When moving IT infrastructure into a cloud platform and remote data centers, it is vital to set up reliable channels connecting the cloud to the client. Many vendors advertise that they provide «a physical dedicated channel», «fiber optics», an «L2 channel», a «VPN», etc. Let us have a look at what this really means.
Physical & virtual channels
1. Setting up a physical line or a layer 2 channel commonly refers to a service whereby a provider offers either a dedicated cable (copper or fiber optic) or a radio channel between the client's offices and the premises where the data center hardware is deployed. When you opt for this service, what you typically get is a dedicated fiber optic channel for rent.
The benefit of this solution is that the provider is responsible for the reliability of the connection: if the cable is broken, the provider has to restore it. However, a cable consists of multiple segments spliced together, which makes it somewhat less reliable. Along the cable route the provider needs amplifiers and splitters, as well as routers at the end points.
Marketing materials describe this type of solution as L2 (the Data Link layer) of the OSI or TCP/IP network model. It allows Ethernet frames to be switched within the LAN without the issues of packet routing at the IP network layer. For example, you can keep using your own private IP addresses in the virtual networks instead of registered, globally unique public addresses. Since private IP addresses are very convenient in local networks, special ranges from the basic address classes were allocated for this purpose:
- 10.0.0.0 – 10.255.255.255 in class A (with a 255.0.0.0 or /8 mask);
- 100.64.0.0 – 100.127.255.255 in class A (with a 255.192.0.0 or /10 mask);
- 172.16.0.0 – 172.31.255.255 in class B (with a 255.240.0.0 or /12 mask);
- 192.168.0.0 – 192.168.255.255 in class C (with a 255.255.0.0 or /16 mask).
Users pick such addresses themselves for internal use, which is why the same addresses are reused in thousands of client networks. Packets carrying private addresses in their header are not routed on the Internet, to avoid ambiguity. To reach the Internet, a user has to use NAT or a similar solution.
Note: NAT (Network Address Translation) is a method of remapping one IP address space into another by modifying the network address information in the IP header of transit packets, so that packets can be routed from the client's local network to other networks or the Internet and, in the reverse direction, back into the client's LAN to the recipient.
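As an added illustration (not part of the original article), the following Python model shows how the ranges listed above are recognised and how a port-based source NAT maps internal flows onto a single public address. The public address 203.0.113.10, the port pool starting at 40000 and the class and function names are assumptions; all traffic values are constructed.

```python
import ipaddress

# The address ranges listed in the article, written as CIDR prefixes.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "100.64.0.0/10", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr falls inside one of the ranges above (not routable on the Internet)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


class SourceNat:
    """Minimal model of a port-based source NAT (masquerading) router.
    public_ip is the router's single Internet-facing address (assumed value in tests)."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}   # (inner_ip, inner_port) -> public_port
        self.inbound = {}    # public_port -> (inner_ip, inner_port)

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a LAN-to-Internet packet's source; returns None if it must be dropped."""
        if is_private(dst_ip):
            return None                      # private destinations are never forwarded upstream
        if not is_private(src_ip):
            return (src_ip, src_port, dst_ip, dst_port)   # already a routable source
        key = (src_ip, src_port)
        if key not in self.outbound:         # allocate a public port for a new flow
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_in(self, src_ip, src_port, dst_ip, dst_port):
        """Map a reply back to the LAN host; unsolicited packets have no mapping and are dropped."""
        if dst_ip != self.public_ip or dst_port not in self.inbound:
            return None
        inner_ip, inner_port = self.inbound[dst_port]
        return (src_ip, src_port, inner_ip, inner_port)
```

The last method is the reason a NAT router incidentally blocks unsolicited inbound traffic: without an existing mapping there is nowhere to deliver the packet.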
The dedicated channel approach has a disadvantage: if a client moves to another office, there may be connectivity issues at the new location, and the client might have to switch to another provider.
Claims that such channels are better protected against hackers, or less exposed to vulnerabilities when an engineer makes a mistake, are unfounded. Our experience shows that security issues typically arise (or are introduced deliberately by an attacker) on the client's side, through human error.
2. Virtual channels, and the VPNs (Virtual Private Networks) built on them, are very popular and address multiple challenges faced by clients.
When a provider offers an L2 VPN, there are several L2 services to choose from:
- VLAN – the client gets a virtual network between their offices (in reality the client's traffic is handled by the provider's active equipment, which limits the speed);
- PWE3 – a point-to-point connection or, in other words, an emulation of a point-to-point link over a packet-switched network. It transfers Ethernet frames between two nodes as if they were wired directly to each other. What matters for the client is that every frame is delivered to the remote node unaltered, in both directions. This is possible because when the client's frame reaches the provider's router it is encapsulated into a higher-level data unit (an MPLS packet) and extracted again at the end point;
Note: PWE3 – Pseudo-Wire Emulation Edge to Edge, a mechanism that, from the user's standpoint, provides a dedicated connection.
- VPLS – a technology that emulates a local network with multipoint-to-multipoint connections. In that case, from the client's standpoint, the provider's network looks like a switch holding a table of the network devices' MAC addresses. This virtual switch directs an Ethernet frame coming from the client's network to the right destination, which again means the frame is encapsulated into an MPLS packet and then extracted.
Note: MPLS – MultiProtocol Label Switching, a data transfer technology in which data are directed from one network node to the next based on short transport/service path labels rather than long network addresses, regardless of the transmission medium and protocol. Labels can be added during forwarding when necessary, or removed once their function has been fulfilled. The content of the packets is neither inspected nor changed.
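The following Python model, added here and not taken from the article, shows the L2 VPN behaviour described above for PWE3 and VPLS: frames entering the provider network are encapsulated into MPLS packets labelled for a remote site, the VPLS instance learns MAC addresses per site and floods unknown destinations, and a MAC that suddenly shows up behind a different site is recorded so an operator can alert on it. Site names, label values and the Frame/MplsPacket/VplsInstance names are assumptions; an instance with only two sites behaves like a PWE3 pseudowire.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    payload: bytes


@dataclass
class MplsPacket:
    label: int      # service label that steers the packet to one remote site
    frame: Frame    # the client's Ethernet frame, carried unaltered


class VplsInstance:
    """Model of the provider network as one virtual switch for a single client."""

    def __init__(self, site_labels):
        self.site_labels = site_labels   # site name -> label used to reach that site (assumed values)
        self.mac_table = {}              # learned MAC -> site it was last seen behind
        self.mac_moves = []              # (mac, old_site, new_site): worth alerting on

    def ingress(self, site, frame):
        """Learn the source MAC, then return the MPLS packets to send toward other sites."""
        seen_at = self.mac_table.get(frame.src_mac)
        if seen_at is not None and seen_at != site:
            # A MAC suddenly appearing behind another site: a loop or a spoofed source.
            self.mac_moves.append((frame.src_mac, seen_at, site))
        self.mac_table[frame.src_mac] = site

        if frame.dst_mac != BROADCAST and frame.dst_mac in self.mac_table:
            targets = [self.mac_table[frame.dst_mac]]               # known unicast: one site only
        else:
            targets = [s for s in self.site_labels if s != site]   # unknown or broadcast: flood
        # Never send a frame back out of the site it arrived from.
        return [MplsPacket(self.site_labels[s], frame) for s in targets if s != site]

    @staticmethod
    def egress(packet):
        """At the far edge the label is popped and the original frame is handed to the client."""
        return packet.frame
```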
3. When an L3 VPN is deployed, the client sees the provider's network as a single router with multiple interfaces. The client's local network therefore meets the provider's network at L3 of the OSI or TCP/IP network model.
Public IP addresses for the interconnection points can be agreed with the provider (they can belong either to the client or to the provider). The client configures the IP addresses on their routers on both sides (private ones for the local network and public ones facing the provider), and the provider handles the routing of data packets. From a technology perspective, MPLS is used for this solution (see above) along with GRE and IPSec.
Note: GRE – Generic Routing Encapsulation, a tunneling protocol that packages network packets so that a secure logical point-to-point connection can be established by means of protocol encapsulation at L3. IPSec – IP Security, a suite of network security protocols that applies to data transferred over IP and provides packet authentication, encryption and integrity checking.
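As an added example (not from the article), this Python code builds and parses the GRE header defined in RFC 2784, including the optional checksum, and shows why GRE is combined with IPSec: the encapsulated packet is carried verbatim, so GRE on its own provides integrity checking at most and no confidentiality. Function names are assumptions and the inner packet is a constructed byte string.

```python
import struct

GRE_PROTO_IPV4 = 0x0800   # protocol type of the encapsulated payload (EtherType)
_CHECKSUM_FLAG = 0x8000   # C bit in the flags/version field (RFC 2784)


def _inet_checksum(data: bytes) -> int:
    """Standard Internet (ones' complement) checksum used by GRE."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(payload: bytes, proto: int = GRE_PROTO_IPV4, checksum: bool = True) -> bytes:
    """Prepend a GRE header; the payload itself is copied unchanged (no encryption)."""
    if not checksum:
        return struct.pack("!HH", 0, proto) + payload
    header = struct.pack("!HHHH", _CHECKSUM_FLAG, proto, 0, 0)   # checksum field zeroed
    csum = _inet_checksum(header + payload)
    return struct.pack("!HHHH", _CHECKSUM_FLAG, proto, csum, 0) + payload


def gre_decapsulate(packet: bytes):
    """Validate the GRE header and return (proto, inner_payload)."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    header_len = 8 if flags & _CHECKSUM_FLAG else 4
    if len(packet) < header_len:
        raise ValueError("truncated GRE header")
    # With the checksum present, summing the whole packet must give zero.
    if flags & _CHECKSUM_FLAG and _inet_checksum(packet) != 0:
        raise ValueError("GRE checksum mismatch")
    return proto, packet[header_len:]


def payload_is_visible(tunnel_packet: bytes, marker: bytes) -> bool:
    """True if the inner data can be read straight out of the tunnel packet,
    which is exactly what IPSec (ESP) is added to prevent."""
    return marker in tunnel_packet
```

The checksum catches accidental corruption only; it is not a keyed integrity mechanism, which is another reason the combination with IPSec matters.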
It is important to note that modern network infrastructure is designed so that a client sees only the part of it stipulated in the agreement. Dedicated resources (virtual servers, routers, storage for operational data and backups) along with running programs and memory contents are completely isolated from other users. Multiple physical servers can work simultaneously and consistently for one client, who sees them as one powerful pool of servers. The reverse is also true: one physical server can host multiple virtual machines, each of which behaves like a separate computer with its own operating system for its particular user. Custom solutions are also available to meet a particular client's requirements for secure data processing and storage.
In addition, the configuration of an L3 cloud network can be scaled up to almost any size (which is how the Internet and large data centers are designed). Dynamic routing protocols operating in the L3 cloud network, such as OSPF, select the shortest routes for data packets and can send packets over multiple routes simultaneously to balance the load and extend channel capacity.
At the same time, a virtual network can also be deployed at L2, which is typical for small data centers and for legacy (or very specific) client applications. In some cases an L2-over-L3 technology is used to ensure network compatibility and keep such applications running.