Deploy IP Connect with Advanced Network Services

IP Connect with Advanced Network Services (Layer 3) provides redundant Internet connectivity to CXD customers with additional network capabilities including NAT, VPN, and basic routing. CXD is our platform that delivers a programmable, software-defined intra-data center network; it is how dedicated infrastructure, from cabinets to bare metal servers and HCI nodes, is provisioned and connected on demand via the CXD Command Center or our API. IP Connect with Advanced Network Services can be ordered and configured on demand from the CXD Command Center, and the configuration of network capabilities can be changed at any time.

Requirements

  • Either a fully configured CXD or a CXD Enterprise Bare Metal compute deployment.
  • CXD Virtual Networks to provide private networking.
  • Private IPv4 subnets for each CXD Virtual Network.

Steps

Provision an IP Connect + Advanced Network Services instance.

  • Log in to the CXD Command Center - https://cxd.cyxtera.com using your Customer Console credentials.
  • Select the BAN and metro region where you wish to create the IP Connect Instance.
  • At the top of the screen, select 'New IP Connect.'
  • Select 'IP Connect + Advanced Network Services.'

Complete the 'General' details screen.

  1. Name - A friendly name for this IP Connect instance.
  2. Rate Limit - This is the maximum throughput of the IP Connect instance. Higher speeds are billed at a higher rate.
  3. Burstable / Fixed - Burstable connections can exceed the Rate Limit and will be billed at a higher rate. Billing for Burstable connections is based on 95th percentile for the month. Fixed connections will not exceed the Rate Limit, so no additional bandwidth charges will be billed beyond the base price.
  4. Click 'Next.'

Complete the 'Networks' details screen.

Networks are connected to the IP Connect instance and by default have access to the internet via Source NAT (SNAT). Optionally, you may enable routing between networks if more than one network is configured. Currently there is no firewall capability between networks.

  1. Virtual Network - Select an existing CXD Virtual Network from the dropdown. If you don't have any networks, they can also be created in Command Center.
  2. Address - The private network that will be used with this Virtual Network, e.g. 10.100.100.0. The first three addresses in each network are used by Cyxtera; the first address is the default gateway for the network.
  3. Network Size - The subnet size of the private network, e.g. /24.
  4. Click 'Add.'
  5. Repeat as needed to add all desired networks to the IP Connect instance.

Complete the 'DNAT' details screen (Optional).

Destination NATs (DNAT) allow traffic into your private networks from the Internet. This traffic is filtered by port, protocol and source address.

  1. Click 'Add New DNAT Configuration.'
    1. DNAT Network / Virtual Network - Select one of the Virtual Networks you added on the previous screen. This would be the virtual network that is hosting the application you would like to expose via DNAT.
    2. DNAT Network / Address - The IP Address of the host that is running the application you are exposing via DNAT.
    3. Port Type - The port type(s) you would like to expose via DNAT. You may select more than one port type, e.g. HTTP and HTTPS. For SSH access, you should specify port 22. For access through BMC web GUIs, specify port 443.
    4. Address Sources / Network Address (Optional) - You may filter the source address to a specific public network for additional security. Leaving this blank will allow traffic from any source address.
    5. Address Sources / Network Size (Optional) - The network size of the source network, e.g. /24.
    6. Additional Public IPs - For DNAT a public subnet will be allocated to you. You may select between 8 and 4096 usable public IPs. Note that there is a charge for public IP addresses.
  2. Add all required Destination NATs and then click 'Next.'
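As an added example (not part of the Cyxtera documentation), the following Python script checks a planned 'Networks' and 'DNAT' configuration against the rules above before it is purchased: each DNAT host must be a usable address that is not one of the three addresses Cyxtera reserves, and SSH or BMC ports left open to every source are flagged. The network names and addresses are constructed, and the script assumes the reserved addresses are the first three usable hosts of each network.

```python
import ipaddress

# Constructed sample plan in the shape of the 'Networks' and 'DNAT' screens (not real CXD data).
NETWORKS = [
    {"vnet": "app-vnet", "address": "10.100.100.0", "size": 24},
    {"vnet": "mgmt-vnet", "address": "10.100.200.0", "size": 26},
]
DNAT_RULES = [
    {"vnet": "app-vnet", "host": "10.100.100.10", "ports": [443], "source": None},
    {"vnet": "mgmt-vnet", "host": "10.100.200.5", "ports": [22, 443], "source": "192.0.2.0/24"},
    {"vnet": "mgmt-vnet", "host": "10.100.200.1", "ports": [22], "source": None},
]
# Ports the page singles out for SSH and BMC web GUI access.
MGMT_PORTS = {22: "SSH", 443: "HTTPS / BMC web GUI"}

def network_layout(address, size):
    """Return (network, gateway, reserved addresses) for one Virtual Network.
    Assumption: Cyxtera's three addresses are the first three usable hosts, .1 being the gateway."""
    net = ipaddress.ip_network(f"{address}/{size}", strict=True)
    reserved = [net.network_address + i for i in (1, 2, 3)]
    return net, reserved[0], set(reserved)

def check_dnat(networks, rules):
    """Return (severity, message) findings for a planned DNAT configuration."""
    layouts = {n["vnet"]: network_layout(n["address"], n["size"]) for n in networks}
    findings = []
    for r in rules:
        net, gateway, reserved = layouts[r["vnet"]]
        host = ipaddress.ip_address(r["host"])
        if host not in net or host in (net.network_address, net.broadcast_address):
            findings.append(("error", f"{host} is not a usable address in {r['vnet']} ({net})"))
        elif host in reserved:
            findings.append(("error", f"{host} is reserved by Cyxtera in {net} (gateway {gateway})"))
        if r["source"] is None:
            # A blank Address Source accepts traffic from every Internet address.
            for p in r["ports"]:
                if p in MGMT_PORTS:
                    findings.append(("warning", f"{host}:{p} ({MGMT_PORTS[p]}) is exposed to all sources"))
        else:
            # strict=True makes ip_network raise ValueError on a mistyped prefix (host bits set).
            src = ipaddress.ip_network(r["source"], strict=True)
            if src.num_addresses > 2 ** 16:
                findings.append(("warning", f"source filter {src} for {host} is wider than a /16"))
    return findings

if __name__ == "__main__":
    for severity, message in check_dnat(NETWORKS, DNAT_RULES):
        print(f"[{severity}] {message}")
```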

Post-Deployment

Once deployment has completed, you may view the details of the instance by clicking the instance name and 'View.'

This is where you can retrieve the information needed to complete IPSEC configuration on the customer premises side. You will need to configure your IPSEC tunnel to connect to the 'Cyxtera Primary Routing Device' IP address. For redundancy, it is recommended that you configure a backup connection to the 'Cyxtera Secondary Routing Device' IP address.

Additionally, you can edit the instance to change settings and add/remove public IPs and configure IPSEC tunnels.

Complete the 'IPSEC' details screen (Optional)

IPSEC is used to configure a LAN-to-LAN VPN connection into your CXD environment. Cyxtera uses a 'routed' configuration for IPSEC to simplify managing many networks on either side of the tunnel.

NOTE: Only a single tunnel per ANS instance is supported at this time. Cyxtera is working to support additional tunnels in a future release of ANS.

IKE (Phase 1) sets the parameters used to set up the initial phase of a VPN tunnel. Phase 2 cannot authenticate until the Phase 1 tunnel is established.

  • IKE Authentication Algorithm is the algorithm selected to set up Phase 1. Both sides of the tunnel must be set to the same value.
  • IKE Encryption Algorithm is the algorithm used to encrypt the Phase 2 setup. Both sides of the tunnel must be set to the same value.
  • Pre-Shared Key - This is the passcode used to authenticate the VPN connection between ANS and the customer VPN gateway. This key must be exactly the same on both VPN peers. It is case sensitive. Since it is only entered once on each side and there is no need to remember it, it is better to make it as complex as possible.

IPSEC (Phase 2) sets the parameters for traffic encryption, and defines what traffic will use the tunnel and how.

  • IPSec Authentication Algorithm - Authentication algorithm used to authenticate the IPSEC setup. Both sides of the tunnel must be set to the same value.
  • IPsec Encryption Algorithm - IPSEC encryption algorithm used to encrypt the data that needs to be protected.

Procedure:

  1. Click an existing IP Connect with ANS instance and select 'Edit.'
  2. Click 'IPSEC.'
  3. Click 'Add New IPSEC.'
  4. Name - A friendly name for this IPSEC connection.
  5. Peer Endpoint - The public IP address of the VPN peer.
  6. IKE Authentication
    1. IKE Hash - Internet Key Exchange Hash Algorithm
    2. IKE Algorithm - Internet Key Exchange Encryption Algorithm
    3. IKE Group - Diffie-Hellman Group
    4. Pre-Shared Key - Enter a pre-shared key. This will be the same key for both sides of the connection.
  7. IPSEC Authentication
    1. IPSEC Hash - IPSEC Hash Algorithm
    2. IPSEC Algorithm - IPSEC Encryption Algorithm
    3. IPSEC Mode - Encryption Mode (CBC or GCM)
    4. IPSEC Group - Diffie-Hellman Group
  8. Tunnel IP
    1. Network Address - The subnet to be used as the VPN routing network between locations.
    2. Network Size - The subnet size of the tunnel network, e.g. /30.
    3. Tunnel Local IP - The IP address to be used on the CXD side of the VPN tunnel.
    4. Tunnel Remote IP - The IP address to be used on the customer premises side of the VPN tunnel.
  9. Remote Networks
    1. Network Address - The address of the remote network at the other location that should be reachable from CXD.
    2. Network Size - The subnet size of the remote network, e.g. /24.
    3. Click 'Add' - Repeat as needed for all remote networks.
    4. Click 'Save' when all remote networks have been added.
  10. Click 'Next.'
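As an added example (not Cyxtera's own code), the following Python script checks the 'IPSEC' screen entries before you click 'Purchase': the Tunnel Local and Remote IPs must be the two usable hosts of the /30 tunnel network, each Remote Network must not overlap a CXD Virtual Network or the tunnel network (a routed tunnel cannot deliver traffic for an overlapping prefix), and the IKE and IPSEC parameters must match on both peers. All addresses, algorithm names and the customer-side values are constructed.

```python
import ipaddress

# Constructed sample in the shape of the 'IPSEC' screen (CXD side) and the customer's VPN gateway settings.
CXD_NETWORKS = ["10.100.100.0/24", "10.100.200.0/26"]   # the Virtual Networks from the 'Networks' screen
CXD_SIDE = {
    "peer_endpoint": "192.0.2.10",                       # customer VPN gateway (documentation address)
    "ike": {"hash": "sha256", "alg": "aes256", "group": 14},
    "ipsec": {"hash": "sha256", "alg": "aes256", "mode": "gcm", "group": 14},
    "tunnel_net": "169.254.10.0/30", "tunnel_local": "169.254.10.1", "tunnel_remote": "169.254.10.2",
    "remote_networks": ["192.168.10.0/24", "10.100.200.0/25"],
}
CUSTOMER_SIDE = {
    "ike": {"hash": "sha256", "alg": "aes256", "group": 14},
    "ipsec": {"hash": "sha256", "alg": "aes256", "mode": "cbc", "group": 14},
}

def check_tunnel_addressing(side, cxd_networks):
    """Validate the Tunnel IP and Remote Networks entries; returns a list of finding strings."""
    findings = []
    tnet = ipaddress.ip_network(side["tunnel_net"], strict=True)
    local = ipaddress.ip_address(side["tunnel_local"])
    remote = ipaddress.ip_address(side["tunnel_remote"])
    usable = set(tnet.hosts())   # a /30 has exactly two usable addresses, one per tunnel end
    if tnet.prefixlen != 30:
        findings.append(f"tunnel network {tnet} is not a /30")
    if local == remote or local not in usable or remote not in usable:
        findings.append(f"tunnel IPs {local}/{remote} must be the two usable hosts of {tnet}")
    # Remote networks are reached by routing over the tunnel, so they must not overlap any CXD
    # Virtual Network or the tunnel network itself; an overlap black-holes that traffic on one side.
    cxd = [ipaddress.ip_network(n) for n in cxd_networks] + [tnet]
    for rn in side["remote_networks"]:
        r = ipaddress.ip_network(rn, strict=True)
        for c in cxd:
            if r.overlaps(c):
                findings.append(f"remote network {r} overlaps {c}")
    return findings

def check_proposals(a, b):
    """Return the Phase 1 / Phase 2 parameters that differ between the two peers; all must match."""
    diffs = []
    for phase in ("ike", "ipsec"):
        for key in sorted(set(a[phase]) | set(b[phase])):
            if a[phase].get(key) != b[phase].get(key):
                diffs.append(f"{phase}.{key}: cxd={a[phase].get(key)} customer={b[phase].get(key)}")
    return diffs

if __name__ == "__main__":
    for line in check_tunnel_addressing(CXD_SIDE, CXD_NETWORKS) + check_proposals(CXD_SIDE, CUSTOMER_SIDE):
        print(line)
```

The pre-shared key is deliberately left out of the comparison so that it is never printed; compare it on the two devices by hand, remembering that it is case sensitive.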

Finalize your deployment by clicking 'Purchase.' Configuration should complete in a few minutes.

Example Screenshots

Figure 1: Name and Speed Configuration

Figure 2: Virtual Network Configuration

Figure 3: Destination NAT Configuration

Figure 4: IPSEC Configuration

Vendor Documentation

ANS uses a route-based IPSEC implementation. Please refer to your security vendor documentation on how to configure your device for route-based IPSEC VPNs.

Fortinet - https://docs.fortinet.com/document/fortigate/6.0.0/handbook/255040/ipsec-vpn-overview

Cisco - https://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629.html

pfSense - https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/routed-vti.html

Juniper - https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-route-based-ipsec-vpns.html

Palo Alto - https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/vpns/site-to-site-vpn-quick-configs/site-to-site-vpn-with-static-routing.html#id12184b17-432a-41cf-b10c-67eca32b4bb6