Network Access Options for Connecting to Tier 3’s Platform

Dave Burkhardt
posted this on October 07, 2011 11:09


The following document is intended to be a basic overview of the network connectivity options for connecting to Tier 3’s cloud platform. In summary, Tier 3’s customers can leverage three different access methods: (1) Client Based VPN Tunnels, (2) IPSec Point-to-Point VPN Tunnels, and/or (3) Direct Access Connectivity (i.e., bypassing the public Internet). Moreover, if the utmost network resiliency is required, customers can easily deploy all three of these access methods in conjunction with each other. The descriptions below provide more details on these access methods, along with connectivity scenarios for typical organizations.

 

 

Client Based VPN Tunnels

A virtual private network (VPN) is a virtual network built on top of existing physical networks that can provide a secure communications mechanism for data and control information transmitted between networks. VPNs are used most often to protect communications carried over public networks such as the Internet. A VPN can provide several types of data protection, including confidentiality, integrity, data origin authentication, replay protection and access control. Tier 3 allows customers to connect Windows, Linux and/or Macintosh based clients directly to their provisioned systems on Tier 3’s platform via a VPN client. This VPN connectivity is enabled by installing the OpenVPN software on those operating systems. The software and instructions for installing it can be found on Tier 3’s Control portal.

 

Possible Connectivity Scenarios for OpenVPN/Client Based Systems:

  1. Customers who have remote users and/or have no IT infrastructure at their office except for Internet connectivity can provision the OpenVPN client on their end users’ desktops to connect to a complete backoffice infrastructure (Exchange, SharePoint/Wiki, ADP, File Server, etc.) hosted on Tier 3’s platform.
  2. A client may have a Point-to-Point VPN tunnel (please see below) configured between their corporate network and Tier 3’s, but the client’s office Internet connectivity experiences an outage. In this event, users could access any systems hosted on Tier 3’s platform from any remote Internet access point (e.g., coffee shops, home, etc.) via their laptops with the OpenVPN client.

 

 

IPSec Point-to-Point VPN Tunnels

IPsec is a framework of open standards for ensuring private communications over public networks. It has become the most common network layer security control, typically used to create a VPN tunnel. There are two primary IPSec point-to-point tunnel configuration models Tier 3 supports, and they are as follows:

a) Gateway-to-gateway. This model protects communications between two specific networks, such as an organization’s main office network and a branch office network, or two business partners’ networks.

b) Host-to-gateway. This model protects communications between one or more individual hosts and a specific network belonging to an organization.

 

Possible Connectivity Scenarios for IPSec point-to-point tunnels:

  1. A customer who wishes to extend their network and/or infrastructure to Tier 3’s platform.
  2. A customer who may want to off-load their backoffice systems (e.g., Exchange, SharePoint, etc.) from their network/premises and have Tier 3 provide these services instead, but would like to maintain one seamless/contiguous network for their end users. In this scenario, a customer’s laptop/desktop would not need to utilize the OpenVPN client while the system is connected to the corporate LAN. However, if the OpenVPN infrastructure is configured, clients may connect into their corporate network and/or Tier 3’s platform when these users’ laptops are remote.
  3. The host-to-gateway model is most often used to allow hosts on unsecured networks, such as traveling employees and telecommuters, to gain access to internal organizational services, such as the organization’s e-mail and Web servers.

 

 

Direct Access Connectivity

Ethernet connectivity via data center cross connects, MPLS networks, and/or other dedicated circuit services are available options for Tier 3’s customers who wish to bypass the public Internet and connect their infrastructure with dedicated connectivity. Bypassing the public Internet and deploying dedicated connectivity can improve performance between networks, since Internet-bound traffic typically needs to traverse multiple geographic points of presence (POPs) to get to its final destination, and the locations of these POPs can change on a daily basis. Moreover, enabling direct connectivity bypasses multiple other issues that are inherent with the Internet, e.g., DDoS attacks, ISP outages, network oversubscription, etc.

 

Possible Connectivity Scenarios for Direct Access Connectivity:

  1. If a customer has multiple branch offices, they can centralize all of their connectivity by meshing together all of their offices with an MPLS network, and then also extending this MPLS network to Tier 3. Enabling this type of architecture centralizes Internet access and the security policies, which can then be enforced from the head office.
  2. Tier 3 customers who reside in Equinix’s data centers can leverage several connectivity options that will allow direct connectivity between Tier 3’s cage(s) and a customer’s infrastructure. This direct connectivity will allow for fast, low-latency secure connections for the perfect combination of private and enterprise-grade public cloud for those enterprises who want to securely extend their network into the cloud.