Tuesday, April 9, 2019

Feedback on MPLS in Enterprise Environment, Active/Active DC + Other Requirements

Hello /r/networking - I wanted to get some feedback on some updates to my company's network to meet a few business requirements.

The business requirements include:

  1. Zero trust security model, subnet A cannot reach IP/subnet N on port X without an explicit rule permitting the traffic
  2. Enable access to AWS VPC private networks from an environment (staging,prod) in the Data Center to the respective environment in AWS
  3. Maintain virtual separation/isolation of environments both behind and in front of each Data Center's firewall
  4. Plan for scalability, enable flexible integration with future Data Center locations

For brevity's sake we will assume we have two development environments, staging and production. Currently our other Data Center is not active yet, but it will be and will be deployed in an active/active setup.

Recently I have turned up our AWS direct connect link and enabled public routing with them, and soon will be enabling routing for our private VPC subnets as well.

I wanted to isolate traffic in each of the development environments even outside of the firewall, and I was thinking about implementing MPLS to utilize VRFs in order to do just that. Additionally, I believe using MPLS will help when we start to turn up our other active Data Center and the like environments need to talk to each other. Here, the outside interface of the Firewall would consist of multiple sub-interfaces with each sub-interface placed in a different VRF for each environment, then finally one interface for public routing (outside).

I've deployed this exact setup in GNS3 and so far I like it; each VRF routing table for our development environments is exactly how I want it - they only have routes to each data center's environment-specific subnets, as well as the specific environment in AWS. So just one summarized subnet for each data center, and a subnet for each VPC advertised from AWS.

Basically if traffic from Data Center A, environment production needs to talk to some host in Production in Data Center B, traffic would leave the Firewall out the sub-interface placed in VRF production, traverse the network to Data Center B within VRF production, and reach the firewall at Data Center B.

The downside here is the obvious increase in complexity/configuration to deploy the infrastructure (though it should be pretty static once implemented). I would obviously be running iBGP across the Data Centers, and utilizing a pair of route-reflectors in each DC to reduce the BGP neighbor mesh configuration.

I come from a service provider background so I am familiar with the implementation of MPLS which is why I tended to lean towards utilizing it here.

Could anyone point out some causes for concern with my suggested implementation/suggest improvements I hadn't considered, or if there are better alternatives to MPLS I can research to meet my business requirements? Especially for an Active/Active data center and the DCI links.

I don't have to worry about vMotion or any VM mobility across data centers. The only synchronization taking place will be the databases and storage (I believe).

I'm the only Network Engineer here so I don't have a lot of others to bounce ideas off of or get feedback from.

Thanks!
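The isolation property the post relies on (each environment VRF sees only its own DC summaries and its own AWS VPC) comes entirely from route-target import/export, so it is worth checking mechanically before the design leaves GNS3. The following is an added example, not the poster's configuration: it models the L3VPN import rule over a constructed route set and flags any prefix visible in two VRFs; VRF names, route targets and prefixes are assumed values.

```python
"""Model of MPLS L3VPN route-target import/export for per-environment VRFs.
Constructed example; VRF names, RTs and prefixes are assumptions, not the
poster's real addressing."""
from ipaddress import ip_network

# Constructed VPNv4 routes: (prefix, origin, export route-targets).
# One summary per DC per environment, plus one AWS VPC per environment.
ROUTES = [
    ("10.10.0.0/16", "dc-a", {"65000:100"}),   # DC A production summary
    ("10.20.0.0/16", "dc-b", {"65000:100"}),   # DC B production summary
    ("172.16.0.0/16", "aws", {"65000:100"}),   # AWS production VPC
    ("10.11.0.0/16", "dc-a", {"65000:200"}),   # DC A staging summary
    ("10.21.0.0/16", "dc-b", {"65000:200"}),   # DC B staging summary
    ("172.17.0.0/16", "aws", {"65000:200"}),   # AWS staging VPC
]

# Per-VRF import route-targets as they would be configured on the PEs.
VRFS = {
    "production": {"import": {"65000:100"}},
    "staging":    {"import": {"65000:200"}},
}


def build_rib(vrf_imports, routes=ROUTES):
    """Prefixes a VRF installs: every VPNv4 route whose export RTs
    intersect the VRF's import RTs (the standard L3VPN import rule)."""
    return {ip_network(p) for p, _, rts in routes if rts & vrf_imports}


def check_isolation(vrfs, routes=ROUTES):
    """Compare every pair of VRFs and return {(vrf_a, vrf_b): overlapping
    prefixes}. An empty dict means no environment can see another's
    routes; a non-empty one points at an RT that leaks between VRFs."""
    ribs = {name: build_rib(cfg["import"], routes)
            for name, cfg in vrfs.items()}
    leaks = {}
    names = sorted(ribs)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            shared = {p for p in ribs[a] for q in ribs[b] if p.overlaps(q)}
            if shared:
                leaks[(a, b)] = shared
    return leaks


if __name__ == "__main__":
    # Clean design: no overlap. Then a typo'd extra import RT on staging,
    # which silently pulls every production route into the staging VRF.
    print("clean:", check_isolation(VRFS))
    leaky = {"production": {"import": {"65000:100"}},
             "staging": {"import": {"65000:200", "65000:100"}}}
    print("leaky:", check_isolation(leaky))
```

Run it against the real RT plan (or a parsed `show ip bgp vpnv4 all` export) whenever a new DC or VPC is added, since a single stray import RT is enough to break requirement 3 without any firewall rule changing.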


