DDoS and Cloud Access Services
MAX Participants Meeting, April 25, 2018
George K. Loftus, AVP Network Services, Internet2
• Internet2 in conjunction with MAX offers a cloud-based Distributed Denial of Service (DDoS) Mitigation Service provided by Zenedge/Oracle.
• Subscribers to the service are able to direct attack traffic to Zenedge, and carry the clean traffic back to them on their existing Internet2/MAX connection.
Internet2 vDDoS Mitigation Service
[Diagram: Protecting commodity traffic. Elements: Commodity Internet, Subscriber, Tenant, Internet2 Network, Scrubbing Center. Legend: diverted attack traffic, commodity traffic, clean traffic return path.]
• The Subscriber has access to an aggregated amount of "clean pipe" service (10G) to which the community has subscribed.
• MAX has a commit rate of 1G of clean pipe capacity but is allowed to burst into the available capacity on the clean pipe (up to 10G).
• Each Subscriber and Tenant will have access to a Security Operations Center (SOC), a services portal and a direct connection via Internet2/MAX back to its edge.
Internet2 DDoS Mitigation Service
• Provides coverage for commodity traffic and R&E traffic
• IPv4 and IPv6
• Coverage of unlimited number of events
• Traffic is returned via a VRF provisioned during service onboarding
• Scrubbing is signaled via eBGP peering with the provider SOC
• The provider will announce a /24 (IPv4) subnet globally to draw traffic to the scrubbing center, from which it is returned to the connector/campus
Cloud Access Services
Cloud Exchange: Use of the community's existing 800 Gbps+ of layer 3 peering capabilities to the major cloud providers for advanced, community enabled access to cloud services.
Cloud Connect: Enabling the Internet2 & Regional infrastructures to offer "direct-connect" private Layer 2 and Layer 3 access to Microsoft, Amazon and Google cloud platforms.
CLOUD EXCHANGE available to Regional members today, at no additional fee
• Regional provides its members with direct access to over 15 cloud service providers on the Cloud Exchange
• Cloud Exchange allows Regional members to have high performing on-net access to cloud service providers, avoiding the commodity internet and reducing latency
• Regional engineers have the ability to review and optimize member connections to the Cloud Exchange — along the entire path to help members make the most of their cloud connections
• Cloud Exchange was designed from the ground up to focus on hosting cloud providers most valued by the Research & Education community
• Member
MAX
Internet2 Cloud Access Request Workflow
[Flowchart; boxes listed as extracted, connected by Yes/No branches and ending in End nodes:]
• Start: Need to access the cloud using R&E Networks?
• Answer: Utilize Internet2/Regional Cloud Exchange Peering (TR-CPS)
• Do you require access to multiple providers and/or locations?
• Answer: Consider Cloud Connect (Direct Connect) to Cloud providers
• Do you require a private network connection to extend your data center into the cloud using private address space or your own public address space?
• Contact Internet2 or your regional about Cloud Connect Layer 2 and Layer 3 features.
• Contact Internet2 or your regional about point to point wave or layer 2 solutions to the cloud.
Layer 2 – AL2S Circuit Option
[Diagram. Elements: Campus Network (Campus Routers); Regional Network (Routers, Regional Layer 2 Circuits); Internet2 Backbone (Internet2 Routers, Internet2 ASHB 1 (sdn-sw), Internet2 ASHB 2 (rtr), AL2S Circuits); Microsoft Azure (MS Azure Routers).]
* While end-to-end redundancy is shown, redundancy is only mandatory for the interconnect between Internet2 and Microsoft.
Layer 3 – MPLS L3VPN Option
[Diagram. Elements: Campus Network (Campus Routers); Regional Network (Routers, Regional Layer 2 Circuits); Internet2 Backbone (Internet2 Routers, Internet2 ASHB 1 (sdn-sw), Internet2 ASHB 2 (rtr), L3VPN); Microsoft Azure (MS Azure Routers).]
* While end-to-end redundancy is shown, redundancy is only mandatory for the interconnect between Internet2 and Microsoft.
Imagining Future Multi-cloud Community Use Case
[Diagram. Elements: Campus Network (Campus Routers); Regional Network (Routers, Regional Layer 2 Circuits); Internet2 Backbone (Internet2 Routers, Internet2 L3VPN); Microsoft Azure (MS Azure Router 1, MS Azure Router 2); Other Azure Region; Amazon Direct Connect (AWS Router 1, AWS Router 2); Google Cloud Platform (GCP Router 1, GCP Router 2); Other Collaborators.]
Cloud Connect – Current Status
• Microsoft:
  • Access:
    • Available: Ashburn & Chicago
    • Next Site: Dallas June ’18
    • Future: West Coast - Bay Area Fall ’18
  • Members connected:
    • OSHEAN – Layer 2 & Layer 3
    • Georgia Tech – Layer 3
    • Vanderbilt – Layer 2
• Amazon:
  • Access:
    • Available: Ashburn & Chicago
    • Next Site: Dallas July ’18
    • Future: West Coast – Bay Area Fall ’18
  • Members connected:
    • MCNC – working to bring up pilot connection
    • University of Michigan – working to bring up pilot
    • OSHEAN – working with Brown University
    • Georgia Tech - working to bring up pilot connection
• Google:
  • Access:
    • Available: Chicago
    • Ashburn, Dallas, Bay Area planned
TBD