Cross-Cloud Connectivity

Cross-Cloud Connectivity

Cross-Cloud Connectivity Diego Casati – Senior Software Engineer Commercial Software Engineering Cross-Cloud Connectivity What worked, what failed and lessons learned. Ignite your curiosity by showing a real Key objective use case of an engineering exercise. What? Why? Main() Where? How? Deploy Cassandra on What? top of Kubernetes spanning two clouds Wait? What? Let me check online Proactive exercise simulating Customers looking to (1) migrate Why? or have their workload (2) spanning in two clouds Why? • For replication (e.g.: backup) • To comply with a scheduled (1) migrate or have their workload downtime (e.g.: keep a service running by moving data between Data Centers) Why? • To increased availability • To provide load balancing (2) spanning in two clouds • To connect to an existing Data Center (e.g.: on premise) AWS Where? Azure site-to-site VPN between How? the clouds using open source components END-TO-END TOPOLOGY - NETWORK Microsof Azure VPC 192.168.0.0/16 Kubernetes subnet k8sDataTier 192.168.1.0/24 10.0.1.0/24 NSG IPsec IKEv2 Kubernetes Tunnel cluster Kubernetes Cluster AZ us-east-1d Common Vocabulary Acronym Explanation Jumpbox A jump server is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. VPN A virtual private network (VPN) extends a private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. AWS Vocabulary MIcrosof Azure VPC 192.168.0.0/16 Acronym ExplanationVPN subnet Kubernetes subnet 10.0.0.0/24 10.0.1.0/24 k8sDataTier 192.168.1.0/24 VPN 192.168.0.0/24 A virtual private cloudNSG (VPC) is a VPC NSG virtual network dedicated to your AWS account. EIP PIP Kubernet KuBernetes hvn0 OpenBSD hvn1 es OpenBSD xnf0 IPsec IKEv2 An Elastic IP address is a static, cluster xnf1 EIP 10.0.0.4 10.0.1.4 Cluster 192.168.1.87 192.168.0.254 Tunnel public IPv4 address designed for Management subnet ManageMent dynamic10.0.0.128/25 cloud computing. 192.168.0.128/25 EIP PIP A security groupNSG acts as aUDR virtual route taBle Security Group Jumpbox JuMpBox firewall for your instance to AZ us-east-1d control inbound and outbound traffic Destination Target 192.168.0.0/16 local 10.0.0/16 hvn1 / OpenBSD 0.0.0.0/0 Internet Gateway Azure Vocabulary Acronym Explanation MIcrosof Azure VPC 192.168.0.0/16 Azure Virtual Network enables VPN subnet Kubernetes subnet VNET 10.0.0.0/24 10.0.1.0/24 k8sDataTier 192.168.1.0/24 AzureVPN 192.168.0.0/24 resources to communicate NSG NSG with each other and the internet. A PIP is a public instanceEIP -level IP PIP PIP Kubernet KuBernetes hvn0 OpenBSD hvn1 es OpenBSDaddress associatedxnf0 with theIPsec VM IKEv2in cluster xnf1 10.0.0.4 10.0.1.4 Cluster 192.168.1.87 addition192.168.0.254 to the VIP. Tunnel Management subnet A networkManageMent security group (NSG) 10.0.0.128/25 NSG 192.168.0.128/25 contains a list of securityEIP rules PIP NSG UDR route taBle Jumpbox JuMpBoxthat allow or deny network traffic AZ us-east-1d to resources connected to Azure Virtual Networks (VNet). Destination Target Notes UDR User defined routes 192.168.0.0/16 10.0.1.4 OpenBSD's internal NIC Let’s breakdown the solution The solution – in pieces Solution AWS Azure Cassandra Kubernetes YAML files Helm Chart Kubernetes KOPS ACS-Engine Network VPN: OpenVPN? StrongSwan? Other IPSec solution? Cassandra Apache Cassandra is a free and open-source distributed NoSQL database management system designed to handle large amounts of data across many commodity servers, providing high availability with no single point of failure Kubernetes Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications. https://www.redhat.com/en/topics/containers/what-is-kubernetes ACS-Engine https://github.com/Azure/acs-engine KOPS https://github.com/kubernetes/kops Network OSI Model – It’s 1999 all over again Application Presentation Session Transport Network Data Physical Application OpenVPN Presentation Session Transport Network IPSec Data Physical OpenVPN IPSec NIGHTMARE MODE IPsec and its RFCs – This is HARD! Fear not OpenIKED is here! OpenIKED is a FREE implementation of the Internet Key Exchange (IKEv2) protocol which performs mutual authentication and which https://www.openiked.org establishes and maintains IPsec VPN security policies and associations (SAs) between peers. The solution – in pieces Solution AWS Azure Cassandra Kubernetes YAML files Helm Chart Kubernetes KOPS ACS-Engine Network VPN: OpenIKED What failed? #FAIL! Attempt Approach Why it failed? #1 Site-to-site VPN between AWS’s Virtual Gateway Tunnels did not sync and Azure’s VPN Gateway Hard to troubleshoot #2 GRE tunnel between FreeBSD VMs Site-to-site VPN between AWS’s Virtual Gateway and #3 GIF tunnel between FreeBSD VMs Azure’s VPN Gateway #4 IPsec tunnel on FreeBSD (need either GRE or GIF…) What worked? #IT_WORKS! Attempt Approach Notes #1 SSH-based VPN For testing only. Overhead is too high. Refer to ssh(1) for details #2 VM to Gateway service (both AWS and Azure) WorKs for NVAs such as Cisco ASA’s #3 IKEv2 tunnel with OpenBSD IPsec. Easiest OSS option The solution – in pieces Solution AWS Azure Cassandra Kubernetes YAML files Helm Chart Kubernetes KOPS ACS-Engine Network VPN: OpenIKED on OpenBSD Why OpenBSD? 1. A FREE, multi-platform 4.4BSD-based UNIX-like operating system. 2. Proactive security (strlcpy, strlcat, W^X, privilege separation, …) 3. Many of our day-today tools in the base install (by default): • tmux, nvi, OpenSSH, mg (emacs-like), tcpdump, … 4. Infrastructure tools: • OpenIKED – IKEv2 Daemon • OpenBGPD – BGP daemon • OpenNTPD – NTP daemon • OpenOSPFD – OSPF daemon • OpenSMTPD – SMTP daemon • Relayd – L3/7 Load balancer • httpd – HTTP daemon • ACME-client – ACME certificate client • Rebound – DNS proxy • PF - firewall Why OpenBSD? Problem: Solution: - Bake your own image. - Vanilla image available on AWS or - Based on scripts from core OpenBSD Azure. devs (folks from Esdenera): qemu, - Option to use Esdenera Firewall 3 Makefile et al. (NVA based on OpenBSD). - While doing this, 3 PRs were opened to - Our current documentation is not fix issues (AWS and documentation). working – Needs TLC. - All files on Github: - https://github.com/dcasati/cloud- openbsd - https://github.com/dcasati/ports- azure END-TO-END TOPOLOGY - NETWORK MIcrosof Azure VPC 192.168.0.0/16 VPN subnet Kubernetes subnet 10.0.0.0/24 10.0.1.0/24 k8sDataTier 192.168.1.0/24 VPN 192.168.0.0/24 NSG NSG EIP PIP Kubernet KuBernetes hvn0 OpenBSD hvn1 es OpenBSD xnf0 IPsec IKEv2 cluster xnf1 10.0.0.4 10.0.1.4 Cluster 192.168.1.87 192.168.0.254 Tunnel Management subnet ManageMent 10.0.0.128/25 192.168.0.128/25 EIP PIP NSG UDR route taBle Jumpbox JuMpBox AZ us-east-1d Destination Target Destination Target Notes 192.168.0.0/16 local 192.168.0.0/16 10.0.1.4 OpenBSD's internal NIC 10.0.0/16 hvn1 / OpenBSD 0.0.0.0/0 Internet Gateway AWS MIcrosof Azure VPC 192.168.0.0/16 1. Create a VPC with a large network (e.g.: VPN subnet Kubernetes subnet 192.168.0.0/16) 10.0.0.0/24 10.0.1.0/24 k8sDataTier 192.168.1.0/24 VPN 192.168.0.0/24 2. Carve 3 subnets (k8sDataTier,NSG Management,NSG VPN) 3. Create the OpenBSD VM with two NICs a) For each NIC disable source/dest check EIP PIP Kubernet KuBernetes 4. Add the route to Azurehvn0 (e.g.:OpenBSD 10.0.0.0/8)hvn1 es OpenBSD xnf0 IPsec IKEv2 cluster xnf1 10.0.0.4 10.0.1.4 Cluster 192.168.1.87 192.168.0.254 Tunnel5. Allow traffic on the Security Groups (ports 500, 4500 UDP) Management subnet ManageMent 10.0.0.128/25 192.168.0.128/25 6. Attach an Elastic IP to the OpenBSD interface on the EIP PIP NSG UDR route taBle VPN subnet. Jumpbox JuMpBox AZ us-east-1d 7. Configure OpenIKED. Destination Target 192.168.0.0/16 local 10.0.0/16 hvn1 / OpenBSD 0.0.0.0/0 Internet Gateway Azure MIcrosof Azure 1. Create aVPC VNet 192.168.0.0/16with a large network (e.g.: 10.0.0.0/8) VPN subnet Kubernetes subnet 2. Carve 3 subnets (k8sDataTier, Management, VPN) 10.0.0.0/24 10.0.1.0/24 k8sDataTier 192.168.1.0/24 VPN 192.168.0.0/24 3. Create the OpenBSD VM with two NICs (via Azure CLI) NSG NSG a) For each NIC enable IP forwarding 4. Add the route to Azure (e.g.: 192.168.0.0/16)EIP on the UDR PIP Kubernet KuBernetes hvn0 OpenBSD hvn1 es 5. Allow traffic on the SecurityOpenBSD Groupsxnf0 (ports 500, 4500IPsec UDP) IKEv2 cluster xnf1 10.0.0.4 10.0.1.4 Cluster 6. Attach a Public192.168.1.87 IP to the OpenBSD192.168.0.254 interface on the VPNTunnel Management subnet subnet. ManageMent 10.0.0.128/25 7. Configure OpenIKED. 192.168.0.128/25 EIP PIP NSG UDR route taBle Jumpbox JuMpBox AZ us-east-1d Destination Target Notes 192.168.0.0/16 10.0.1.4 OpenBSD's internal NIC OpenBSD Configuration /etc/iked.conf ----------------------------------------------------------------------------------- local_gw = "51.143.95.27" remote_gw = "34.233.91.14" local_net = "10.0.0.0/16" remote_net = "192.168.0.0/16” kops_net = "100.64.0.0/10" state = "active" ikev2 $state ipcomp esp \ from $local_gw to $remote_gw \ from $local_net to $remote_net peer $remote_gw \ psk "1BigSecret” ikev2 $state ipcomp esp \ from $local_gw to $remote_gw \ from $kops_net to $remote_net peer $remote_gw \ psk "1BigSecret” OpenBSD Commands # rcctl enable iked # rcctl start iked # sysctl –w net.inet.ip.forwarding=1 To check if Ipsec is working: # ipsecctl –sa Lessons Learned Pressing all of the right buttons Default VPC route table missing entries Problem Statement No traffic Deploy Cassandra on

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    62 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us