Cloud Security - Network Isolation PDF

Summary

This document is a lecture note on Cloud Security, focusing on network isolation strategies. It covers workload isolation, network isolation, storage isolation, and application/data isolation in cloud environments.

Full Transcript

Cloud Security

1 Copyright © Ramesh Nagappan. All rights reserved.
 Cloud Security
Week 4 – Lecture 1

Ramesh Nagappan

Harvard University
2 Copyright © Ramesh Nagappan. All rights reserved.
 § Evolving Cloud Security Architecture
§ Building Secure Multitenancy
Week 4
Lecture - 1 § Secure Isolation Strategies
– Workload Isolation
– Network Isolation
– Storage Isolation
– Application & Data isolation

3 Copyright © Ramesh Nagappan. All rights reserved.
Multitenant Cloud Security

Secure
Isolation

Access APPS
COMPUTE STORAGE NETWORK
Control DATA

Data
Protection

Monitoring &
Auditing

4 Copyright © Ramesh Nagappan. All rights reserved.
Quick Recap
Compute/Workload Isolation options

§ Physical Isolation
Dedicated hosts
§ Virtual Machines
Type 1 Hypervisor
Type 2 Hypervisor
§ Containerization (Microservices)
OCI Standard
CRI Standard
§ Serverless Functions (Nanoservices)
API Endpoints
Accessible via API Gateway

5 Copyright © Ramesh Nagappan. All rights reserved.
Quick Recap
Multi-tenancy using Compute Isolation

Isolation Options
Servers/VMs
Containerization
API Functions

3R Availability Options
Datacenters
Availability Zone
Regions

6 Copyright © Ramesh Nagappan. All rights reserved.
Cloud Security Architecture : Building Blocks
Compute Network Storage Application/Data
Physical
§ Type 1 Hypervisor (VM)
Secure
§ Type 2 Hypervisor (VM)
Isolation
§ Application Containers
§ Functions

Data
Protection

Access
Control

Monitoring
and Auditing

7 Copyright © Ramesh Nagappan. All rights reserved.
 Cloud Infrastructure - Tenant Isolation
Critical Requirements
Workload Isolation
o Applications running in the cloud as workloads that share the system's resources, such as CPU, memory, and
networking. Workloads must be isolated from each other so that the tenants remain autonomous and secure within
the hosted infrastructure requiring secure implementation of runtime environment and virtual systems isolation.

Network Isolation
o The application data flow on the network transit share the Cloud network infrastructure and allow clients or other
hosts to connect to a particular endpoint. Network traffic and endpoints must be segmented and isolated to protect
from unauthorized/unwanted access so that the clients and communicating peers can securely access the tenant.

Storage Isolation
All guest tenants must have a dedicated storage for storing application data. The storage assignment must remain
isolated and it cannot be accessible to co-residents. The dedicated tenant storage can be a slice or group disks as
logical volumes or virtual hard disk, volume storage but it must be secure and isolated for use with the target guest.

Application/Data Isolation
All application and data pertaining to a guest tenant on the cloud must remain secure and isolated during transit, in
use and at rest. Application and data isolation must be maintained at the platform with controls that can help
isolation of application and data instances at runtime or Operating System environment.
8 Copyright © Ramesh Nagappan. All rights reserved.
Network Isolation
Why it is important ?

þ In a cloud configuration tenants share compute, network and storage resources from
the same underlying physical infrastructure. Without network isolation, tenants could
intentionally or unintentionally consume a large part of the network, intrusively see data
on the network that does not belong to them or invoke side-channel tenant attacks.

þ Cloud Providers typically want network isolation for resource management or network
security. In most cases, these Cloud Providers choose to combine both as a means to
satisfy tenant requirements.

9 Copyright © Ramesh Nagappan. All rights reserved.
Network Isolation in Cloud
Types of Network Isolation options

§ Network Traffic Isolation
– In a Cloud environment there are many cases where consumer traffic needs to be

isolated from untrusted network. Traffic isolation can be used to provide an initial layer
of security, higher bandwidth for specific tenants, implement specialized chargeback
policies, or to support tiered networks.

§ Network Security Isolation (Data Protection)
– Networks in a consolidated environment must be secure and authenticated against

trusted clients. Network traffic can be implemented using encryption (SSL/TLS,
IPSec) or authentication; i.e., allow or deny tenant service access using validation
rules.
10 Copyright © Ramesh Nagappan. All rights reserved.
Network Isolation
Physical vs. Virtualization

Traditional Network Virtual Network
(using Physical) (After Virtualization)

11 Copyright © Ramesh Nagappan. All rights reserved.
Image Courtesy : CSA Security
Physical Network Traffic Isolation
Technologies available to provide Network traffic isolation

þ Physical Segmentation
§ Uses separate “Network Interface cards” to carry traffic for logically
grouped applications.
§ Note that all network traffic is still carried across the same set of switches
and router, thus network convergence still exists. To have a completely
isolated network, a silo’ed network with separate networks and routes needs
to be in place.
þ A completely isolated network is not recommended as it does not promote optimal sharing of cloud
resources and adds significant management overhead.

12 Copyright © Ramesh Nagappan. All rights reserved.
 Does Virtualization help Network Isolation ?
þ With Virtual Networking, hypervisors can provide networking capabilities,
allowing the individual guest OSs to communicate with one another while
simultaneously limiting access to the external physical network.
Network interfaces that the guest OSs see may be virtual, physical, or both.

þ Typical hypervisors offer three primary forms of network access:
§ Network Bridging: Guest OS is given direct access via Host OS to the host’s network interface cards (NIC).
§ Network Address Translation (NAT). Guest OS is given a virtual NIC connected to a simulated NAT inside the
hypervisor. All outbound network traffic is sent through the virtual NIC to host OS for forwarding to a physical NIC.
§ Host Only Networking The guest OS is given a virtual NIC that does not directly route to a physical NIC In this
scenario, guest OSs can be configured to communicate with one another and, potentially, with the host OS.

þ Virtual networks can be built through logical isolation using VLANs in switches,
overlay networks and using Software-Defined Network (SDN) solutions.
13 Copyright © Ramesh Nagappan. All rights reserved.
Virtualized Network Traffic Isolation
Technologies available to provide Network traffic isolation

þ vNIC (Virtual Network Interface Controllers)
§ In a Virtualized environment, VNICs are the fundamental building block of
network virtualization. VNICs are created and assigned IP addresses as
communication end points.
§ A physical NIC is divided into multiple virtual interfaces (vNICs) to create
kernel isolated and dedicated network stacks. These physical network
interfaces can be presented as vNICs and shared between one or more
VMs. However, each vNIC interface is assigned a unique IP and MAC
address, thus from a layer 2 perspective each vNIC is distinct.
14 Copyright © Ramesh Nagappan. All rights reserved.
vNIC
Example configuration

§ VNICs are created on top of physical
interfaces (ex. link0)
§ From the application's point of view,
VNICs appear exactly like physical
interfaces
§ Typically, vNICs will be used in
conjunction with VLANs.
Operating System / Hypervisor

15 Copyright © Ramesh Nagappan. All rights reserved.
vNIC
Example configuration – Bandwidth control

§ vNICs can be created in both
hypervisor type-1 and virtualized
guest OS configurations.
§ Bandwidth can also be assigned to
vNICs to make certain that each
vNIC will have a minimum bandwidth
available, regardless of the
bandwidth usage of other virtual
machines sharing the same physical
NIC.
Operating System / Hypervisor

16 Copyright © Ramesh Nagappan. All rights reserved.
Virtual Switch
§ Virtual switch work typical to
Ethernet Switch
– Processes Layer 2 headers and perform Layer 2
forwarding using Hypervisor
– The ports on a virtual switch provide logical
connection points among virtual devices and
between virtual and physical devices.
– Allow creating Virtual LAN (VLAN) segmentation
at the port level
VM1 VM2 – VLAN tagging, stripping and filtering
Host / Operating System / Hypervisor – Access to a single VLAN is like an access port in
physical switch
– With access to multiple VLANs, leaving tags
intact, similar to trunk port in physical switch

17 Copyright © Ramesh Nagappan. All rights reserved.
Image source: VMWare
VLAN - Physical Network Traffic Isolation
Network segmentation for traffic isolation

þ VLAN (Virtual LAN)
§ In a Virtual LAN (an IEEE 802.1q standard), is a method for segregating
network traffic within a bridged LAN infrastructure. VLANs allow two logically
separated networks to use the same physical medium, while not allowing
them to intercommunicate without a layer 3 device (router).
§ This VLAN configuration is done at a “Physical Switch” and defines mapping
between VLANs and ports - referred to as “VLAN tagging”.
§ VLAN Tagging enables segmentation can be defined in the host server to
further isolate network traffic. Packets sent by a vNIC on a VLAN cannot be
seen by vNICs on other VLANs.

18 Copyright © Ramesh Nagappan. All rights reserved.
VLAN Topology
Understanding VLAN configuration and tagging
§ VLANs using Physical NICs or vNICs
on host computers/VMs helps to isolate
and segment on-premise physical or
virtual network resources.
§ VLAN configuration and tagging is
done at the switch and defines
mapping between VLANs and ports.
§ VLAN tagging helps isolation of
network traffic to a specific network
group.
§ In the context of VLANs, the term
"trunk" denotes a network link carrying
multiple VLANs, which are identified by
labels (or "tags") inserted into their
packets.
19 Copyright © Ramesh Nagappan. All rights reserved.
Image Courtesy : Lantech
VLAN – Known Limitations
“NOT” make sense to use in Cloud hosted Network ?
⌧ VLAN presents several limitations, which include:
o Broadcast limitations
o Device limitations – Most VLANs can only support about 500 ethernet
addresses per device
o Port limitations – All ports on the switch must be connected to VLAN
o Less efficient in terms of controlling network latency, requires decreasing the
network traffic in WAN/LAN
⌧ VLANs are ideal for on-premise data center and not suitable for cloud-based
network deployments as they lack critical isolation capabilities for multitenancy
20 Copyright © Ramesh Nagappan. All rights reserved.
On-Premise Network Isolation With VLAN
Deployment Scenario within an On-premise Datacenter

Firewall
net2
Virtualization Layer
Hardware Layer

21 Copyright © Ramesh Nagappan. All rights reserved.
 VXLAN - Cloud Overlay Networks
Overlay technology for building Layer 2 Network on Layer 3
þ VXLANs (Virtual eXtensible Local Area Networks) is a network
virtualization technology that helps to overlay Layer 2 networks over Layer
3 networks.
§ Enables building a scalable and flexible network segmentation in cloud environments
§ Assures Scalability supporting up to 16 million logical network segments (VXLAN segments)
§ Enables seamless workload mobility within and across data center
§ Works across different vendors' networking hardware and software
§ Traffic Isolation: Allows for secure “network” multi-tenancy in cloud environment to build Virtualized
data centers to accommodate multiple tenants and multiple virtual networks per tenant

þ VXLAN encapsulates Layer 2 Ethernet frames into UDP Packets over a
Layer 3 network - Utilizing MAC-in-UDP encapsulation.
§ Adds a VXLAN header with a 24-bit VNID (VXLAN Network Identifier)
§ VXLAN packets are forwarded based on the inner MAC address, enabling communication between
virtual machines across VXLAN segments.
22 Copyright © Ramesh Nagappan. All rights reserved.
VXLAN - Cloud Overlay Networks
Overlay technology for building Layer 2 Network on Layer 3

By enabling Layer 2 on Layer 3, VXLAN enables connect two or more
“Layer 3 network domains” and make them look like a common layer two
domain and across physical networks.
Makes it ideal for building Cloud network infrastructure allowing centralized control and policy
enforcement through Software-Defined Network controllers
23 Copyright © Ramesh Nagappan. All rights reserved.
Image source: ARISTA
Virtual Extensible LAN (VXLAN)
Overlay technology for building Layer 2 Network on Layer 3

þ VXLAN enables you to create a logical network for your physical and
virtual machines across different networks without VLAN limitations.
§ Devices that support VXLANs are called Virtual Tunnel Endpoints (VTEPs)—they can be end
hosts or network switches or routers. VTEPs encapsulate VXLAN traffic and de-encapsulate
that traffic when it leaves the VXLAN tunnel.
§ The transport protocol over the physical data center network is IP plus UDP.
§ VxLAN provides isolation by segmenting the traffic is limited to VxLAN network identifier (VNI)
§ This helps in creating multi-tenant network architectures, where a single infrastructure must be shared.

24 Copyright © Ramesh Nagappan. All rights reserved.
Input/Output (I/O) Virtualization

§ Input/Output virtualization abstracts physical I/O devices, such as network
interface cards (NICs), storage controllers, and graphics cards, into virtual
entities.
– Enables sharing among multiple virtual machines (VMs) or workloads.
– Enables the efficient utilization and management of I/O resources in virtualized environments by
decoupling the physical hardware through Emulation via Hypervisor – Not Scalable.
– Modern servers run about 50-100 virtual machines, but only have around 5-10 I/O devices. This is
clearly a problem - Solution : SR-IOV (Single Root I/O virtualization)
25 Copyright © Ramesh Nagappan. All rights reserved.
Image Courtesy: Ramin Moazani
SR-IOV : Single Root I/O Virtualization
High-performance I/O and Networking for Cloud
§ SR-IOV specification ratified by PCI-SIG.
– Defines a high-performance path bypasses the host computer or VM
from the datapath, reducing latency, jitter, and CPU utilization.
§ For example, a single physical network interface card (NIC) or other I/O
device to appear as multiple virtual devices, each with its own dedicated
resources and direct access to the underlying hardware.

§ SR-IOV allows PCIe devices to present itself
as multiple virtual interfaces.
– Introduces the idea of physical functions (PFs) and virtual functions
(VFs) for delivering high-performance and scalable I/O devices.
– For example, in a networking scenario SR-IOV addresses the I/O
limitation by offloading the networking tasks directly to the NIC
hardware.
§ It enables the NIC to create multiple virtual functions (VFs), each with its
own unique MAC address, VLAN tag, and other parameters.
– SR-IOV is used to improve Cloud hosted VM network performance,
reduce latency, and enhance the scalability of virtualized workloads
26 Copyright © Ramesh Nagappan. All rights reserved.
SR-IOV Advantages

SR-IOV
Enabled

§ Removing the virtual switch from the datapath removes the time packets spend in the host
enabling more data to be pushed at once.
– Offloading the policy enforcement to the hardware removing the host to VM communication and all
software interrupts and context switches, which is better for streaming data.
– SRIOV typically results in lower CPU utilization (by up to 50%), lower network latency (by up to
50%), and higher network throughput (by up to 30%)
27 Copyright © Ramesh Nagappan. All rights reserved.
Courtesy: Microsoft Azure
 Container Networking – Isolation Model
Containers rely on “Container Network
Interface (CNI)” standard that provides a
simple contract between the container
runtime and network plugins.
– CNI is a Cloud Native Computing
Foundation (CNCF) standard interface
– CNI establishes network isolation and
connectivity via the container runtime that
allocates a “network namespace” to the
container and assigns it with container id.
– The underlying network driver attaches the
container to the network and reports the
assigned IP address back to the container
via Container runtime.
28 Copyright © Ramesh Nagappan. All rights reserved.
Cloud Networking - Container vs Virtualization

*

* Container Runtime (e.g., Containerd, CRI-O)
29 Copyright © Ramesh Nagappan. All rights reserved.
Software Defined Networking (SDN)
§ Software-defined networking (SDN) is a
new approach to networking that provides
high-level abstraction of Networking
functionality
– Allows Network administrators to manage Network services
through abstraction of high-level APIs for applications.

§ SDN essentially acts a virtual software
switch or router and attempts to replace
traditional physical switches and routers from
making traffic decisions.
– SDN introduces the notion of Network OS (NOS) that
interacts with the switches.
– Decouples the Network devices with a control plane for
making traffic decisions.

§ OpenFlow is the specification and
implementation standard for SDN.
30 Copyright © Ramesh Nagappan. All rights reserved.
OpenFlow

§ OpenFlow platform allows for the de-coupling of a network device’s control
plane from the data plane
– In a network device, Control plane is considered as the brain and data plane is the packet forwarding engine.
– OpenFlow APIs directly interface with the hardware tables (example: Forwarding Information Base, or FIB) that
exist on networking devices instructing the device how to forward traffic.
– The data can be flow level data, routing tables, FIB tables, interface statistics, MAC tables, VLAN tables, serial
numbers, and the list can go on.
– Google Cloud builds on OpenFlow platform
31 Copyright © Ramesh Nagappan. All rights reserved.
Image source: OpenFlow
SDN driven Network Virtualization
SDN abstracts the network management
plane from the underlying physical
infrastructure, removing many typical
networking constraints.
Overlay multiple networks, even ones that
completely overlap their address ranges, over the
same physical hardware, with all traffic properly
segregated and isolated.
Enables Cloud provider to deliver self-
service provisioning of network resources.
Global network view
Protocol-independent configuration of network
device
Abstraction hides details of forwarding hardware
using software settings and API calls, which
supports orchestration and agility.
32 Copyright © Ramesh Nagappan. All rights reserved.
Virtual Networking
Isolated Network running Isolated tenants in a Public cloud
q Software Defined Networking (SDN)
provides the mechanisms to centrally,
dynamically and programmatically configure
“Virtual networks”.
The notion of Virtual network defines the ability to
deploy, manage and control an autonomous tenant.
(10.0.2.0/24)
Popularly called as Virtual Private Cloud (VPC) it
subnet is a logically isolated datacenter from all other cloud
subnet
(10.0.1.0/24) tenants.
Ex. AWS VPC, Azure Virtual Network, Google VPC
q Logical isolation of network rely on the virtual
network functions and security features that
(10.0.0.0/16)
gives the Cloud customer control over
network bound resources
A group of IP addresses or services that establish
an isolated address space in cloud and further
divided into automatically routed subnets.
34 Copyright © Ramesh Nagappan. All rights reserved. Image: Azure Virtual Network
Virtual Networking in Cloud
The Virtual Private Cloud (VPC) - Scope of IP addressing
þ A Virtual Network (or VPC) is a logical data center typically deployed in a Public
cloud bound to a datacenter in a region.
§ Within the region, the network may span in multiple availability zones (independent
fault domains)
§ Virtual networks are identified with IP Addressing prefixes (CIDR blocks)
enable communication between the availability zones a VPC spans.
§ The size of a prospective Virtual network is based on the IP addressing
scheme - CIDR (For ex. 10.0.0.0/16 represents 65,536 addresses in IPv4)
þ Subnets can be created within the scope of an IP address prefix.
§ Typically, a subnet must be contained completely within a single, existing IP address
prefix.
§ The Cloud provider will use an implicit router to establish connectivity between all
subnets created within a Virtual network.
35 Copyright © Ramesh Nagappan. All rights reserved.
Understanding IPv4 and IPv6
Scope of IP addressing
þ The two most common versions of IP in use today are Internet Protocol
version 4(IPv4) and Internet Protocol version 6 (IPv6).
§ Both IPv4 (32 bit) and IPv6 (128 bit) addresses come from finite pools of numbers.
§ For IPv4, the address space is 32-bits (232) in size which contains 4,294,967,296 IPv4 addresses
theoretically has more than 4.3 billion IP addresses
§ Only 3.7 billion are available for public use because the rest is reserved for special purposes
(e.g. 224/4 for multicast) or future use (240/4)
§ For IPv6, the address space is 128-bits (2128) in size, containing (approximately 340 Undecillion)
340,282,366,920,938,463,463,374,607,431,768,211,456 IPv6 addresses.
§ In a typical network, not every IP address in the IPv4 or IPv6 pool can be assigned
to the machines and devices used to access the Internet – Some are reserved.
§ IP addresses can be taken from the IPv4 or the IPv6 pool and are divided into two
parts, a “network section” and a “host section”.
§ The network section identifies the particular network, and the host section identifies the particular node.

37 Copyright © Ramesh Nagappan. All rights reserved.
IPv4 – IP Version 4
Anatomy of an IPv4 Packet Communication

38 Copyright © Ramesh Nagappan. All rights reserved.
IPv4 Address
How it looks like ?
§ An IP address is a 32-bit (4 bytes) long identifier
– Encodes a network number (network prefix) and a host number

§ IP addresses are written in four ”octets” each using 8-bit so-called quad
dotted decimal notation
§ Each byte is identified by a decimal number in the range [0..255]:

39 Copyright © Ramesh Nagappan. All rights reserved.
IPv4 : Network Prefix & Host Number
How it looks like ?
§ The network prefix identifies a “network prefix” and the “host number” identifies
a specific host (actually, interface on the network).

128.143 137.144
§ How do we know how long the network prefix is?
– The network prefix used to be implicitly defined (unlike classful-based
addressing - A,B,C,D…)
– With CIDR, the network prefix now is flexible and is indicated by a
prefix/netmask (classless).

40 Copyright © Ramesh Nagappan. All rights reserved.
IPv6 – IP Version 6
Anatomy of IPv6 comparing IPv4

41 Copyright © Ramesh Nagappan. All rights reserved.
IPv6 – IP Version 6
Understanding IPv6 ?
§ IPv6 is a significant increase in size of the IP address to 128 bits (16
bytes) written using hexadecimal digits for each integer.
– Can represent more than 340 short-scale undecillion different values
– IPv6 can provide 2128 = (232)4 » 4 billion x 4 billion x 4 billion x 4 billion addresses

§ IPv6 removes several IPv4 header fields or moves them to the IPv6
extension headers to reduce the length.
– The basic IPv6 packet header has a fixed length of 40 bytes to simplify IPv6 packet handling and
to improve the forwarding efficiency.
– Although an IPv6 address size is four times larger than an IPv4 address, the basic IPv6 packet
header size is only twice the size of the option-less IPv4 packet header.

§ Larger address space: The source and destination IPv6 addresses are
128 bits long.
42 Copyright © Ramesh Nagappan. All rights reserved.
IPv6 Addressing & Classes
Role of Network addressing in IPv6
þ An IPv6 address is a 128-bit hexadecimal address used to uniquely identify
devices on a network.
§ Represented in eight groups of four hexadecimal digits separated by colons
§ For example - a valid IPv6 address will be:
2001:0DB8:7654:0010:FEDC:0000:0000:3210

þ A hexadecimal number can reflect 16 (24) different values (0-9, A-F) which
corresponds to exactly 4 bit. Since every group consists of four hexadecimal
numbers, each group has 16 bit (216)
þ Major difference an IPv4 host and an IPv6 host.
§ An IPv4 host typically uses one IP address; but an IPv6 host can have more than one IP address
43 Copyright © Ramesh Nagappan. All rights reserved.
IPv6 Allocation and Address Formats
§ The IPv6 addresses identifies allocation plans to registry, provider, subscriber,
subnetwork and interfaces.

§ Registry: identifies the agency that registered the address
§ Provider: Id of Internet access provider
§ Subscriber: Id of the organization at provider
§ Subnetwork: Id of subnet within organization
§ Interface: identifies an interface at a node
– IPv6 addresses are separated into two 64-bit parts - the first on the left is the subnet prefix and the
second on the right is the interface identifier (IID), which is 64-Bit Extended Unique Identifier (EUI-64)

– IPv6 provides address formats for:
§ Unicast – identifies a single interface
§ Multicast – identifies a group. Datagrams sent to multicast address are sent to all members of the group
§ Anycast – identifies a group. Datagrams sent to an anycast address are sent to one of the members in the group.
44 Copyright © Ramesh Nagappan. All rights reserved.
 IP Addressing - Classes
Classful Inter-domain Routing in IPv4 (Educational Purposes)

þ IP Network Addressing & Classes (1981 – 1993)
Divides the IP address for Internet Protocol (IPv4) into
five address classes (Classful Inter-domain Routing).
o Class A address has the first octet as the network portion 192 168 1 15
and remaining 3 are the host portions IP address - Ex. 192.168.1.15
Ø Address are in the range of 1 – 126.xxx.xxx.xxx and its network mask is
defined as 255.0.0.0
Ø 127.0.0.1 is the loop back IP address for localhost.
o Class B address has the first & second octets as the
network portion and remaining 2 are the host portions
Ø Address are in the range of 128 – 191.xxx.xxx.xxx and its network mask is
defined as 255.255.0.0
o Class C address has the first, second and third octets as
the network portion and remaining one is the host portion
Ø Address are in the range of 192 – 223.xxx.xxx.xxx and its network mask is
defined as 255.255.255.0
o Class D (multicast applications) & Class E are special
purpose network addresses not assigned and reserved.
45 Copyright © Ramesh Nagappan. All rights reserved.
 IP Addressing - CIDR (pronounced CIDER or CEDER)
Classless Inter-Domain Routing

þ CIDR is a packet routing system used to allocate IP address blocks.
þ An IP address can be considered to have a network address and a host
identifier.
þ Helps describing a block of IP addresses that can be applied to network configurations.

q CIDR helps to identify the number of IP addresses available in the block including first
IP, last IP and the Subnet Mask
o For example (using IPv4): 192.168.1.0/24

46 Copyright © Ramesh Nagappan. All rights reserved.
Image source: cidr.xyz
CIDR – Classless Inter-Domain Routing
Why it is important?
§ Restructure IP address assignment to support Subnetting and increase
Routing efficiency
§ Hierarchical routing aggregation with “Group of IP addresses” and
minimizing route table entries
§ CIDR helps to identify the length of the network id (Prefix) in IP
addresses
– Routers use the IP address and the length of the prefix (CIDR) for forwarding
– All advertised IP addresses must include a CIDR prefix

§ The CIDR notation of a IPv4 network address : 192.0.2.0/18
– The CIDR prefix /18 states the first “18” bits are the network part of the IP address

47 Copyright © Ramesh Nagappan. All rights reserved.
IPv4 Addressing using CIDR
Example
§ host101.east.Harvard.edu
– IP address is 128.143.137.144
– Is that enough info to route packets ?
§ No, need netmask or prefix at every IP device (host and router)
§ CIDR Prefix notation for IP address is: 128.143.137.144/16
– Network prefix is 16 bits long

§ Network mask is: 255.255.0.0 or hex format: ffff0000
-----> Network id (IP address AND Netmask) is: 128.143.0.0
-----> Host number (IP address AND inverse of Netmask) is: 137.144

128.143 137.144
48 Copyright © Ramesh Nagappan. All rights reserved.
CIDR IPv4 Example: 10.0.0.0/16

þ What does it mean ?
§ The /16 in the CIDR notation
represents how many of the bits
locked down.
§ The unlocked bits can change
between 1 and 0, allowing the full
range of possible values
o Lowest possible IP: 10.0.0.0
o Highest possible IP: 10.0.255.255
o i.e 65,536 addresses

49 Copyright © Ramesh Nagappan. All rights reserved.
 CIDR
þ CIDR
§ The CIDR notation is calculated from
the number of ones in the subnet
mask when it is converted to binary.
§ For ex., subnet mask of 192.168.1.0 is
255.255.255.0 – The CIDR will be /24
§ it converts to
11111111.11111111.11111111.00000000 in binary.
§ Add those ones up, and you get 24

§ For quick reference, use: https://cidr.xyz
§ Download this chart
q https://www.ripe.net/about-us/press-centre/IPv4CIDRChart_2015.pdf

50 Copyright © Ramesh Nagappan. All rights reserved.
Using CIDR in IPv4 Networks
How does it work in creating IPv4 Networks?
§ Create blocks of IP address space using CIDR
and allocate them as address blocks to a
network.
§ Example: 206.0.64.0/18
§ Assume the Cloud customer owns the address
block 206.0.64.0/18
– It represents 16,384 (232-18=214) IP host addresses
– 214 means 262,144 host addresses

§ Suppose a Subnet needs to host 800 IP devices
Ø Assigning a /22 block, i.e., 206.0.64.0/22 -> gives a
block of 1,024 (210) IP addresses to client.
51 Copyright © Ramesh Nagappan. All rights reserved.
Subnetting and CIDR
How it helps in IPv4 networks?
§ In subnetting, the network prefix and the subnet number make up an
extended network prefix (for specifying network allocation space).
– The extended prefix can be expressed in terms of using CIDR notation, by
adding the length of the extended subnet mask after the IP address.
— For example, with 128.143.137.144/16.
— 128.143.0.0/16 is the IP address of the primary network (say VPC)
— 65,236 addresses
— 255.255.0.0 is the netmask of the primary network (or network prefix /16)
— For example, 128.143.137.0/24 is the IP address of the subnet
— 256 addresses
— 255.255.255.0 is the subnet mask (or subnet prefix /24)
— For example, 128.143.137.144/32 is the IP address of the host
— 1 address
52 Copyright © Ramesh Nagappan. All rights reserved.
Introduction to IP Subnets
Network isolation using IPv4 Ranges in Cloud

þ IP Subnetting is logical partitioning and segmentation of an IP network to
separate a larger network into smaller multiple networks for reorganization
and security purposes.
o All nodes (hosts) in a subnet would see all packets transmitted by any node in
a network.
þ Host belonging to an IP subnet are addressed with a logical division of an IP address
with two fields – “Host/Network Interface” and “Routing Prefix”
o Routing prefix is expressed in Classless Inter-Domain Routing (CIDR) notation
written with first IP address of a network, followed by / character, and ending
with the bit-length of the prefix.
q ex. 192.168.1.0/24

53 Copyright © Ramesh Nagappan. All rights reserved.
Using CIDR in Practice - VPC and Subnets
Creating VPC and Subnets (AWS example)
§ Choose a Master CIDR for the VPC that
determines the number of subnets and IP
addresses that you can create inside your VPC
– Master CIDR is irreversible.
– For example, 10.0.0.0/16 = all IP addresses from
10.0.0.0 to 10.0.255.255
– you can choose a CIDR block that is as small as a
/28 or as large as a /16. A /28 will provide you with
16 IP addresses and a /16 will provide you with
65,536 IP addresses
Example showing a Master CIDR –
§ To create subnets, you must avoid overlapping 10.10.0.0/16 for VPC that hosts 5 subnets.
addresses with the VPC, co-existing subnet and Each subnet uses /24 that allows to host
your on-premise network (in case of hybrid services using 256 IP addresses
cloud)
54 Copyright © Ramesh Nagappan. All rights reserved.
VPC and Subnets
Applying the CIDR ranges

§ Typically, a cloud provider will allow to use CIDR
ranges between /16 and /28
– For every step, a CIDR increase will decrease the
number of IP addresses in the range cut in half.
§ Let’s assume you are tasked to use a Master CIDR
10.0.0.0/16 for your VPC
– 10.0.0.0/16 allows for 65,536 IP address

§ Using the VPC with Master CIDR 10.0.0.0/16, if you
are tasked to create 2 subnets with equally
allocated IP addresses
– Subnet 1 with 10.0.0.0/17 allows for 32,768 addresses
– Subnet 2 with 10.0.128/0 allows for 32,768 addresses

55 Copyright © Ramesh Nagappan. All rights reserved.
Virtual Private Cloud (VPC) Networks
Logical Isolation of Networks in Public Cloud
þ VPC or Virtual Network
§ An isolated private network on Public Cloud, where customers (Cloud
consumers) can attach compute VM instances and other services.
o Assures logical network isolation and segmentation for VM instances and services
residing in a VPC from other VM instances and services residing in another VPC.
Network traffic cannot be exchanged between VPCs unless explicit permissions are
granted.
Allows for IP address reuse among VPCs in a Cloud infrastructure. Same CIDR block
range can be used by multiple VPCs without conflict.
o Each VPC defines an implicit router that will get packets for Subnets residing within
the VPC
o By default, each VPC is created with a single routing table that gets bound to every
subnet residing within a VPC
56 Copyright © Ramesh Nagappan. All rights reserved.
Network Isolation with VPCs and Subnets
Running Multi-tier Architectures (Web & Database Applications)

Load balancer Load balancer

Note: Network traffic cannot be exchanged between VPCs unless explicit
permissions are granted.

57 Copyright © Ramesh Nagappan. All rights reserved.
Virtual Private Cloud (VPC) Networks
Logical Isolation of Networks in Public Cloud

10.0.0.0/16
10.0.0.0/16

58 Copyright © Ramesh Nagappan. All rights reserved.
Image source: AWS, Microsoft, Google
Network Isolation with VPC & Subnets (High Resiliency)
Running Subnets on different Availability Zones for Fault Isolation

Load balancer Load balancer

Availability Zone A Availability Zone B
Availability Zone A Availability Zone B

Note: Network traffic cannot be exchanged between VPCs unless explicit
permissions are granted.

59 Copyright © Ramesh Nagappan. All rights reserved.
 Subnet based Network Isolation
Partitioning Networks using CIDR Ranges
þ Build Data Centers by partitioning Networks.
þ Create and Partition Logical data centers in Cloud
Ex. Virtual Private Cloud (VPC) in AWS
10.5.0.0/16
þ Let’s assume we use a Master CIDR block of
10.5.0.0/16 for our VPC
10.5.1.0/24 (Public DMZ Subnet)
§ 65,536 addresses
§ First IP address will be 10.5.0.1 10.5.2.0/24 (Private App Subnet)

§ Last IP address will be 10.5.255.254
§ Netmask will be 255.255.0.0 10.5.3.0/24 (Private App Subnet)

o Using the Master CIDR, now we can create
Isolated Subnets – ex. 3 subnets Virtual Private Cloud

o 10.5.1.0/24 (Subnet 1 – Public DMZ) AWS cloud
o 10.5.2.0/24 (Subnet 2 - Private App)
o 10.5.3.0/24 (Subnet 3 - Private DB)
60 Copyright © Ramesh Nagappan. All rights reserved.
Organizing Subnets Internet
Partitioning Networks based on Functional Tiers Users

þ Public Subnet
þ Subnet privileged with Internet accessibility
allowing Inbound/Outbound network traffic
Internet
Includes a Routing Table entry to support Public Internet 10.5.0.0/16
gateway
access via an Internet Gateway or VPN Gateway
Ex. Public DMZ Subnet (10.5.1.0/24) 10.5.1.0/24 (Public DMZ Subnet)

þ Private Subnet
10.5.2.0/24 (Private App Subnet)
þ Subnets NOT accessible from Internet
þ Do not have a routing table entry to access 10.5.3.0/24 (Private DB Subnet)
Internet gateway or Outbound only access
þ Access granted via a Bastion host or NAT proxy) Virtual Private Cloud
to ensure restricted access AWS Cloud
o Private App Subnet (10.5.2.0/24)
o Private DB Subnet (10.5.3.0/24)
61 Copyright © Ramesh Nagappan. All rights reserved.
Building Multiple VPCs (AWS)
Hosting Multiple VPCs in AWS (Isolated Data Centers)

10.5.0.0/16 10.6.0.0/16 10.6.0.0/16

10.5.1.0/24 (Public DMZ Subnet) 10.6.1.0/24 (Public DMZ Subnet) 10.6.1.0/24 (Public DMZ Subnet)

10.5.2.0/24 (Private App Subnet) 10.6.2.0/24 (Private App Subnet) 10.6.2.0/24 (Private App Subnet)

10.5.3.0/24 (Private App Subnet) 10.6.3.0/24 (Private App Subnet) 10.6.3.0/24 (Private App Subnet)

Virtual Private Cloud -
Production Virtual Private Cloud - QA Virtual Private Cloud - Development

AWS Cloud – XYZ Company

62 Copyright © Ramesh Nagappan. All rights reserved.
AWS VPC – Example Network
CIDR/16 VPC with CIDR/24 Subnets Internet
Users

þ VPC
Virtual network dedicated to your AWS
account and logically isolated from other Internet
gateway
virtual networks in AWS. 10.5.0.0/16

þ CIDR/16
u 10.5.0.0/16 (65,236 addresses) 10.5.1.0/24
(Public DMZ Subnet) Web
NAT Servers
þ Public Subnet gateway

Ex. 10.5.1.0/24 (256 addresses)
10.5.3.0/24 Database
þ Private Subnet (Private DB Subnet) Servers

Ex. 10.5.3.0/24 (256 addresses)
Note: Virtual Private Cloud

§ AWS reserves 5 addresses per subnet (First 4 addresses AWS Cloud
and last IP address of the subnet) – For management
purposes – VPC router, DNS, Last IP address to restrict
63
network broadcast in VPC).
Copyright © Ramesh Nagappan. All rights reserved.
Directing Network Traffic
Securing Inbound and Outbound Traffic Flows on Functional Tiers Internet
Users

þ Public Subnet
þ Use Internet Gateway to allow
Inbound network traffic Internet
gateway

þ Use a NAT Gateway to allow 10.5.0.0/16

outbound traffic (without disclosing
Private IP addresses) 10.5.1.0/24
(Public DMZ Subnet)
NAT
Web
Servers
gateway
Prevents Private instances getting direct
Internet requests
Protects Private IP disclosures 10.5.3.0/24 Database
(Private DB Subnet)
(vulnerable to DoS/DDoS attacks) Servers

þ Private Subnet
þ Use NAT Gateway to securely allow Virtual Private Cloud

Outbound traffic for applications AWS Cloud

requiring external Internet access.
64 Copyright © Ramesh Nagappan. All rights reserved.
 Directing Network Traffic
Scope of Gateways on Inbound and Outbound Traffic Flows Internet
Users

þ Internet Gateway allow Ingress (Inbound) Internet
gateway
and Egress (Outbound) access 10.5.0.0/16

þ Typically, accessible from Public Subnet
10.5.1.0/24
§ In the case of IPv4, when traffic is sent from a (Public DMZ Subnet)
NAT
Web
Servers
host instance, the Internet gateway maintains gateway

one-to-one mapping of the host instance
Private IP address to Public IPv4 address. 10.5.3.0/24 Database
(Private DB Subnet) Servers
§ In case of IPv6, when traffic is sent from the
host instance to the Internet, the Internet
gateway forwards the instance’s source IPv6 Virtual Private Cloud
address unchanged.
AWS Cloud

65 Copyright © Ramesh Nagappan. All rights reserved.
Directing Network Traffic
Scope of Gateways on Inbound and Outbound Traffic Flows Internet
Users

þ NAT Gateway securely allows
Outbound traffic for applications requiring
Internet
external Internet access without exposing gateway

IP addresses of Private subnet hosted 10.5.0.0/16

instances.
10.5.1.0/24
þ Allows outbound traffic securely means... (Public DMZ Subnet)
NAT
Web
Servers
gateway
§ Connections originating from outside your
VPC cannot reach host instances
10.5.3.0/24
residing in your Private subnet. (Private DB Subnet)
Database
Servers

q NAT is not supported in IPv6, instead the
host instance send traffic to a
Virtual Private Cloud
”Egress/Outbound traffic only” Internet
AWS Cloud
Gateway.

66 Copyright © Ramesh Nagappan. All rights reserved.
 CIDR in IPv6
þ Identifies the network portion of an IPv6 address and its
associated prefix length allowing for representation and
management of IPv6 networks
þ Creating CIDR notation for IPv6 addresses involves specifying the
network prefix length in bits after the IPv6 address.
§ An IPv6 address consists of eight groups of four hexadecimal digits separated by
colons
§ For example: a valid IPv6 address will look like:
2001:0db8:85a3:0000:0000:8a2e:0370:7334
§ For example, a prefix length of 64 indicates that the first 64 bits of the
address are the network portion, while the remaining 64 bits are reserved for
host addresses. if you want to create a network with a prefix length of 64
bits:
2001:0db8:85a3:0000::/64
§ Optionally, you can abbreviate the IPv6 address by removing leading zeros in each group
and replacing consecutive groups of zeros with double colons (::)
2001:db8:85a3::/64 Reference:
https://www.cidr.eu/en/ipv6
67 Copyright © Ramesh Nagappan. All rights reserved.
Using CIDR in IPv6 based Cloud VPC
How does it work in creating IPv6 Networks?
§ Create the VPC allocating the CIDR block of IPv6 address space to a network.
– Example: 2600:1f16:23d1:7b00::/56
– IPv6 CIDR blocks are typically represented using the /64 prefix length. Some cloud providers may allow
you to allocate larger or smaller CIDR blocks
§ Create subnets, route tables, security groups, and other networking resources within the VPC.
– Assign IPv6 addresses to the subnets within the VPC
§ For example:
Subnet 1: 2600:1f16:23d1:7b00::/64
Subnet 2: 2600:1f16:23d1:7b01::/64
Subnet 3: 2600:1f16:23d1:7b02::/64
§ Enable IPv6 DNS and VM support
– Enable IPv6 DNS support using Cloud-DNS servers to resolve IPv6 address enabled VM instances.
– For the VMs, allow automatic assignment of IPv6 addresses using stateless address auto-configuration
(SLAAC) or DHCPv6

68 Copyright © Ramesh Nagappan. All rights reserved.
Bastion Host / Jumpserver - Network Isolation
Dedicated Private Connection from Cloud to On-premises / Trusted peers

SSH / RDP
Bastion

Trusted
Client

§ Bastion hosts are dedicated hosts or virtual machines that reside in Public subnet for
supporting remote access from on-premises or trusted peers
§ Helps to isolate and establish connection
§ Typically accessed using SSH or Windows RDP
— Once remote connection established with the Bastion host it allows to use SSH or RDP to
login to other instances with in your VPC
§ Inbound and outbound access must be restricted at the protocol level using Network and Host-
based firewalls (Security groups)
§ Inbound access must be restricted to specific IP addresses
69 Copyright © Ramesh Nagappan. All rights reserved.
Border Gateway Protocol (BGP)
Exchange routes between On-premises router to Cloud Provider
§ BGP (Border Gateway Protocol) is an Exterior Gateway “Routing Protocol” (EGP)
designed to exchange path prefix information between different autonomous
networks.
§ Enables fully-isolated dedicated private connectivity between on-premises datacenter and Cloud
providers
§ Assures enabling private connectivity in Hybrid Cloud scenarios
§ BGP neighbors build peering connections over TCP and exchange routing information (prefixes).
§ In BGP, a set of routers inside a single administrator authority form an Autonomous System (AS).
§ BGP uses Autonomous System Number (ASNs) which is a number between 1 and 64,511 (public)
and 64,512 and 65,535 (private) assigned to an AS for the purpose of identifying a specific BGP
domain.
§ Allocated by a Regional Internet Registry (RIR), who also handle allocation of IP addresses to networks.
§ BGP enables your traffic flows between on-premises locations and Public Cloud
providers.
§ Examples: AWS Direct Connect, Azure Express Route, Google Interconnect
70 Copyright © Ramesh Nagappan. All rights reserved.
Direct Connect to Public Cloud Services (AWS)
Direct Connect Routing - On-premises Data Center and AWS Public Services

To bridge an on-premises data center connectivity to AWS Public service via BGP
Build a BGP session to a Public VIF of AWS service
The on-prem router will now learn the all the public prefixes that belong to AWS
This means that a user/server on-prem will access ‘public services’ (such as an S3 bucket) via the Direct Connect
instead of going over the Internet.
§ Establishes private dedicated connection from datacenter VLANs to AWS backbone via
Public VIF
§ Reliable connectivity and network performance to connect to AWS endpoints (ex. S3)
71 Copyright © Ramesh Nagappan. All rights reserved.
Source: Nicovibert
Direct Connect to VPC (AWS)
Private Connection between On-premises Data Center and AWS VPC

§ To bridge an on-premises data center connectivity to AWS VPC via BGP
Build a BGP session to a Private VIF of AWS service
The on-prem router will now learn the all the public prefixes that belong to AWS
This means that a user/server on-prem will access ‘VPC hosted services’ (such asEC2) via the Direct Connect.
§ Establishes private dedicated connection from datacenter VLANs to AWS backbone via
Private VIF
72 Copyright © Ramesh Nagappan. All rights reserved.
Source: Nicovibert
Hybrid Cloud: Private Connection
Hybrid Cloud AWS and On-premise Datacenter - Deployment Scenario

Support
Direct Connect
Support
BGP Channel
Direct Connect
Provider ISP

HR

HR
Engineering

Engineering

Development

Development teams
VLANS VIFs
On-premise (Accessible from
Datacenter public & private
subnets)
*VIF refers Virtual NIC (Ethernet) – Which can be Private or Public accessible
73 Copyright © Ramesh Nagappan. All rights reserved.
Immutable Networks
Read-Only Network configurations - “Infrastructure as Code”
þ Immutable network infrastructure is a software-defined read-only network
configuration.
§ Builds on the concept of “Infrastructure as Code”, where the configuration is performed entirely
through code and configuration files, with validation checks ensuring that the running configuration
always matches the defined desired state.

§ Ex. AWS CloudFormation, Azure Resource Manager (ARM), Terraform

§ Widely adopted in DevOps environment

þ Achieving immutability means that there is no difference between settings
defined in the configuration and those implemented – Any changes to the setting
is flagged as “Configuration Drift”.
þ Periodic checks need to take place to detect configuration drift and trigger
remediation tasks or alerts upon finding a drift.
74 Copyright © Ramesh Nagappan. All rights reserved.
Dedicated Network Tenancy
Single Tenant Network, Dedicated VMs and Dedicated Hosts
þ Single Tenant Network (Dedicated Tenancy)
§ This network assures all virtual machine instances are run on hardware specific to a
Cloud customer.
§ Typically operates on dedicated racks and network segment providing the customer
with their own isolated hosts and network.
§ Dedicated tenancy helps to ensure data confidentiality and data residency to meet
compliance requirements (e.g HIPAA)

þ Dedicated VMs
§ Dedicated virtual machines and virtual storage allocated to the customer

þ Dedicated Hosts & Storage
§ An entire physical host and storage unit allocated for the “Cloud Customer” but the
customer may share other multi-tenant resources.
75 Copyright © Ramesh Nagappan. All rights reserved.
Compute vs Network Isolation
§ By Design, Host Virtualization and Virtual Networking are intended to
provide workload and network isolation securely while isolated from one
another.
– Isolation enables multiple virtual machines to run securely while sharing host and network
boundaries ensures both their ability to access service with uninterrupted performance.
§ Even a user with administrator privileges on a VM’s guest OS cannot breach this layer of isolation
to access another VM in or outside network without privileges explicitly granted by the Hypervisor.
§ If a VM crashes, all other virtual machines on the same host infrastructure continue to run.
– Although VMs share physical resources exposed by hypervisor, a guest OS on a VM
cannot detect any device other than the Virtual machine available to it.
§ Resource capping by setting limits to System resource utilization (CPU, Memory, Network etc)
helps VM from performance degradation if another VM consumed excessive hardware resources.
– The guest OS failure has no effect on:
§ Ability of users to access the other virtual machines within or outside the network
§ Ability of the operational VMs to access the network resources they need.
76 Copyright © Ramesh Nagappan. All rights reserved.
Management and Client Access Network Isolation
§ Management Network Isolation must be enforced to carry out all
management operations (for Host/Network hardware/software, Hypervisors)
securely by using a dedicated network segment.
– All management interface of the hypervisor and host hardware should be placed in a dedicated virtual
network segment and access to that interface should only be allowed from designated subnets in the
enterprise network privileged to Cloud provider administrators.
– All applications and guest OS installation and provisioning must be carried out using a dedicated virtual
network segment privileged to Application and VM/Guest OS administrators.
– Management Network services must be decoupled from Cloud consumer/Guest access network.

§ Client Access Network Isolation must be enforced to assure that all Cloud
consumer tenant traffic are isolated to dedicated network connections (ex.
SSH, VPN, TLS) hosting the target resources dedicated to the tenant (ex.
VMs/Hosts, Virtual Network and Application resources.
77 Copyright © Ramesh Nagappan. All rights reserved.
Cloud Security Architecture : Building Blocks
Compute Storage Network Application/Data
§ VNIC, vSwitch
Physical
§ VLAN, PVLAN, VXLAN
§ Type 1 Hypervisor (VM)
Secure § IPv4/IPv6 addressing
§ Type 2 Hypervisor (VM)
Isolation § VPC, Subnet, Gateways
§ Application Container
§ SDN, SR/IOV
§ Functions
§ Bastion Host, BGP

Data
Protection

Access
Control

Monitoring
and Auditing

78 Copyright © Ramesh Nagappan. All rights reserved.
 § Evolving Cloud Security Architecture
§ Building Secure Multitenancy
Week 4
Lecture - 2 § Secure Isolation Strategies
– Workload Isolation
– Network Isolation
– Storage Isolation
– Application & Data isolation

79 Copyright © Ramesh Nagappan. All rights reserved.
References / Work Cited
Network Virtualization
http://csrc.nist.gov/publications/nistpubs/800-125/SP800-125-final.pdf
http://www.lantechcom.co.za/global/eng/Support/TT_VLAN.html
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/PrivateVL
ANs.html
https://www.arista.com/assets/data/pdf/Whitepapers/Arista_Networks_VXLAN_White_Paper.pdf
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/Network_Virtualization/sccsolover.html
https://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-networking-guide.pdf

Software Defined Networking
https://www.opennetworking.org/sdn-resources/openflow
https://www.opennetworking.org/images/stories/downloads/sdn-resources/white-papers/wp-sdn-newnorm.pdf

CIDR & Subnets
http://cidr.xyz
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html#vpc-subnet-basics

SR-IOV
http://www.intel.com/content/www/us/en/pci-express/pci-sig-sr-iov-primer-sr-iov-technology-paper.html
80 Copyright © Ramesh Nagappan. All rights reserved.
References / Work Cited
Border Gateway Protocol
http://csrc.nist.gov/publications/nistpubs/800-125/SP800-125-final.pdf

Container Networking
https://www.opennetworking.org/sdn-resources/openflow
https://www.opennetworking.org/images/stories/downloads/sdn-resources/white-papers/wp-sdn-newnorm.pdf

CIDR & Subnets
http://cidr.xyz
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html#vpc-subnet-basics

SR-IOV
http://www.intel.com/content/www/us/en/pci-express/pci-sig-sr-iov-primer-sr-iov-technology-paper.html

81 Copyright © Ramesh Nagappan. All rights reserved.