Date post: 09-Jul-2020
DDoS and Cloud Access Services MAX Participants Meeting April 25, 2018 George K. Loftus AVP Network Services, Internet2

•  Internet2 in conjunction with MAX offers a cloud-based Distributed Denial of Service (DDoS) Mitigation Service provided by Zenedge/Oracle.

•  Subscribers to the service are able to direct attack traffic to Zenedge, and carry the clean traffic back to them on their existing Internet2/MAX connection.

Internet2 vDDoS Mitigation Service

[Diagram: Protecting commodity traffic. Elements: Commodity Internet, Subscriber, Tenant, Internet2 Network, Scrubbing Center. Legend: diverted attack traffic, commodity traffic, clean traffic return path.]

•  The Subscriber has access to an aggregated amount of “clean pipe” service (10G) to which the community has subscribed.

•  MAX has a commit rate of 1G of clean pipe capacity but is allowed to burst into the available capacity on the clean pipe (up to 10G).

•  Each Subscriber and Tenant will have access to a Security Operations Center (SOC), a services portal and a direct connection via Internet2/MAX back to its edge.

Internet2 DDoS Mitigation Service

•  Provides coverage for commodity traffic and R&E traffic

•  IPv4 and IPv6

•  Coverage of unlimited number of events

•  Traffic is returned via a vrf provisioned during service onboarding

•  Scrubbing is signaled via eBGP peering with the provider SOC

•  Provider will announce a /24 (IPv4) subnet globally to draw traffic to the scrubbing center, from which it is returned to the connector/campus


Cloud Access Services

Cloud Exchange: Use of the community’s existing 800 Gbps+ of layer 3 peering capabilities to the major cloud providers for advanced, community enabled access to cloud services.

Cloud Connect: Enabling the Internet2 & Regional infrastructures to offer “direct-connect” private Layer 2 and Layer 3 access to Microsoft, Amazon and Google cloud platforms.


CLOUD EXCHANGE available to Regional members today, at no additional fee

•  Regional provides its members with direct access to over 15 cloud service providers on the Cloud Exchange

•  Cloud Exchange allows Regional members to have high performing on-net access to cloud service providers, avoiding the commodity internet and reducing latency

•  Regional engineers have the ability to review and optimize member connections to the Cloud Exchange—along the entire path to help members make the most of their cloud connections

•  Cloud Exchange was designed from the ground up to focus on hosting cloud providers most valued by the Research & Education community

•  Member


Internet2 Cloud Access Request Workflow

[Flowchart. Boxes, in the order they appear; decision branches are labelled Yes/No and terminate at End nodes:]

•  Start: Need to access the cloud using R&E Networks?

•  Answer: Utilize Internet2/Regional Cloud Exchange Peering (TR-CPS)

•  Do you require access to multiple providers and/or locations?

•  Answer: Consider Cloud Connect (Direct Connect) to Cloud providers

•  Do you require a private network connection to extend your data center into the cloud using private address space or your own public address space?

•  Contact Internet2 or your regional about Cloud Connect Layer 2 and Layer 3 features.

•  Contact Internet2 or your regional about point to point wave or layer 2 solutions to the cloud.

Layer 2 – AL2S Circuit Option

[Diagram labels: Campus Network, Campus Router, Regional Network, Router, Regional Layer 2 Circuits, Internet2 Backbone, Internet2 Router, AL2S Circuits, Internet2 ASHB 1 (sdn-sw), Internet2 ASHB 2 (rtr), Microsoft Azure, MS Azure Router 1.]

* While end-to-end redundancy is shown, redundancy is only mandatory for the interconnect between Internet2 and Microsoft.

Layer 3 – MPLS L3VPN Option

[Diagram labels: Campus Network, Campus Router, Regional Network, Router, Regional Layer 2 Circuits, Internet2 Backbone, Internet2 Router, L3VPN, Internet2 ASHB 1 (sdn-sw), Internet2 ASHB 2 (rtr), Microsoft Azure, MS Azure Router 1.]

* While end-to-end redundancy is shown, redundancy is only mandatory for the interconnect between Internet2 and Microsoft.

Imagining Future Multi-cloud Community Use Case

[Diagram labels: Campus Network, Campus Router, Regional Network, Router, Regional Layer 2 Circuits, Internet2 Backbone, Internet2 Router, Internet2 L3VPN, Microsoft Azure, MS Azure Router 1, MS Azure Router 2, Other Azure Region, Amazon Direct Connect, AWS Router 1, AWS Router 2, Google Cloud Platform, GCP Router 1, GCP Router 2, Other Collaborators.]

Cloud Connect – Current Status

•  Microsoft:
   •  Access:
      •  Available: Ashburn & Chicago
      •  Next Site: Dallas June ‘18
      •  Future: West Coast - Bay Area Fall ‘18
   •  Members connected:
      •  OSHEAN – Layer 2 & Layer 3
      •  Georgia Tech – Layer 3
      •  Vanderbilt – Layer 2

•  Amazon:
   •  Access:
      •  Available: Ashburn & Chicago
      •  Next Site: Dallas July ‘18
      •  Future: West Coast – Bay Area Fall ‘18
   •  Members connected:
      •  MCNC – working to bring up pilot connection
      •  University of Michigan – working to bring up pilot
      •  OSHEAN – working with Brown University
      •  Georgia Tech - working to bring up pilot connection

•  Google:
   •  Access:
      •  Available: Chicago
      •  Ashburn, Dallas, Bay Area planned

TBD
