service activation overview - at&t cloud solutions · 2019. 10. 2. · using the at&t cloud...

© 2017 AT&T Intellectual Property. All rights reserved. AT&T, Globe logo, Mobilizing Your World and DIRECTV are registered trademarks and service marks of AT&T Intellectual Property and/or AT&T affiliated companies. Salesforce marks are the trademarks and service marks of Salesforce. All other marks contained herein are the property of their respective owners. The information contained herein is not an offer, commitment, representation or warranty by AT&T and is subject to change.

AT&T NetBond® for Salesforce® Service Activation Overview


Post on 04-Sep-2020


NetBond Service Activation Overview for Salesforce


AT&T NetBond allows AT&T customers to extend their MPLS virtual private network to cloud services such as Salesforce. With NetBond enabled, the Salesforce service will appear as another site on the VPN. Customers can then reach their Salesforce applications with better scalability, improved security, and greater availability.

Using the AT&T Cloud Services Portal, the NetBond service can be quickly provisioned. The next few slides provide an overview to plan and enable the service.

Prior to enablement, the customer should have or procure a Salesforce subscription. They should also work with the AT&T account team to sign up for NetBond cloud services. Upon contract signing, the customer will receive a welcome email with credentials for www.synaptic.att.com.


Example Scenario – Customer with existing AT&T VPN and Salesforce subscription


The next few slides will provide an overview of a typical service activation. In this example, our customer has their network configured through AT&T VPN using BGP Autonomous Systems 65100 and 65200. They have an existing Salesforce subscription in place.

[Diagram: the Customer Network, with Customer Edge Routers in ASN 65100 and ASN 65200, attaches through Provider Edge Routers to the AT&T VPN (ASN 13979). Salesforce is ASN 14340.]


Step 1 – Create Virtual Network Connection (VNC)

Using the AT&T Cloud Services Portal, our customer creates a new virtual network connection. At the designated region, NetBond orchestration enables our customer’s private network at the AT&T routers in front of a virtual Network Address Translation (vNAT) device. In addition, our customer chooses a minimum bandwidth commitment for the virtual network connection.

[Diagram: the same topology with AT&T NetBond added. AT&T Routers and a vNAT device sit between the AT&T VPN (ASN 13979) and the Salesforce Routers (Salesforce ASN 14340).]


Step 2 – Create VLAN

With a /29 address block from their enterprise IP space, our customer creates a VLAN within the VNC. NetBond orchestration provisions a pair of connections between the virtual routing interface on the AT&T routers and the vNAT device providing network address translation. The /29 space is automatically provisioned as two /30 subnets.

NetBond orchestration also provisions a second MPLS VPN between the vNAT device and AT&T routers collocated within Salesforce. AT&T public address space is applied along the path between the vNAT device and Salesforce.

[Diagram: VLAN_Salesforce_East, 10.20.10.0/29, is split into 10.20.10.0/30 (hosts .1 and .2) and 10.20.10.4/30 (hosts .5 and .6) on the two connections between the AT&T Routers and the AT&T NetBond vNAT. Caption: Customer Private IP Source Addresses NAT to AT&T Registered IP Addresses. Salesforce (ASN 14340) address space: 192.0.2.0/24 and 198.51.100.0/24.]


Step 2 – Create VLAN (cont.)


After a few minutes, the two /30s and all Salesforce public route announcements will appear in the customer edge route tables. All traffic destined to Salesforce will traverse the AT&T VPN to NetBond, where the original source IP address will be translated to AT&T public IP addresses before being forwarded to Salesforce.

[Diagram: same topology and addressing as the previous slide, shown with the route table below.]

Route              AS Path
10.20.10.0/30      13979 I
10.20.10.4/30      13979 I
192.0.2.0/24       13979 14340 I
198.51.100.0/24    13979 14340 I
172.16.0.0/24      I
172.16.1.0/24      13979 65200 I


Sandbox Environments

If our customer knows the IP addresses of test “sandbox” environments, they can configure NetBond to announce only specific routes. In this situation, the AT&T routers will filter all route announcements from Salesforce to the MPLS network. Instead, the AT&T routers will announce only the portal-specified routes to the MPLS VPN.

Route              AS Path
10.20.10.0/30      13979 I
10.20.10.4/30      13979 I
198.51.100.9/32    13979 I
192.0.2.0/24       13979 14340 I
198.51.100.0/24    13979 14340 I
172.16.0.0/24      I
172.16.1.0/24      13979 65200 I

[Diagram: same topology and addressing as Step 2, with a Test Application at 198.51.100.9 in the Salesforce address space (192.0.2.0/24, 198.51.100.0/24).]


Integration with On-Premises Environments with Reverse Flows


Caution: Integration with On-Premises Environments

[Diagram: AT&T VPN (ASN 13979) with Provider Edge Routers and the AT&T NetBond vNAT (Customer Private IP Source Addresses NAT to AT&T Registered IP Addresses). Packet labels in the diagram:

Internet: Source: 192.0.2.23, Destination: 203.0.113.45

Source: 203.0.113.45, Destination: 192.0.2.23

Source: 32.x.x.x, Destination: 192.0.2.23]

To integrate Salesforce with on-premises hosts such as database servers or non-SAML authentication servers, it is important to account for flows initiated by Salesforce to our customer network. If only a “forward” vNAT is configured, sessions initiated by Salesforce to our customer’s premises will continue over the Internet, but the response will follow the Salesforce-specific route announcement via NetBond, resulting in an asymmetrical routing failure.

Route              AS Path
10.20.10.0/30      13979 I
10.20.10.4/30      13979 I
192.0.2.0/24       13979 14340 I
198.51.100.0/24    13979 14340 I
172.16.0.0/24      I

On-Premise Server, Public: 203.0.113.45

Salesforce (ASN 14340): 192.0.2.0/24, 198.51.100.0/24


Option 1: NetBond Reverse NAT for Salesforce Integration with On-Premises Environments


Using the AT&T Cloud Portal, our customer creates a reverse NAT rule. They provide an additional /29 for the new vNAT device as well as a public IP registered with the company via a Regional Internet Registry (RIR). Our customer also supplies translated source and destination IP addresses from their enterprise address space. AT&T will change the Salesforce source address to the customer’s specified “Translated Source”. The public IP address supplied as the “Original Destination” can be changed to a customer-specified “Translated Destination” or left unchanged.

Route              AS Path
10.20.10.0/30      13979 I
10.20.10.4/30      13979 I
192.0.2.0/24       13979 14340 I
198.51.100.0/24    13979 14340 I
10.20.30.9/32      13979 I
172.16.0.0/24      I

Second route table in the diagram (192.0.2.0/24 and 198.51.100.0/24 appear as local routes):

Route              AS Path
203.0.113.45/32    13979 I
32.x.x.x/32        13979 I
192.0.2.0/24       I
198.51.100.0/24    I

Packet labels in the diagram:

Source: 192.0.2.23, Destination: 203.0.113.45

Source: 10.20.30.9, Destination: 172.16.0.19

On-Premise Server, Public: 203.0.113.45, Private: 172.16.0.19

[Diagram: AT&T VPN (ASN 13979) with Provider Edge Routers; address labels 203.0.113.45/32, 32.x.x.x/32, 10.20.10.0/30, 10.20.10.4/30, 10.20.30.0/30, 10.20.30.4/30 and 10.20.30.9/32; Salesforce (ASN 14340) address space 192.0.2.0/24 and 198.51.100.0/24.]

NetBond Reverse NAT Rule

Direct Subnet    Original Destination    Translated Source    Translated Destination
10.20.30.0/29    203.0.113.45/32         10.20.30.9/32        172.16.0.19/32


Public IP Address Validation for NetBond Reverse NAT

Prior to creation of the NetBond reverse NAT rule, the public IP address must be verified by AT&T through the associated Regional Internet Registry. During the onboarding session, we will validate this public IP. If a new public IP is needed in the future, validation will occur within two business days after submission on the AT&T Cloud Portal.

Example

Subnet Name: Database_Server

IP Subnet: 203.0.113.45/32

Subnet Type: Public

ASN: Origin AS Associated with IP Address

RIR: ARIN


Option 2: DMZ Architecture for Salesforce Integration with On-Premises Environments

[Diagram: AT&T VPN (ASN 13979), the AT&T NetBond vNAT, and the Customer Network with a DMZ holding the on-premise server at 203.0.113.45.]

If the on-premise server is located in a DMZ where the firewall does not learn dynamic routing updates from AT&T, our customer can choose to keep the reverse flow on the Internet without any need for AT&T reverse NAT. Because the firewall does not dynamically learn Salesforce routes from NetBond, it will continue to send replies to Salesforce via its default gateway.

Route table (learns AT&T VPN routes):

Route              Target
10.20.10.0/30      AT&T VPN
10.20.10.4/30      AT&T VPN
192.0.2.0/24       AT&T VPN
198.51.100.0/24    AT&T VPN
203.0.113.45       Firewall
172.16.0.0/24      Internal

Route table (default route to the Internet, no Salesforce routes):

Route              Target
0.0.0.0/0          Internet
172.16.0.0/12      Internal
203.0.113.0/24     DMZ

Packet labels in the diagram:

Source: 192.0.2.23, Destination: 203.0.113.45

Source: 203.0.113.45, Destination: 192.0.2.23

Salesforce (ASN 14340): 192.0.2.0/24, 198.51.100.0/24


Option 3: Firewall Reverse NAT for Salesforce Integration with On-Premises Environments

[Diagram: AT&T VPN (ASN 13979), the AT&T NetBond vNAT, and the Customer Network containing the on-premise host 172.16.0.19.]

If our customer wishes to keep the reverse flow over the Internet, but the on-premise host resides in a network that learns routes dynamically from AT&T, they can create a NAT rule on their Internet-facing firewall. The NAT rule must change the original Salesforce address in the source field to an internal IP address so that the enterprise routers route the responses back to the firewall.

Packet labels in the diagram:

Source: 192.0.2.23, Destination: 203.0.113.45

Source: 172.16.0.9, Destination: 192.168.15.9

Source: 192.168.15.9, Destination: 172.16.0.19

Firewall Reverse NAT Rule

Original Source    Original Destination    Translated Source    Translated Destination
Any                203.0.113.45/32         192.168.15.9/32      172.16.0.19/32

Route              Target
10.20.10.0/30      AT&T VPN
10.20.10.4/30      AT&T VPN
192.0.2.0/24       AT&T VPN
198.51.100.0/24    AT&T VPN
192.168.15.0/24    Firewall
172.16.0.0/24      Internal

Salesforce (ASN 14340): 192.0.2.0/24, 198.51.100.0/24
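The asymmetric-routing failure from the Caution slide and the Option 3 fix can be checked with a small route-lookup model. This is an added example, not part of the AT&T deck: the route table and NAT rule are copied from the Option 3 slide, while the function names and the longest-prefix-match model of the enterprise routers are assumptions made for illustration.

```python
import ipaddress

# Enterprise route table from the Option 3 slide: (prefix, target).
ENTERPRISE_ROUTES = [
    ("10.20.10.0/30", "AT&T VPN"),
    ("10.20.10.4/30", "AT&T VPN"),
    ("192.0.2.0/24", "AT&T VPN"),      # Salesforce range learned via NetBond
    ("198.51.100.0/24", "AT&T VPN"),   # Salesforce range learned via NetBond
    ("192.168.15.0/24", "Firewall"),
    ("172.16.0.0/24", "Internal"),
]

# Firewall Reverse NAT Rule from the same slide (Original Source: Any).
FIREWALL_RNAT = {
    "original_destination": "203.0.113.45",
    "translated_source": "192.168.15.9",
    "translated_destination": "172.16.0.19",
}

def lookup(routes, address):
    """Longest-prefix match; returns the target, or None if no route covers it."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, target in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, target)
    return best[1] if best else None

def as_seen_by_host(src, dst, rule=None):
    """(src, dst) of a Salesforce-initiated packet after the Internet firewall."""
    if rule and dst == rule["original_destination"]:
        return rule["translated_source"], rule["translated_destination"]
    return src, dst

def reply_path(src, dst, rule=None, routes=ENTERPRISE_ROUTES):
    """Target the enterprise routers choose for the host's reply."""
    seen_src, _ = as_seen_by_host(src, dst, rule)
    return lookup(routes, seen_src)

def asymmetric_flows(flows, rule=None):
    """Flows that arrive through the firewall but whose reply leaves elsewhere."""
    return [f for f in flows if reply_path(*f, rule=rule) != "Firewall"]

# Constructed sample: the Salesforce-initiated session shown on the slides.
FLOWS = [("192.0.2.23", "203.0.113.45")]

if __name__ == "__main__":
    print("no NAT  :", reply_path(*FLOWS[0]))                      # AT&T VPN
    print("with NAT:", reply_path(*FLOWS[0], rule=FIREWALL_RNAT))  # Firewall
    print("asymmetric without NAT:", asymmetric_flows(FLOWS))
```

Without the rule the reply follows the 192.0.2.0/24 route into the AT&T VPN; with it, the reply is addressed to 192.168.15.9 and returns to the firewall.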


Next Steps


Summary Steps

1. Obtain Salesforce subscription.

2. Work with the AT&T account team to sign up for NetBond services. A welcome letter will provide credentials to the AT&T Cloud Services Portal (www.synaptic.att.com).

3. Identify any “reverse” flows required for integration with on-premise hosts. Submit public IP addresses for authorization.

4. Create NetBond Virtual Network Connection (Required: Name of AT&T VPN, region, free-form name for Virtual Network Connection, and minimum bandwidth commitment.)

5. Create NetBond VLAN (Required: /29 address space and free-form name.)

6. Create the reverse NAT rules. (Required: /29 address space, authorized public IP address, translated source IP address, and translated destination IP address.)


What’s Next After Activation? Confirming Connectivity

1. After successfully creating your Virtual Network Connection (VNC) and VLAN, we want to confirm basic network connectivity to Salesforce.

2. To confirm traffic is routing over NetBond, please do a traceroute to a Salesforce destination to verify it is reaching your NetBond VLAN IP address.

3. To confirm connectivity with Salesforce, we ask that you perform a simple test such as accessing https://login.salesforce.com.

4. After basic connectivity is confirmed, we ask that you take the following five business days to test your applications over NetBond. Our Client Technical Lead (CTL) is available to assist during this time if you have any questions or concerns, and they can be reached at [email protected].

5. After five business days, our cloud support team is available 24x7 to provide technical support and answer any questions. In addition, if you run into an emergency over these next five days, please open a ticket in the Cloud Portal to engage our cloud support team.
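The traceroute check in step 2 can be automated by testing each hop against the two /30 subnets of the NetBond VLAN. This is an added example, not part of the AT&T deck: it assumes numeric `traceroute -n` output, uses the VLAN_Salesforce_East /29 from the earlier slides, and the sample traces and function names are constructed for illustration.

```python
import ipaddress
import re

VLAN = ipaddress.ip_network("10.20.10.0/29")  # VLAN_Salesforce_East on the slides

# Constructed traceroute output, not captured from a real network.
SAMPLE_VIA_NETBOND = """\
traceroute to 198.51.100.9 (198.51.100.9), 30 hops max, 60 byte packets
 1  172.16.0.1  0.412 ms  0.388 ms  0.401 ms
 2  10.20.10.1  8.120 ms  8.044 ms  8.101 ms
 3  10.20.10.2  8.907 ms  8.850 ms  8.899 ms
 4  * * *
 5  198.51.100.9  12.331 ms  12.270 ms  12.305 ms
"""
SAMPLE_VIA_INTERNET = """\
traceroute to 198.51.100.9 (198.51.100.9), 30 hops max, 60 byte packets
 1  172.16.0.1  0.398 ms  0.377 ms  0.402 ms
 2  203.0.113.1  4.510 ms  4.482 ms  4.495 ms
 3  198.51.100.9  21.874 ms  21.802 ms  21.851 ms
"""

def parse_hops(output):
    """Return [(hop_number, address or None)] from `traceroute -n` style output."""
    hops = []
    for line in output.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)", line)
        if not m:
            continue  # header or blank line
        try:
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:
            ip = None  # '*' means the hop did not answer
        hops.append((int(m.group(1)), ip))
    return hops

def netbond_hops(output, vlan=VLAN):
    """Hops that are usable host addresses in one of the VLAN's two /30 subnets."""
    found = []
    for number, ip in parse_hops(output):
        for subnet in vlan.subnets(new_prefix=30):
            if ip is not None and ip in list(subnet.hosts()):
                found.append((number, str(ip), str(subnet)))
    return found

def routes_over_netbond(output, vlan=VLAN):
    """True when at least one hop sits on the NetBond VLAN."""
    return bool(netbond_hops(output, vlan))

if __name__ == "__main__":
    for name, trace in (("netbond", SAMPLE_VIA_NETBOND), ("internet", SAMPLE_VIA_INTERNET)):
        print(name, routes_over_netbond(trace), netbond_hops(trace))
```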


VNC Itemized Billing

If a customer requires internal cost allocation for additional Cloud Provider connections along with Salesforce, they will need to establish individual subaccounts during initial VNC creation. This will provide itemized billing on the invoice.

Considerations

• Users that need access to all subaccounts should be configured as Enterprise Managers.

• Usage Notification Alerts are per subaccount.

• Portal Reporting is per subaccount.

• NetBond features that are in controlled introduction would require an AT&T Cloud Portal trouble ticket. You will need to create the subaccount first so that AT&T can complete the service ticket request.

• Once a VNC is created under one subaccount, it cannot be migrated to another subaccount. It must be rebuilt in the new subaccount, which will result in downtime.
