DRAFT| [SECURITY CLASSIFICATION] | CLOUD GATEWAY TECHNICAL GUIDE INTERNATIONAL
CLOUD GATEWAY
TECHNICAL GUIDE
TELSTRA RESTRICTED | DRAFT | TELSTRA CONFIDENTIAL | CLOUD GATEWAY TECHNICAL GUIDE INTERNATIONAL
PAGE 2/20
WELCOME TO CLOUD GATEWAY
For sales, account set-up enquiries and technical support, contact your Telstra representative or choose from
our other support options.
You can access Cloud Gateway directly here or via Telstra’s Cloud Services Portal (either way, you’ll need
your login details).
CONVENTIONS USED IN THIS GUIDE
The following typographical conventions are used in this guide for simplicity and readability:
Web addresses, email addresses and hyperlinks are shown in this colour in body text.
Button names and titles/features on your computer screen are shown in italics.
User input is shown in typewriter font.
Cloud Gateway Technical Guide – for customers outside Australia, Version 1.0
© Telstra Corporation Limited (ABN 33 051 775 556) 2016. All rights reserved.
This work is confidential to Telstra and copyright. Apart from any use as permitted under the Copyright Act 1968,
information contained within this guide cannot be used for any other purpose other than the purpose for which it was
released. No part of this guide may be reproduced, stored in a retrieval system, or transmitted in any form or by any
means, electronic, mechanical, photocopying, recording or otherwise, without the written permission of Telstra
Corporation Limited.
Words mentioned in this guide that are known to be trademarks, whether registered or unregistered, have been
capitalised or use initial capitals.
TABLE OF CONTENTS
INTRODUCTION  4
WHY TELSTRA?  4
WHY CLOUD GATEWAY?  4
NETWORK CONNECTIVITY AND BANDWIDTH TIERS  5
CLOUD SERVICE PROVIDERS AND LOCATIONS  6
CLOUD GATEWAY CONNECTIONS  7
AWS CLOUD GATEWAY CONNECTION  7
IBM SOFTLAYER CLOUD GATEWAY CONNECTION  13
TECHNICAL SPECIFICATIONS  15
END-TO-END NETWORK ARCHITECTURE  15
BANDWIDTH MANAGEMENT  16
SERVICE MODIFICATIONS  16
SECURITY  17
IP ROUTING PROTOCOLS  17
SOURCE NETWORK ADDRESS TRANSLATION (SNAT)  18
DESTINATION NETWORK ADDRESS TRANSLATION (DNAT)  18
SERVICE AVAILABILITY TARGET  18
TECHNICAL SUPPORT  19
CUSTOMER REPORTING  19
CUSTOMER PORTALS  19
GLOSSARY  20
INTRODUCTION
WHY TELSTRA?
Telstra is your partner of choice for delivering secure and reliable access to the cloud. We provide:
National public cloud access for your locations/branches
Our Global IP VPN enables you to globally connect your locations and branches to compatible
public clouds.
Low latency and secure access to public clouds
Private connectivity between your Telstra IP network service (IP VPN) and public clouds – enabling
low latency, and secure access.
Access to a range of clouds through one connection
Flexibility of connecting to multiple cloud providers and sharing resources across them – enabling
smooth transition towards many cloud adoption strategies.
WHY CLOUD GATEWAY?
We’ll provide you with a simple one-stop solution for private, secure and reliable connectivity from your
Telstra IP network service into a range of cloud providers. You’ll be able to enjoy a seamless experience –
with a scalable and flexible approach.
Need to connect to multiple clouds, or adopt a hybrid cloud strategy? With this solution, it couldn’t be easier.
Simply choose your bandwidth allocation to individual cloud connections and then adjust them according to
your workloads – with plenty of room for future business growth.
A seamless end-to-end solution that includes:
Online portal for connection and management
For one or multiple cloud connections from your wide area network (using your Telstra IP network service).
Single point of contact for your Cloud Gateway service
For:
o Service provisioning and assurance
o Data carriage from your Telstra IP network service
o Cross connects in respective data centres
o Activation of direct connectivity
o Configuration and support
Connect to a range of clouds
You can currently connect to Amazon Web Services® (AWS) and SoftLayer®.
Wide range of available bandwidth options
You can easily change allocation of bandwidth for individual cloud connections, as required.
Monthly (PAYG) or fixed term pricing options
Ask our team about discounts for once-off installs and monthly recurring charges.
Upfront deterministic charges
With unlimited usage of data volume options providing ease of budgeting and control of cloud spend.
Superior SLAs
High availability and geographical redundancy options (where supported by the cloud provider).
Consulting services available as an option
Our experts can help you establish and manage your cloud account. We can also design and implement customised routing. Contact your Telstra representative for more information.
NETWORK CONNECTIVITY AND BANDWIDTH TIERS
Cloud Gateway provides Layer 3 (IP VPN) connectivity from your wide area network. You’ll be able to
connect to cloud data centres available around the world for the same Cloud Gateway connection. Our
Global IP VPN is an international service – it offers high availability and excellent geo-redundancy.
You can choose from a range of bandwidth tiers from 10Mbps to 10Gbps to suit your requirements. This will
be your selected bandwidth tier for all clouds connected through your Cloud Gateway service.
BANDWIDTH TIERS*
LAYER 3 CLOUD GATEWAY: 10M, 50M, 100M, 200M, 300M, 400M, 500M, 700M, 1G, 2G, 3G, 5G, 7G, 10G
*Aggregate bandwidth for all clouds connected through your Cloud Gateway service.
Your bandwidth tier and charges for Cloud Gateway are independent of location. Once you specify the
bandwidth tier for the gateway, you can then allocate that bandwidth across supported cloud providers in
any of the supported global locations.
Your bandwidth tier is specific to your provider for each cloud. You can group all your clouds purchased from
us into one tier – but you’ll need another separate tier for clouds purchased from other providers.
For example, if your chosen clouds are:
CLOUD | BANDWIDTH | PURCHASED FROM
AWS | 100M | AWS
You'll need to purchase:
CLOUD GATEWAY BANDWIDTH TIER | BANDWIDTH | FOR
Telstra cloud bandwidth tier | 200M | Clouds purchased from Telstra
BYO cloud bandwidth tier | 100M | Clouds purchased from other compatible providers
CLOUD SERVICE PROVIDERS AND LOCATIONS
Cloud Gateway supports connectivity to the following cloud providers. You can buy these cloud provider
services through us or directly from the providers.
Your choice of bandwidth options for interconnection to individual cloud providers will depend on your
services or applications being used within that cloud environment. You’re responsible for determining the
right bandwidth option for your individual cloud services.
AWS
US East (N. Virginia)
US West (N. California)
EU (Ireland)
Asia Pacific (Singapore)
Note: once your network is connected via the AWS Direct Connect service, you'll have access to services in all Availability Zones within the geographical region.
SoftLayer
Singapore
UK
Hong Kong
New York
More to come…
Over time, we’ll add more data centres for existing cloud service providers – along with new cloud service
providers.
CLOUD GATEWAY CONNECTIONS
AWS CLOUD GATEWAY CONNECTION
Your Cloud Gateway connection for AWS provides you with direct connections to AWS using your Telstra IP
network service. Cloud Gateway routers also peer with AWS devices on your behalf, using the AWS Direct
Connect network service provider model.
How a direct AWS connection works
Your services hosted in AWS will be available to your users as follows:
You can configure public, private (or both) peering options depending on the AWS services you use.
Note: public and private peering services are discrete services from AWS and connections from Cloud
Gateway need to be established separately.
AWS connection via private peering
An example of a private AWS service is Elastic Compute Cloud (EC2), reached over what AWS calls a virtual
private interface. For this service, you'll provide two /28 subnet blocks. Each /28 block is then used to provide
addresses for the peering interfaces.
This diagram shows the private connection model:
[Diagram: private connection model. Your site connects over the Telstra IP network service (IP VPN) to Telstra's Cloud Gateway edge routers; high-availability connections run from the Cloud Gateway edge routers over 802.1Q trunks carrying the PRIVATE VLANs to the AWS Direct Connect devices (shown at Sydney Equinix), and from there into the AWS availability zone hosting the AWS private services (e.g. EC2).]
For this service, you’ll need:
A Telstra IP network service must be in place with an allocated and known Master Service ID.
Any sites you wish to use with Cloud Gateway must be connected to your Telstra IP network
service.
An AWS Direct Connect purchased and established by you.
One /28 network for interconnect addressing. This is subnetted into five blocks of IPv4 addresses
and must be unique across your sites, your IP VPN and your AWS private service. Public or
private IP addressing can be used to establish private peering, but typically you should provide
private IP addressing for a virtual private interface (VPI).
No Border Gateway Protocol (BGP) Autonomous System Number (ASN) is required from you for
peering with AWS as we’re providing a Cloud Gateway connection and will use public ASN 135599.
Once provisioned, any sites must have routing configuration enabled to receive routing information
about AWS IP subnets.
Key steps and responsibilities:
# | STAGE | ACTIVITY | RESPONSIBILITY
1 | Prerequisite | Established AWS tenancy with Cloud Gateway connection | Customer
2 | Prerequisite | Provide /28 IP subnet block for interconnect subnets | Customer
3 | Prerequisite | Provide Global IP MSID and account ID | Customer
4 | Prerequisite | Choose route summarisation mechanism | Customer
5 | Prerequisite | Design Virtual Private Cloud (VPC) addressing scheme | Customer
6 | Prerequisite | Complete the online Cloud Gateway order form | Customer
7 | Set-up | Provision of Cloud Gateway connection | Telstra
8 | Set-up | Send email with instructions to complete connection at AWS portal | Telstra
9 | Post set-up | Configure Virtual Private Gateway (VPG) | Customer
10 | Post set-up | Configure VPC | Customer
11 | Post set-up | Link the VPG to the VPC | Customer
12 | Post set-up | Test end-to-end connectivity from a Telstra IP network service to AWS | Customer
Example:
[Diagram: example private peering between Telstra Cloud Gateway and Amazon AWS Direct Connect. Both the primary and standby paths use VLAN-22 and carry PRIVATE peerings, with the peering interface addresses 192.168.1.1/32 and 192.168.1.2/32 on one path and 192.168.1.3/32 and 192.168.1.4/32 on the other.]
Rules and limitations:
Private peering may use either private or public IPv4 addresses, which you're to provide.
Each BGP peer has a limit of 100 routing entries (e.g. 100 entries for the private peering). If you have
more than 100 different routes in your network, the 'types of route summarisation' table below
provides route summarisation options.
Identical routes will be advertised to AWS on both the primary and standby paths.
As BGP is used between the cloud edge and AWS, BGP outputs will show prefixes with the following
ASNs in the AS path: 4637, 135599 and AWS' ASNs. If existing networks running BGP already use
these ASNs, routes may not be accepted without additional configuration, because a BGP router
discards any route whose AS path already contains its own ASN (loop prevention).
Route summarisation:
AWS accepts a maximum of 100 routes on the BGP session of a virtual private interface, as documented by AWS at
http://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html
To give you the ability to limit the number of routes advertised into your VPC on your virtual private
interface, we give you the following options when provisioning your Cloud Gateway service:
TYPES OF ROUTE SUMMARISATION
RFC1918
(WITH PUBLIC IP ADDRESSES)
Telstra’s Global IP VPN RFC1918 route summarisation: summarises all private routes into three summary routes as follows: 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
Routes that don’t fall into these ranges are not summarised and will be advertised into your VPC without change. If you have more than 97 non-RFC 1918 VPN routes, then BGP peering will not establish to your AWS VPC. This limit is imposed by AWS.
You're free to use RFC 1918 address space inside your Amazon VPC. Route summarisation is only performed in the outbound direction (from your Telstra IP network service towards your AWS cloud services). Subsets of these RFC 1918 ranges can still be configured in AWS and advertised into your Telstra IP network service.
This is the default configuration we recommend for establishing BGP peering to your AWS VPC (if you primarily use RFC1918 addressing within your Telstra IP network service).
Choosing this option will also suppress the default route (0.0.0.0/0) from being advertised from your Telstra IP network service to your AWS cloud services. This will allow you to use the AWS internet gateway for internet bound traffic from your AWS cloud services while also routing traffic destined for your Telstra IP network service via your AWS VPI.
If you wish to advertise a default route (0.0.0.0/0) from your Telstra IP network service into your AWS cloud services, then it’s best to choose ‘default route summarisation’
TYPES OF ROUTE SUMMARISATION
RFC1918
(NO PUBLIC IP ADDRESSES)
Similar to above option except that public IP routes are not advertised through the peering. This is applicable for customers who have large numbers of both public and private routes in their BGP routing table.
Summarises all 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 routes into three summary routes.
DEFAULT ROUTE SUMMARISATION
Default route summarisation: only advertises a default route from your Telstra IP network service to your AWS VPC, so all traffic from your VPC will be routed back into your VPN.
Please refer to documentation on AWS’ route tables if you intend on using the AWS internet gateway in conjunction with this option.
NO ROUTE SUMMARISATION
No route summarisation is performed and all routes from your VPN are advertised into your VPC. Only choose this if you're sure that your VPN has no more than 100 routes (counting any default route).
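The four options above are easy to get wrong when a VPN carries a mix of private and public prefixes, and the 100-route limit is where a design fails. The Python script below is an added example, not code from the guide or from Telstra: it applies each summarisation option to a VPN routing table and reports whether the result stays within AWS' limit. The mode names, the sample route list and the 203.1.1.0/24 prefix are constructed for this example; the three RFC 1918 summaries and the 100-route limit are the values stated above.

```python
import ipaddress

# Values taken from the guide: AWS accepts at most 100 routes on the peering,
# and the RFC 1918 options collapse private space into these three summaries.
AWS_ROUTE_LIMIT = 100
RFC1918_SUMMARIES = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")

# Mode names are this example's own labels for the four options in the table.
MODES = ("rfc1918_public", "rfc1918_private", "default", "none")


def summarise(routes, mode):
    """Return the sorted list of prefixes that would be advertised into the VPC.

    routes: iterable of IPv4 prefixes (strings) present in the IP VPN.
    mode:   one of MODES (see the route summarisation table).
    """
    if mode not in MODES:
        raise ValueError(f"unknown summarisation mode {mode!r}")
    nets = {ipaddress.ip_network(r, strict=False) for r in routes}

    if mode == "default":
        # Only 0.0.0.0/0 is sent; everything in the VPC routes back to the VPN.
        return [DEFAULT_ROUTE]
    if mode == "none":
        # Every VPN route, including any default route, goes to AWS unchanged.
        return sorted(nets)

    advertised = set()
    for net in nets:
        if net == DEFAULT_ROUTE:
            continue  # both RFC 1918 modes suppress the default route
        summary = next((s for s in RFC1918_SUMMARIES if net.subnet_of(s)), None)
        if summary is not None:
            advertised.add(summary)   # private route collapses to its /8, /12 or /16
        elif mode == "rfc1918_public":
            advertised.add(net)       # non-RFC 1918 route passes through unchanged
        # rfc1918_private: non-RFC 1918 routes are dropped from the peering
    return sorted(advertised)


def within_aws_limit(advertised):
    """True if AWS will accept the advertisement (no more than 100 prefixes)."""
    return len(advertised) <= AWS_ROUTE_LIMIT


def plan(routes, mode):
    """Convenience wrapper: (advertised prefixes as strings, fits_limit)."""
    adv = summarise(routes, mode)
    return [str(n) for n in adv], within_aws_limit(adv)


if __name__ == "__main__":
    # Constructed sample VPN routing table, not taken from the guide.
    sample = ["10.1.0.0/16", "10.2.0.0/16", "172.16.5.0/24",
              "192.168.1.0/24", "203.1.1.0/24", "0.0.0.0/0"]
    for m in MODES:
        prefixes, ok = plan(sample, m)
        print(f"{m:16s} {len(prefixes):3d} prefixes, within limit={ok}: {prefixes}")
```

Run it against an export of your own VPN routing table before choosing an option: the 'RFC1918 (with public IP addresses)' mode stays within the limit only while the non-RFC 1918 prefixes number 97 or fewer, exactly as the table states.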
AWS connection via public peering
The public and private services are discrete connections that need to be configured separately. An example
of a public AWS service is Simple Storage Service (S3), reached over a public virtual interface. For this service,
you'll provide a single /28 IP subnet block, which is divided to provide addresses for the interconnect subnets.
This diagram shows the public connection model:
[Diagram: public connection model. The Telstra IP network service (IP VPN) connects to Telstra Cloud Gateway; 802.1Q trunks carrying the PUBLIC VLANs run from Cloud Gateway to AWS Direct Connect (shown at Sydney Equinix) and into the AWS Availability Zone hosting the AWS public services (e.g. S3).]
For this service, you’ll need:
A Telstra IP network service (IP VPN) must be in place with an allocated and known Master Service
ID.
Any sites you wish to use with Cloud Gateway must be connected to the Telstra IP network service.
One /28 network for interconnect addressing. This is subnetted into five blocks of IPv4 addresses
and must be unique across your sites, your IP VPN and your AWS service. Public addressing must be
used to establish public peering.
One /30 network for transit traffic. Shorter prefix lengths (larger blocks) are accepted if you have
larger public address ranges that you want to advertise to AWS. This prefix (or prefixes) is advertised
through the BGP session to AWS. All customer traffic must be sourced from this range. You cannot send
traffic sourced from private IP addresses to your AWS VPI. In practice this means that traffic to an AWS
VPI must either originate from a device with a public IP address, or be SNATed to a public IP address
by you within your Telstra IP network service.
No BGP ASN is required from you for peering with AWS, as we’re providing a Cloud Gateway
connection and will use public ASN 135599.
Once provisioned, any sites must have routing configuration enabled to receive routing information
about AWS IP subnets.
Key steps and responsibilities:
# | STAGE | ACTIVITY | RESPONSIBILITY
1 | Prerequisite | Established AWS tenancy with Cloud Gateway connection | Customer
2 | Prerequisite | Provide /28 IP subnet block for interconnect subnets | Customer
3 | Prerequisite | Provide Global IP MSID and account ID | Customer
4 | Prerequisite | Network design for SNAT of AWS traffic | Customer
5 | Prerequisite | Design VPC addressing scheme | Customer
6 | Prerequisite | Complete the online Cloud Gateway order form | Customer
7 | Set-up | Provision of AWS peering | Telstra
8 | Set-up | Email to the customer containing SNAT IPs and configuration instructions for the AWS portal | Telstra
9 | Post set-up | Perform customer side SNAT configuration | Customer
10 | Post set-up | Configure connection at AWS portal | Customer
11 | Post set-up | Test end-to-end connectivity from IP VPN to AWS | Customer
Rules and limitations:
Public peering requires public IPv4 addresses, which must be provided by you.
Each BGP peer has a limit of 100 routing entries (e.g. 100 entries for the public peering).
For public peering, only the specific public prefixes provided in the cloud portal are advertised to
AWS.
For public peering, the longest acceptable prefix for advertised networks is /30 (in other words, a
/31 or /32 will not be accepted by AWS).
To minimise the number of entries advertised, you can summarise contiguous blocks of addresses
within your Telstra IP network service: two contiguous /28 blocks can be super-netted into one /27,
and so on, to reduce the number of prefixes in the table.
Identical routes will be advertised to AWS on both the primary and standby paths.
As BGP is used between the cloud edge and AWS, BGP outputs will show prefixes with the following
ASNs in the AS path: 4637, 135599 and AWS' ASNs. If existing networks running BGP already use
these ASNs, routes may not be accepted without additional configuration.
Example:
[Diagram: example public peering between Telstra Cloud Gateway and Amazon AWS Direct Connect. Both the primary and standby paths use VLAN-11 and carry PUBLIC peerings, with the peering interface addresses 203.1.1.1/32 and 203.1.1.2/32 on one path and 203.1.1.3/32 and 203.1.1.4/32 on the other.]
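As an added example that is not part of the guide, the Python script below checks a list of prefixes against the public peering rules above: public IPv4 only, nothing longer than /30, contiguous blocks super-netted, and the total held to 100 entries. The sample prefixes are constructed around the 203.1.1.0 range shown in the diagram. The test for "public" uses Python's ipaddress is_global, which also rejects documentation and CGNAT space; that is a choice of this example, not something the guide states.

```python
import ipaddress

# From the guide: at most 100 prefixes per BGP peer, and nothing longer than /30.
PUBLIC_ROUTE_LIMIT = 100
LONGEST_ACCEPTED_PREFIX = 30


def check_public_prefix(prefix):
    """Return a list of reasons a prefix is unusable for AWS public peering.

    An empty list means the prefix satisfies the rules in this section.
    """
    reasons = []
    try:
        net = ipaddress.ip_network(prefix, strict=True)   # host bits set -> ValueError
    except ValueError as exc:
        return [f"not a valid network: {exc}"]
    if net.version != 4:
        return ["public peering in this guide is IPv4 only"]
    if not net.is_global:
        # Rejects RFC 1918, link-local, loopback, documentation and CGNAT space.
        reasons.append("not public (globally routable) address space")
    if net.prefixlen > LONGEST_ACCEPTED_PREFIX:
        reasons.append(f"/{net.prefixlen} is longer than /{LONGEST_ACCEPTED_PREFIX}")
    return reasons


def supernet(prefixes):
    """Collapse contiguous or overlapping blocks (e.g. two adjacent /28s -> one /27)."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def plan_public_advertisement(prefixes):
    """Split prefixes into rejected/advertised and check the 100-route limit."""
    rejected = {}
    accepted = []
    for p in prefixes:
        problems = check_public_prefix(p)
        if problems:
            rejected[p] = problems
        else:
            accepted.append(p)
    advertised = supernet(accepted)
    return {
        "rejected": rejected,
        "advertised": advertised,
        "within_limit": len(advertised) <= PUBLIC_ROUTE_LIMIT,
    }


if __name__ == "__main__":
    # Constructed sample using the 203.1.1.0 range shown in the guide's diagram.
    sample = ["203.1.1.0/28", "203.1.1.16/28", "203.1.1.32/30",
              "10.1.0.0/24", "203.1.2.0/31"]
    result = plan_public_advertisement(sample)
    for p, why in result["rejected"].items():
        print(f"reject {p}: {'; '.join(why)}")
    print("advertise:", result["advertised"], "within limit:", result["within_limit"])
```

The super-netting step is the one to review by hand: collapse_addresses merges the two /28s into 203.1.1.0/27 but leaves 203.1.1.32/30 separate, because it cannot be aligned with the /27, so the entry count drops from three to two rather than to one.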
IBM SOFTLAYER CLOUD GATEWAY CONNECTION
Your Cloud Gateway service will provide you with direct connections to SoftLayer data centres using the
network service provider connection model. The connection method in use is via the SoftLayer cloud
exchange service. This allows connection into the SoftLayer services and your Telstra IP network service at
any of their global data centres.
For this service, you’ll need:
Telstra IP network service must be in place with an allocated and known Master Service ID.
Any sites you wish to use with Cloud Gateway must be connected to our Global IP VPN.
A SoftLayer account.
One /28 network for interconnect addressing. This is subnetted into five blocks of IPv4 addresses
and must be unique across your sites, your IP VPN and your SoftLayer service. Public or private IP
addressing can be used, but typically you should provide private IP addressing.
No BGP ASN is required from you for peering with SoftLayer, as we’re providing a cloud exchange
service connection and will use public ASN 135599.
Key steps and responsibilities:
# | STAGE | ACTIVITY | RESPONSIBILITY
1 | Prerequisite | Established SoftLayer tenancy with Direct Link | Customer
2 | Prerequisite | Provide Global IP VPN Master Service ID | Customer
3 | Prerequisite | Network design and analysis regarding SoftLayer restricted private IP ranges | Customer
4 | Prerequisite | Provide /28 IP subnet block for interconnect subnets | Customer
5 | Prerequisite | Configure SoftLayer tenancy | Customer
6 | Prerequisite | Complete online Cloud Gateway order form | Customer
7 | Set-up | Provision of Cloud Gateway connection (Telstra edge) | Telstra
8 | Set-up | Send an email with next steps to the customer | Telstra
9 | Set-up | Order a Direct Link from the SoftLayer portal | Customer
10 | Set-up | Provision of Direct Link connection | SoftLayer
11 | Set-up | Send 'connection ready' email | SoftLayer
12 | Post set-up | Test end-to-end connectivity from our Global IP VPN to SoftLayer | Customer
Rules and limitations:
Once provisioned, depending on the network subnets added at either side of the connection, routes
may need to be added to individual servers and VMs in SoftLayer.
SoftLayer reserves several IP ranges for its own use. If your Telstra IP network service ranges
overlap with these restricted ranges, it will not be possible to route them across the SoftLayer
Cloud Exchange connection. These ranges are:
o 10.0.0.0/14
o 10.200.0.0/14
o 10.198.0.0/15
o 169.254.0.0/16
o 224.0.0.0/4
o Any IP ranges assigned to your VLANs on the SoftLayer platform
SoftLayer prescribes the IP addressing of the private networks within your environment. These
private subnets will be somewhere in the 10.0.0.0/8 range but outside the restricted ranges listed
above. Therefore, if a prescribed IBM SoftLayer private network overlaps with a Telstra IP network
service range that needs to be accessed, that range will not be routed across the SoftLayer Cloud
Exchange connection either. You can request a different subnet for a private network from SoftLayer
via an ad-hoc ticket to try to resolve the conflict. Currently, there are two possible workarounds
for this restriction:
o Re-addressing: either in your Telstra IP network service, or by requesting new address ranges
from SoftLayer for any prescribed private network allocated.
o Network Address Translation (NAT) / tunnel: a solution offered by SoftLayer is to use the
Vyatta network appliance (available in the SoftLayer product catalogue) to create network
tunnels and/or NAT to overcome conflicts. This is treated as your designed and owned solution,
and is not part of Telstra's Cloud Gateway service.
Bandwidth controls are not currently implemented by IBM SoftLayer. Policing of the connection is
performed only on Telstra's Cloud Gateway routers.
SoftLayer shared services such as DNS, update servers, iSCSI/NAS/object storage, backup servers and
anti-virus services are not accessible over the SoftLayer cloud exchange service in your Cloud
Gateway service.
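The overlap analysis in step 3 of the table above is mechanical, so it is worth scripting before ordering the Direct Link. The Python script below is an added example, not code from the guide or from Telstra: it takes the prefixes advertised from your Telstra IP network service plus the private subnets SoftLayer has prescribed for your VLANs, and lists every route that the SoftLayer cloud exchange will not carry and the range it collides with. The five reserved ranges are the ones listed above; the VPN routes and the 10.50.8.0/26 VLAN subnet are constructed sample data.

```python
import ipaddress

# Ranges SoftLayer reserves for its own use, as listed in this section.
SOFTLAYER_RESERVED = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/14", "10.200.0.0/14", "10.198.0.0/15",
              "169.254.0.0/16", "224.0.0.0/4")
]


def find_conflicts(vpn_routes, softlayer_vlan_subnets=()):
    """Return (route, blocking_range, reason) for every VPN route that cannot be
    routed across the SoftLayer cloud exchange.

    vpn_routes:             prefixes advertised from the Telstra IP network service.
    softlayer_vlan_subnets: private subnets SoftLayer prescribed for your VLANs.
    """
    blocking = [(r, "SoftLayer reserved range") for r in SOFTLAYER_RESERVED]
    blocking += [(ipaddress.ip_network(v), "prescribed SoftLayer VLAN subnet")
                 for v in softlayer_vlan_subnets]
    conflicts = []
    for route in vpn_routes:
        net = ipaddress.ip_network(route, strict=False)
        for rng, reason in blocking:
            if net.overlaps(rng):   # any overlap, not just containment, blocks the route
                conflicts.append((str(net), str(rng), reason))
    return conflicts


def routable_routes(vpn_routes, softlayer_vlan_subnets=()):
    """The subset of vpn_routes with no conflict (candidates for the peering)."""
    blocked = {c[0] for c in find_conflicts(vpn_routes, softlayer_vlan_subnets)}
    return [r for r in vpn_routes
            if str(ipaddress.ip_network(r, strict=False)) not in blocked]


if __name__ == "__main__":
    # Constructed sample; 10.50.8.0/26 stands in for a subnet SoftLayer prescribed.
    vpn = ["10.1.0.0/16", "10.50.0.0/16", "10.199.0.0/24", "192.168.10.0/24"]
    for route, rng, why in find_conflicts(vpn, ["10.50.8.0/26"]):
        print(f"{route} overlaps {rng} ({why}); re-address or NAT required")
    print("routable:", routable_routes(vpn, ["10.50.8.0/26"]))
```

A route is reported even when only part of it overlaps (10.50.0.0/16 against a prescribed 10.50.8.0/26, for instance): the whole prefix is what gets advertised, so the whole prefix is what you must re-address, split or NAT.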
TECHNICAL SPECIFICATIONS
END-TO-END NETWORK ARCHITECTURE
Telstra IP network service customers with Cloud Gateway will have their IP VPN extended to a Telstra cloud edge router and connected to one or more cloud service providers. Connected cloud service providers will appear as another site/node on their IP VPN.
This diagram shows connections to currently available cloud providers through Cloud Gateway:
Cloud connections are built and configured as fully redundant from a Telstra IP network service to supported
cloud provider network edges. Multiple high capacity (Nx10G) links are configured as active/backup – so any
router or link failure along the path triggers failover without impacting cloud connectivity.
As part of the service, tails are provided to redundant POPs and both paths are routed through separate
hardware/physical links within Cloud Gateway infrastructure. Geographical separation is maintained from
Telstra IP network service PoPs all the way up to cross-links at respective cloud data centres. The service
will withstand failure of any single router or single link in the path.
In the case of complete failure of a cloud data centre, redundancy can only be provided if you have tenancy
and links to both data centres for the same cloud provider.
High availability for end-to-end service will be determined by connectivity of your sites to a Telstra IP network
service (protected or unprotected) and networking infrastructure within respective cloud providers. Load
balancing across active/backup links isn’t available.
BANDWIDTH MANAGEMENT
We manage the capacity of links between Cloud Gateway and cloud edge routers to help ensure available
bandwidth is sufficient for peak utilisation of all the configured connections. A bandwidth policer is applied
corresponding to the subscribed rate. All traffic is treated equally and any traffic exceeding the subscribed
bandwidth is dropped.
SERVICE MODIFICATIONS
Cloud Gateway supports multiple changes (what we call 'moves, adds and changes', or 'MACs') for Cloud
Gateway attributes as well as individual cloud connections.
Please bear in mind that there’ll be a lead-time to process these requests and some changes may cause an
outage to your existing cloud connection as outlined in the table below. You’ll need to ensure you complete
cloud provider portal configuration in a timely manner so we can complete this modification within the target
time.
To manage such outages, please speak with your Telstra representative before requesting these changes.
CHANGE TYPE: BANDWIDTH UPGRADE
Description: You're able to upgrade your bandwidth within the available bandwidth tiers. Upgrading bandwidth will not incur modification or early termination fees. If you exceed the Cloud Gateway bandwidth, due to an increase in an individual cloud connection, we'll ask you to upgrade to the next Cloud Gateway tier. If you have a fixed-term contract, your contract term restarts at the new (higher) bandwidth.
Availability and outage impact: AWS 1 hour (customer dependent); SoftLayer no outage.
CHANGE TYPE: BANDWIDTH DOWNGRADE
Description: You're able to downgrade your bandwidth within the available bandwidth tiers. This change will incur a one-off modification charge. If you have a fixed-term contract, early termination charges will also apply.
Availability and outage impact: AWS 1 hour (customer dependent); SoftLayer no outage.
CHANGE TYPE: ROUTE SUMMARISATION / FILTERING
Description: Only applicable for AWS.
Availability and outage impact: AWS 1 hour (customer dependent); SoftLayer NA.
CHANGE TYPE: DEFAULT ROUTE SUPPRESSION
Description: Only available for SoftLayer.
Availability and outage impact: AWS NA; SoftLayer NA.
SECURITY
Connectivity through Cloud Gateway keeps each customer's traffic separated from every other customer's
traffic end to end.
Each Cloud Gateway service is mapped to your own VPN Routing and Forwarding (VRF) instance on the
Cloud Gateway edge routers, giving Layer 3 separation, and the connection to the cloud edge is carried
inside a customer-specific 802.1Q VLAN, giving Layer 2 separation for your traffic.
Separation is not encryption: VRF and VLAN isolation stop other customers from seeing or injecting into
your traffic, but they do not provide confidentiality on the path itself. If you require your data to be
encrypted between your sites and your cloud workloads, apply that encryption yourself (for example, TLS at
the application layer, or IPsec between your CE routers and your cloud environment) on top of the Cloud
Gateway connection.
IP ROUTING PROTOCOLS
We use BGP routing to interconnect with cloud edge routers.
CLOUD PROVIDER SUPPORTED IP ROUTING
AWS
eBGP
SoftLayer
eBGP
Cloud Gateway edge routers peer with the cloud provider edge devices on behalf of the customers using
BGP. As a result, the following BGP ASNs cannot be used by you, in your Telstra IP network service.
Furthermore, these ASNs will also be visible within your Telstra IP network service routing table.
The eBGP between the two autonomous systems is configured as active-active. The eBGP protocol will then
pick the primary and secondary paths between the two peers.
NETWORK | PEERING POINT | ASN
Cloud Gateway | Global | 135599
Telstra's Global IP VPN | Global | 4637
AWS private / public peering | Dublin (EU-West-1) | 9059
AWS private / public peering | Tokyo (AP-NorthEast-1) | 10124
AWS private / public peering | Singapore (AP-SouthEast-1) | 17493
AWS private / public peering | Other regions | 7224
SoftLayer | Global | 12076
Note: you must not use any of the above AS numbers in your own Telstra IP network service.
SOURCE NETWORK ADDRESS TRANSLATION (SNAT)
If you’re using private IP addressing (RFC1918) and wish to establish AWS public peering, network address
translation has to be applied for source address(es). Such SNAT can be implemented at your sites before
using our global IP VPN.
SNAT at customer site
You're responsible for carrying out your own SNAT for public peering traffic. You can configure the NAT
feature on your Customer Edge (CE) routers. The diagram below shows the location of the NAT function within
the end-to-end cloud connection.
DESTINATION NETWORK ADDRESS TRANSLATION (DNAT)
DNAT may be needed if you use private RFC1918 addresses in your network and servers in the public cloud
networks need to access these private-addressed devices.
If you require DNAT, you must implement it on your own CE routers and advertise the translated pool of
prefixes to our Global IP VPN and Cloud Gateway. These prefixes are then advertised to the cloud provider
by Cloud Gateway.
SERVICE AVAILABILITY TARGET
Cloud connections are built and configured as fully redundant from our Global IP VPN to supported cloud
provider network edges. Multiple high capacity (Nx10G) links are configured as active/backup; any router or
link failure along the path triggers failover without impact to cloud connectivity. Your sites can be protected or
unprotected, which determines high availability for the end-to-end service.
CLOUD CONNECTION TYPE | SERVICE AVAILABILITY TARGET
Cloud Gateway (Layer 3 / Global IP VPN connectivity), available for AWS and SoftLayer | 99.99%
[Diagram (SNAT at customer site): your site, using private IP addresses, performs Network Address Translation to a public IP address at the CE router; traffic then crosses the Telstra access network, the Telstra IP network service and Cloud Gateway, and reaches the cloud service provider's public peering over fibre-optics.]
TECHNICAL SUPPORT
Telstra’s Cloud Gateway service provides you with four comprehensive levels of support to resolve any
issues that may occur during ordering, provisioning or ongoing operations with your service.
In the unlikely event of service issues or an outage, you can log your fault with the Cloud Service support
team with the following target SLAs:
CLOUD GATEWAY CONNECTIVITY OPTION | SERVICE LEVEL | COVERAGE HOURS | RESPONSE TIME TARGET | RESTORE TIME TARGET
Cloud Gateway with Global IP VPN | Business Plus | 24 x 7 | 60 min | 12 hours
CUSTOMER REPORTING
Customer reporting for Telstra’s Cloud Gateway service isn’t available for the initial release.
CUSTOMER PORTALS
Telstra’s Cloud Gateway service provides access to a range of online tools and portals for you to browse,
buy/activate, manage and access support for the product.
BROWSE/QUOTE
Telstra website www.telstraglobal.com/cloudgateway
BUY/ACTIVATE
Telstra Cloud Store buycloud.telstra.com
CONFIGURE/MANAGE
Telstra Cloud Portal mycloud.telstra.com
Faults can be logged by:
Raising a Cloud Gateway support ticket. You'll also find the support ticket link on the support page of the Cloud Services Portal.
Calling 800 7965 5888 with the relevant international access code from your country.
We're available 24/7.
SUPPORT
All Telstra portals support IE8.0 and above, Google Chrome and Firefox.
You can also refer to respective Cloud Service provider portals (e.g. AWS, SoftLayer) to configure/manage
your networking within the cloud environment.
GLOSSARY
TERM DEFINITION
ASN Autonomous System Number
AWS Amazon Web Services
BGP Border Gateway Protocol
eBGP External Border Gateway Protocol
iBGP Internal Border Gateway Protocol
BYO Bring your own (e.g. not purchased from Telstra)
CE Customer Edge (router)
DNAT Destination Network Address Translation
ETC Early termination charges
HSRP Hot Standby Router Protocol
I/C Interconnect
IP VPN IP Virtual Private Network (e.g. Telstra IP MAN and IP WAN services)
MAC Moves, adds and changes (e.g. modification to your service or product)
SNAT Source Network Address Translation
VLAN Virtual Local Area Network
VM Virtual machine (virtual server)
VPC Virtual Private Cloud (AWS)
VPG Virtual Private Gateway (AWS)
VPI Virtual private interface (AWS Direct Connect)
VRF VPN Routing and Forwarding
VRRP Virtual Router Redundancy Protocol