers to install vCPEs on virtual machines in the cloud. This topic describes how to use a third-party SD-WAN appliance together with the existing cloud networking capabilities to connect branch networks to the cloud efficiently, securely, and reliably.

Terms

SD-WAN: SD-WAN is a wide area network that uses software-defined networking technology. It logically decouples the control plane and data plane, and centrally manages and controls these planes in order to conduct intelligent management and optimization for distributed networks.

Virtual Private Cloud (VPC): VPCs are private networks on Alibaba Cloud. You have full control over your VPC. For example, you can specify the CIDR block and configure route tables and gateways for your VPC. You can also deploy Alibaba Cloud resources, such as Elastic Compute Service (ECS) instances, ApsaraDB RDS instances, and Server Load Balancer (SLB) instances in your VPC.

Cloud Enterprise Network (CEN): CEN is a highly available network built on top of the global private network of Alibaba Cloud. CEN uses transit routers to establish cross-region connections between VPCs. This enables VPCs to communicate with data centers and establish flexible, reliable, and enterprise-class networks in the cloud.

Express Connect: Express Connect allows you to establish a fast, stable, secure, and private connection between your data center and a VPC. Express Connect circuits ensure secure data transmission, prevent network jitters, and reduce the potential for data breaches.

Design principles


Design highlights of the architecture:

  • Stability: The networking service carries internal business traffic, so the stability of connections in a hybrid cloud or multi-cloud network architecture is critical. If a connection is lost, communication between on-cloud and on-premises businesses is interrupted, which may make core businesses unavailable. Stability is therefore the first requirement of a reliable multi-cloud or hybrid cloud network architecture.

  • Security: A hybrid cloud or multi-cloud network architecture usually involves inter-network communication. The internal businesses also require different security levels. Inter-network communication for important businesses must be designed based on the controllability and least privilege principles in order to prevent data breaches and permission abuse.

  • Self-service: This solution involves the configuration and delivery of third-party SD-WAN networks, which increases the O&M engineer training cost. The efficiency of deployment, delivery, and maintenance of this solution in the cloud is important to the long-term adoption of SD-WAN appliances. Alibaba Cloud has worked closely with multiple partners and brands to provide service support for the delivery of third-party products on Alibaba Cloud.

Key design

Stability

Connection disaster recovery

Connections between branch networks and the cloud: The underlay network that connects branch networks to Alibaba Cloud must use lines leased from different ISPs to ensure high availability, for example Internet plus leased lines, 4G networks plus broadband, or China Telecom plus China Unicom. Disaster recovery relies on the connection switchover capability of the SD-WAN; contact your SD-WAN appliance provider to confirm the solution. To design an HA architecture that uses leased lines, refer to the high reliability mode of Express Connect.

Intra-region connections: Alibaba Cloud guarantees the high availability of data transmission across zones and VPCs within the same region. Redundant connections are created over optical fibers across zones within a region for high redundancy and failovers are completed within milliseconds.

Inter-region connections: Alibaba Cloud guarantees the high availability of cross-region connections created based on CEN. At least three cross-region lines are leased between every two nodes for primary/secondary failovers. Multi-plane network anomaly detection is used for optimal path selection to ensure that failovers are completed within seconds.

NE disaster recovery

Cloud networking

  • Cloud-native network elements (NEs): Express Connect Routers (ECRs) support cross-zone disaster recovery and also allow you to deploy multiple clusters in a single zone for disaster recovery. This prevents business interruptions caused by single points of failure. Transit routers support cross-zone disaster recovery. Transit routers can route traffic to elastic network interfaces (ENIs) in the nearest zone. When the ENI in the nearest zone is down, transit routers automatically route traffic to healthy ENIs in other zones. Each ENI is associated with multiple transit routers to prevent single points of failure.

  • Third-party SD-WAN NEs: We recommend that you deploy the third-party SD-WAN images across zones in a separate VPC. Connect the SD-WAN networks to transit routers through IPsec-VPN connections, use BGP to synchronize routes, and use BGP dynamic routing to implement auto failovers. Consult your SD-WAN appliance providers for the solution. For more information, see Connect a third-party SD-WAN appliance to a transit router to establish communication between data centers and VPCs.

Security

Configure a transit VPC

  • The transit VPC functions as a safe buffer for communication between on-cloud and on-premises networks. You can configure firewalls or intrusion detection systems in the transit VPC to monitor and filter traffic.

  • The transit VPC enables you to limit the users and devices that are allowed to access specific network resources in a fine-grained manner.

  • The transit VPC is ideal for monitoring and recording traffic forwarded between the on-cloud and on-premises networks.

Configure a security service chain

  • Use transit routers to route east-west traffic from SD-WAN networks to VPC firewalls or third-party firewalls for auditing.

  • When you use transit routers to set up a security service chain, choose the most specific routes.

Configure security groups and network ACLs properly: Create security groups and network ACLs to limit inbound and outbound VPC traffic. For example, you can configure security group rules for each instance or service to allow access only to the specified ports or over the specified protocols.
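As an added illustration of the default-deny evaluation that security group rules perform (example code written for this page, not Alibaba Cloud's own rule engine or API), the Go program below compares an over-broad inbound rule set with a least-privilege one for a web instance and includes a small audit check that flags rules open to 0.0.0.0/0 on more than one port. The 192.168.0.0/16 branch range, the client addresses and the rule comments are constructed values.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Rule is one inbound security group rule: allow Proto to ports [PortFrom, PortTo]
// from any address inside Source. There are no deny rules; anything unmatched is dropped.
type Rule struct {
	Proto    string
	PortFrom int
	PortTo   int
	Source   netip.Prefix
	Comment  string
}

// Flow is one inbound connection attempt to evaluate.
type Flow struct {
	Proto   string
	SrcIP   netip.Addr
	DstPort int
}

// Allowed applies default-deny: the flow passes only if some rule matches on
// protocol, destination port and source address.
func Allowed(rules []Rule, f Flow) bool {
	for _, r := range rules {
		if r.Proto != f.Proto {
			continue
		}
		if f.DstPort < r.PortFrom || f.DstPort > r.PortTo {
			continue
		}
		if !r.Source.Contains(f.SrcIP) {
			continue
		}
		return true
	}
	return false
}

// BroadRules is the over-permissive rule set: every TCP port from anywhere.
func BroadRules() []Rule {
	return []Rule{
		{Proto: "tcp", PortFrom: 1, PortTo: 65535, Source: netip.MustParsePrefix("0.0.0.0/0"), Comment: "all tcp from anywhere"},
	}
}

// StrictRules is the least-privilege rule set for a web instance: HTTPS from anywhere,
// SSH only from the constructed branch-network range carried by the SD-WAN tunnels.
func StrictRules() []Rule {
	return []Rule{
		{Proto: "tcp", PortFrom: 443, PortTo: 443, Source: netip.MustParsePrefix("0.0.0.0/0"), Comment: "https"},
		{Proto: "tcp", PortFrom: 22, PortTo: 22, Source: netip.MustParsePrefix("192.168.0.0/16"), Comment: "ssh from branch networks"},
	}
}

// WideOpenRules returns the comments of rules that allow more than one port from
// 0.0.0.0/0 (prefix length 0); a simple audit check to run before a rule set is applied.
func WideOpenRules(rules []Rule) []string {
	var found []string
	for _, r := range rules {
		if r.Source.Bits() == 0 && r.PortTo > r.PortFrom {
			found = append(found, r.Comment)
		}
	}
	return found
}

func main() {
	flows := []Flow{
		{"tcp", netip.MustParseAddr("203.0.113.7"), 443},  // Internet client to HTTPS
		{"tcp", netip.MustParseAddr("203.0.113.7"), 22},   // Internet client to SSH
		{"tcp", netip.MustParseAddr("192.168.10.20"), 22}, // branch admin to SSH
		{"tcp", netip.MustParseAddr("203.0.113.7"), 3306}, // Internet client to MySQL
	}
	for _, f := range flows {
		fmt.Printf("%s %s -> :%d  broad=%v strict=%v\n", f.Proto, f.SrcIP, f.DstPort,
			Allowed(BroadRules(), f), Allowed(StrictRules(), f))
	}
	fmt.Println("wide-open rules in broad set:", WideOpenRules(BroadRules()))
}
```

The same evaluation applies to network ACLs at the vSwitch level; the point is that every flow not explicitly listed is denied, so the rule set documents exactly which ports and source ranges an instance exposes.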

Performance

  • Encryption algorithms: In this solution, traffic passes through a large number of NEs from end to end, and IPsec-VPN is used to encrypt it. The encryption and decryption algorithms of the VPN affect the network latency and the maximum bandwidth of individual connections, so pay close attention to them if your businesses are sensitive to latency. If the bandwidth of the VPN gateway is 200 Mbit/s or higher, we recommend that you select the aes, aes192, or aes256 encryption algorithm. The 3des encryption algorithm is not recommended. aes is a symmetric-key encryption algorithm that provides high-strength encryption and decryption; it ensures secure data transmission and has minimal impact on network latency, throughput, and forwarding performance. 3des is a triple data encryption algorithm that degrades forwarding performance because it is computationally expensive.

  • Latency: In latency-sensitive scenarios, make sure that all network resources are deployed in the same zone. For more information, consult your Alibaba Cloud architect.

  • Bandwidth: In this solution, the total bandwidth for cloud migration depends on the bandwidth of the data egress of the on-premises networks, the bandwidth of the leased lines, the performance of the third-party SD-WAN networks, and the bandwidth of the IPsec-VPN connections. The bandwidth of an IPsec-VPN connection can reach up to 1,000 Mbit/s. If you require higher bandwidth and more IPsec-VPN connections for ECMP routing, contact your SD-WAN appliance providers to confirm whether BGP ECMP routing is supported. For more information about creating multiple IPsec-VPN connections for load balancing, see Create multiple IPsec-VPN connections over the Internet for load balancing.
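To make the aes versus 3des performance point concrete, the Go program below is an added example for this page (not Alibaba Cloud code and not a VPN gateway measurement): it encrypts the same payload in CBC mode with AES-128, AES-256 and three-key 3DES using only the Go standard library and reports the software throughput on the host it runs on. The keys are constructed constants for the benchmark; on a real tunnel the keys and IVs come from IKE. The block sizes reported are cipher facts (16 bytes for AES, 8 bytes for 3DES); absolute numbers depend on the CPU, but the ratio shows why 3des is not recommended on high-bandwidth gateways.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
	"time"
)

// CipherResult is the measured CBC encryption throughput for one algorithm.
type CipherResult struct {
	Name       string  // name as used in the VPN configuration ("aes", "aes256", "3des")
	BlockBytes int     // cipher block size in bytes (16 for AES, 8 for 3DES)
	MBPerSec   float64 // throughput measured in this process, not a gateway figure
}

// measure encrypts payload in CBC mode `rounds` times and returns the throughput.
func measure(name string, block cipher.Block, payload []byte, rounds int) CipherResult {
	// A zero IV is acceptable only because this is a throughput test; a real IPsec SA
	// uses a fresh IV per packet.
	iv := make([]byte, block.BlockSize())
	mode := cipher.NewCBCEncrypter(block, iv)
	out := make([]byte, len(payload))
	start := time.Now()
	for i := 0; i < rounds; i++ {
		mode.CryptBlocks(out, payload)
	}
	elapsed := time.Since(start).Seconds()
	totalMB := float64(len(payload)) * float64(rounds) / (1024 * 1024)
	return CipherResult{Name: name, BlockBytes: block.BlockSize(), MBPerSec: totalMB / elapsed}
}

// CompareAESvs3DES benchmarks aes (AES-128), aes256 and 3des on the same payload.
// Keys are constructed constants for the benchmark; real IPsec keys are negotiated by IKE.
func CompareAESvs3DES(payloadBytes, rounds int) ([]CipherResult, error) {
	if payloadBytes < 16 || rounds < 1 {
		return nil, fmt.Errorf("payload must be at least 16 bytes and rounds at least 1")
	}
	key128 := []byte("0123456789abcdef")                 // 16 bytes
	key256 := []byte("0123456789abcdef0123456789abcdef") // 32 bytes
	key3des := []byte("0123456789abcdef01234567")        // 24 bytes, three-key 3DES

	// Round the payload down to a multiple of 16 so it is valid for both block sizes.
	payload := make([]byte, payloadBytes-payloadBytes%16)
	for i := range payload {
		payload[i] = byte(i)
	}

	a128, err := aes.NewCipher(key128)
	if err != nil {
		return nil, err
	}
	a256, err := aes.NewCipher(key256)
	if err != nil {
		return nil, err
	}
	d3, err := des.NewTripleDESCipher(key3des)
	if err != nil {
		return nil, err
	}
	return []CipherResult{
		measure("aes", a128, payload, rounds),
		measure("aes256", a256, payload, rounds),
		measure("3des", d3, payload, rounds),
	}, nil
}

// ThroughputRatio returns how many times faster AES-128 was than 3DES in this run.
func ThroughputRatio(results []CipherResult) float64 {
	var aesMB, desMB float64
	for _, r := range results {
		switch r.Name {
		case "aes":
			aesMB = r.MBPerSec
		case "3des":
			desMB = r.MBPerSec
		}
	}
	if desMB == 0 {
		return 0
	}
	return aesMB / desMB
}

func main() {
	results, err := CompareAESvs3DES(1<<20, 8) // 1 MiB payload, 8 rounds
	if err != nil {
		panic(err)
	}
	for _, r := range results {
		fmt.Printf("%-7s block=%2d bytes  %8.1f MB/s\n", r.Name, r.BlockBytes, r.MBPerSec)
	}
	fmt.Printf("aes is %.1fx faster than 3des on this host\n", ThroughputRatio(results))
}
```

Run it on the instance class you intend to use for the SD-WAN image: the ratio you see there is the same penalty the tunnel pays per packet once the gateway, rather than the link, becomes the bottleneck.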

Resilience

This solution does not provide resilience by itself. The end-to-end connection resilience depends on the bandwidth of the data egress of the on-premises networks, the bandwidth of leased lines, and the performance of third-party SD-WAN networks. If you want to increase the total bandwidth, assess the performance of the connections, CPEs, and SD-WAN appliance.

Observability

Use Network Intelligence Service (NIS) and flow logs to monitor traffic in the cloud:

  • Intra-region traffic analysis: Analyze the traffic that passes through transit routers from VPCs to VPCs within the same region based on the flow logs of the VPCs and transit routers. The traffic data is displayed in the form of 1-tuple (instance), 2-tuples (cloud IP addresses and peer IP addresses), and 5-tuples (cloud IP addresses, cloud ports, protocols, peer IP addresses, and peer ports).

  • Hybrid cloud traffic analysis: Analyze the traffic that passes through transit routers and VBRs from VPCs to data centers based on the flow logs of the transit routers. The traffic data is displayed in the form of 1-tuple (instance), 2-tuples (cloud IP addresses and peer IP addresses), and 5-tuples (cloud IP addresses, cloud ports, protocols, peer IP addresses, and peer ports).
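The three views above (1-tuple, 2-tuple, 5-tuple) are aggregations of the same flow records. The Go program below is an added example for this page, not NIS or flow log code: it parses a constructed, space-separated sample (the field layout is invented for the example and is not the product's flow log schema), rolls bytes up at each of the three levels, and prints the top talkers, which is the first thing an operator does when looking for an unexpected flow between a branch and a VPC. Instance IDs and addresses are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// FlowRecord is one parsed flow log record.
type FlowRecord struct {
	Instance string // transit router or VPC instance the flow was observed on
	SrcIP    string
	SrcPort  int
	DstIP    string
	DstPort  int
	Proto    string
	Bytes    int64
}

// SampleFlowLog is a constructed sample in a simple space-separated layout; it is not
// the product's own flow log schema, only enough to show the three aggregation levels.
const SampleFlowLog = `# instance src_ip src_port dst_ip dst_port proto bytes
tr-example1 10.0.1.5 51234 192.168.10.20 443 tcp 120000
tr-example1 10.0.1.5 51235 192.168.10.20 443 tcp 80000
tr-example1 10.0.2.9 40000 192.168.10.20 22 tcp 5000
vpc-example1 10.0.1.5 0 10.0.3.7 0 icmp 640
tr-example1 192.168.10.20 443 10.0.1.5 51234 tcp 9000000
`

// ParseFlowLog parses the sample layout; comment and blank lines are skipped and a
// malformed record is reported as an error rather than silently dropped.
func ParseFlowLog(text string) ([]FlowRecord, error) {
	var recs []FlowRecord
	sc := bufio.NewScanner(strings.NewReader(text))
	for lineNo := 1; sc.Scan(); lineNo++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 7 {
			return nil, fmt.Errorf("line %d: expected 7 fields, got %d", lineNo, len(f))
		}
		sport, err1 := strconv.Atoi(f[2])
		dport, err2 := strconv.Atoi(f[4])
		nbytes, err3 := strconv.ParseInt(f[6], 10, 64)
		if err1 != nil || err2 != nil || err3 != nil {
			return nil, fmt.Errorf("line %d: bad numeric field", lineNo)
		}
		recs = append(recs, FlowRecord{f[0], f[1], sport, f[3], dport, f[5], nbytes})
	}
	return recs, sc.Err()
}

// Key functions for the three views: per instance, per address pair, per full 5-tuple.
func OneTuple(r FlowRecord) string { return r.Instance }
func TwoTuple(r FlowRecord) string { return r.SrcIP + "->" + r.DstIP }
func FiveTuple(r FlowRecord) string {
	return fmt.Sprintf("%s:%d->%s:%d/%s", r.SrcIP, r.SrcPort, r.DstIP, r.DstPort, r.Proto)
}

// Aggregate sums bytes per key.
func Aggregate(recs []FlowRecord, key func(FlowRecord) string) map[string]int64 {
	out := make(map[string]int64)
	for _, r := range recs {
		out[key(r)] += r.Bytes
	}
	return out
}

// Talker is one row of a top-N report.
type Talker struct {
	Key   string
	Bytes int64
}

// TopTalkers returns the n largest keys; ties are broken by key for stable output.
func TopTalkers(agg map[string]int64, n int) []Talker {
	list := make([]Talker, 0, len(agg))
	for k, b := range agg {
		list = append(list, Talker{k, b})
	}
	sort.Slice(list, func(i, j int) bool {
		if list[i].Bytes != list[j].Bytes {
			return list[i].Bytes > list[j].Bytes
		}
		return list[i].Key < list[j].Key
	})
	if n < len(list) {
		list = list[:n]
	}
	return list
}

func main() {
	recs, err := ParseFlowLog(SampleFlowLog)
	if err != nil {
		panic(err)
	}
	views := []struct {
		name string
		key  func(FlowRecord) string
	}{{"1-tuple", OneTuple}, {"2-tuple", TwoTuple}, {"5-tuple", FiveTuple}}
	for _, v := range views {
		fmt.Println(v.name)
		for _, t := range TopTalkers(Aggregate(recs, v.key), 3) {
			fmt.Printf("  %-42s %10d bytes\n", t.Key, t.Bytes)
		}
	}
}
```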

Self-service

Alibaba Cloud provides various methods for you to deploy third-party SD-WAN images in the cloud.

Best practices


Transit VPC design

  • Install third-party SD-WAN images on ECS instances in the transit VPC and use a third-party SD-WAN controller to manage the images. Purchase EIPs and connect the EIPs to VPN gateways in branch networks through public IPsec-VPN tunnels. Use private IP addresses and IPsec to create private IPsec-VPN tunnels.

  • Region selection:

    • To access VPCs in certain regions from a branch network or enable branch networks to communicate, create a transit VPC in the nearest region.

    • To access VPCs in a region from a branch network, create a transit VPC in the region.

IPsec-VPN connection design (connect branch networks)

  • Region selection: Create IPsec-VPN connections in the region of the transit VPC.

  • Two IPsec-VPN connections for ECMP routing:

    • Alibaba Cloud: Configure two IPsec-VPN connections and create attachments to a transit router. Add routes to the route table of the transit router to route traffic to the two IPsec-VPN connections for ECMP routing. This way, cross-zone IPsec-VPN connection redundancy is guaranteed and the total bandwidth of IPsec-VPN tunnels is increased (1 Gbit/s per tunnel x Number of tunnels).

    • Third-party SD-WAN images: Install a third-party SD-WAN image on two ECS instances. Create a public IPsec-VPN tunnel and a private IPsec-VPN tunnel between each SD-WAN appliance and the VPN gateway in the branch network, and create a public IPsec-VPN tunnel and a private IPsec-VPN tunnel between each SD-WAN appliance and each IPsec-VPN connection. Enable BGP routing on both sides. When an SD-WAN appliance is down, BGP automatically converges routes and fails over to another path.

    • Branch networks: We recommend that you prepare two gateway devices and create a tunnel on each gateway device. Specify the two gateway devices as next hops for ECMP routing. This way, multi-gateway device (multi-tunnel) disaster recovery is implemented and the total bandwidth of IPsec-VPN tunnels is increased (1 Gbit/s per tunnel x Number of tunnels).

  • For more information, see Limits.

Transit router design

  • Attachments for the transit VPC: Build an underlay network by creating private IPsec-VPN tunnels between the third-party SD-WAN appliance and private IPsec-VPN connections.

  • Attachments for private IPsec-VPN connections: Connect the third-party SD-WAN appliance to transit routers.

  • Attachments for intra-region production VPCs and VBRs: Connect branch networks to production VPCs and VBRs.

  • Create cross-region connections to transit routers in other regions.

  • Configure transit router route tables and routing policies to control route learning and advertisement between IPsec-VPN connections and production VPCs.

  • For more information, see Limits.
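The route selection behind the "choose the most specific routes" advice in the security service chain section and the ECMP redundancy in the IPsec-VPN connection design can be modelled in a few lines. The Go program below is an added example for this page, not transit router code or its API: it performs longest-prefix lookup over a constructed route table, returns every healthy next hop under the winning prefix as the ECMP set, pins each flow to one hop by hashing its 5-tuple so a connection does not straddle two tunnels, and shows failover when one tunnel's BGP path is withdrawn. The attachment names (ipsec-a, ipsec-b, prod-vpc, fw-vpc) and all prefixes are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"hash/fnv"
	"net/netip"
	"sort"
)

// Route is one entry in a transit router route table. Entries that share a prefix but
// point at different attachments form an ECMP group.
type Route struct {
	Prefix  netip.Prefix
	NextHop string // attachment id (constructed names below)
	Healthy bool   // cleared when BGP withdraws the path behind the attachment
}

// RouteTable is a minimal model of one transit router route table.
type RouteTable struct {
	routes []Route
}

// Add installs a healthy route; prefix must be valid CIDR text.
func (t *RouteTable) Add(prefix, nextHop string) error {
	p, err := netip.ParsePrefix(prefix)
	if err != nil {
		return err
	}
	t.routes = append(t.routes, Route{Prefix: p.Masked(), NextHop: nextHop, Healthy: true})
	return nil
}

// SetHealth marks every route via nextHop up or down, as a BGP withdraw or re-advertise would.
func (t *RouteTable) SetHealth(nextHop string, healthy bool) {
	for i := range t.routes {
		if t.routes[i].NextHop == nextHop {
			t.routes[i].Healthy = healthy
		}
	}
}

// Lookup returns the ECMP set for dst: all healthy next hops under the longest
// matching prefix, sorted for deterministic output.
func (t *RouteTable) Lookup(dst netip.Addr) ([]string, error) {
	best := -1
	var hops []string
	for _, r := range t.routes {
		if !r.Healthy || !r.Prefix.Contains(dst) {
			continue
		}
		switch bits := r.Prefix.Bits(); {
		case bits > best:
			best, hops = bits, []string{r.NextHop}
		case bits == best:
			hops = append(hops, r.NextHop)
		}
	}
	if best < 0 {
		return nil, errors.New("no route to " + dst.String())
	}
	sort.Strings(hops)
	return hops, nil
}

// PickECMP selects one hop per flow by hashing the 5-tuple, so a flow stays on one tunnel.
func PickECMP(hops []string, src, dst netip.Addr, sport, dport uint16, proto byte) string {
	if len(hops) == 0 {
		return ""
	}
	h := fnv.New32a()
	h.Write(src.AsSlice())
	h.Write(dst.AsSlice())
	var tail [5]byte
	binary.BigEndian.PutUint16(tail[0:2], sport)
	binary.BigEndian.PutUint16(tail[2:4], dport)
	tail[4] = proto
	h.Write(tail[:])
	return hops[int(h.Sum32()%uint32(len(hops)))]
}

// BuildExampleTable constructs the layout the page describes: two IPsec-VPN attachments for
// the branch prefix (ECMP), the production VPC, and a more specific route that steers one
// sensitive subnet through the firewall VPC (the security service chain).
func BuildExampleTable() *RouteTable {
	t := &RouteTable{}
	for _, r := range [][2]string{
		{"192.168.0.0/16", "ipsec-a"}, // branch networks via tunnel A
		{"192.168.0.0/16", "ipsec-b"}, // branch networks via tunnel B
		{"10.0.0.0/8", "prod-vpc"},    // production VPCs
		{"10.0.5.0/24", "fw-vpc"},     // most specific: inspect traffic to this subnet first
	} {
		if err := t.Add(r[0], r[1]); err != nil {
			panic(err) // constants above are valid; a real loader would return the error
		}
	}
	return t
}

func main() {
	t := BuildExampleTable()
	for _, d := range []string{"192.168.1.1", "10.0.5.9", "10.0.6.9", "172.16.0.1"} {
		hops, err := t.Lookup(netip.MustParseAddr(d))
		fmt.Printf("%-12s -> %v %v\n", d, hops, err)
	}
	t.SetHealth("ipsec-a", false) // tunnel A's BGP session drops
	hops, _ := t.Lookup(netip.MustParseAddr("192.168.1.1"))
	fmt.Println("after withdraw:", hops)
}
```

Two properties matter for the design: the /24 towards fw-vpc wins over the /8 towards prod-vpc purely by prefix length, which is why the service-chain route must be the most specific one, and the ECMP set shrinks to the surviving tunnel the moment a path is withdrawn, which is the BGP-driven failover the IPsec-VPN design relies on.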

Integratable third-party SD-WAN

Scenarios

Connect data centers to the cloud

During cloud migration, enterprises need to connect data centers to the cloud. Traditional networking solutions that use leased lines are time-consuming and expensive. The VPN solution has limits in global network O&M and high-bandwidth scenarios. The SD-WAN solution can efficiently reduce networking costs and the time required to set up the networks. In addition, it allows enterprises to make full use of existing leased lines or the Internet for cost-efficiency.

Connect branch networks

The rapid expansion of businesses poses great challenges in connecting branch networks to the headquarters network securely and efficiently. Employees in branch offices usually lack IT expertise, so the IT engineers at the headquarters may need to connect thousands or even tens of thousands of networks themselves and need an efficient networking solution. Powered by the third-party SD-WAN solution provided by Alibaba Cloud, enterprises can configure and centrally manage large numbers of branch networks.

Accelerate office networks

More and more enterprises need to send employees to offices outside China for global business expansion. In this scenario, the quality and success of businesses depend on the quality of long-distance data transmission. The third-party SD-WAN solution uses cross-region transport resources provided by Alibaba Cloud CEN to greatly improve the quality of long-distance content delivery. CEN is ready for use after activation and uses the pay-as-you-go billing method to help you reduce costs. In addition, it allows you to scale resources on demand to help you quickly expand your businesses in global markets.