service activation overview - at&t cloud solutions · 2019. 10. 2. · using the at&t cloud...
© 2017 AT&T Intellectual Property. All rights reserved. AT&T, Globe logo, Mobilizing Your World and DIRECTV are registered trademarks and service marks of AT&T Intellectual Property and/or AT&T affiliated companies. Salesforce marks are the trademarks and service marks of Salesforce. All other marks contained herein are the property of their respective owners. The information contained herein is not an offer, commitment, representation or warranty by AT&T and is subject to change.
AT&T NetBond® for Salesforce®
Service Activation Overview
NetBond Service Activation Overview for Salesforce
© 2017 AT&T Intellectual Property. All rights reserved.
AT&T NetBond allows AT&T customers to extend their MPLS virtual private network to cloud services such as Salesforce. With NetBond enabled, the Salesforce service will appear as another site on the VPN. Customers can then reach their Salesforce applications with better scalability, improved security, and greater availability.
Using the AT&T Cloud Services Portal, the NetBond service can be quickly provisioned. The next few slides provide an overview to plan and enable the service.
Prior to enablement, the customer should have or procure a Salesforce subscription. They should also work with the AT&T account team to sign up for NetBond cloud services. Upon contract signing, the customer will receive a welcome email for credentials to www.synaptic.att.com.
Example Scenario – Customer with existing AT&T VPN and Salesforce subscription
The next few slides provide an overview of a typical service activation. In this example, our customer has their network configured through AT&T VPN using BGP Autonomous Systems 65100 and 65200. They have an existing Salesforce subscription in place.
[Diagram: Customer Network with Customer Edge Routers (ASN 65200 and ASN 65100) connected to AT&T VPN Provider Edge Routers (ASN 13979); Salesforce (ASN 14340) shown as a separate site]
Step 1 – Create Virtual Network Connection (VNC)
Using the AT&T Cloud Services Portal, our customer creates a new virtual network connection. At the designated region, NetBond orchestration enables our customer’s private network at the AT&T routers in front of a virtual Network Address Translation (vNAT) device. In addition, our customer chooses a minimum bandwidth commitment for the virtual network connection.
[Diagram: Customer Network (Customer Edge Routers ASN 65200 and 65100); AT&T VPN Provider Edge Routers (ASN 13979); AT&T NetBond, consisting of AT&T Routers and a vNAT device; Salesforce Routers (Salesforce ASN 14340)]
Step 2 – Create VLAN
With a /29 address block from their enterprise IP space, our customer creates a VLAN within the VNC. NetBond orchestration provisions a pair of connections between the virtual routing interface on the AT&T routers and the vNAT device providing network address translation. The /29 space is automatically provisioned as two /30 subnets.
NetBond orchestration also provisions a second MPLS VPN between the vNAT device and AT&T routers collocated within Salesforce. AT&T public address space is applied along the path between the vNAT device and Salesforce.
[Diagram: Customer Network (Customer Edge Routers ASN 65200 and 65100); AT&T VPN Provider Edge Routers (ASN 13979); AT&T NetBond with AT&T Routers and vNAT; Salesforce Routers (Salesforce ASN 14340). VLAN_Salesforce_East 10.20.10.0/29 is provisioned as 10.20.10.0/30 (.1, .2) and 10.20.10.4/30 (.5, .6) between the AT&T routers and the vNAT. Customer private IP source addresses NAT to AT&T registered IP addresses. Salesforce address space: 192.0.2.0/24 and 198.51.100.0/24]
Step 2 – Create VLAN (cont.)
After a few minutes, the two /30s and all Salesforce public route announcements will appear in the customer edge route tables. All traffic destined to Salesforce will traverse the AT&T VPN to NetBond, where the original source IP address will be translated to AT&T public IP addresses before being forwarded to Salesforce.
[Diagram: same topology as the previous slide. Customer Network (Customer Edge Routers ASN 65200 and 65100); AT&T VPN Provider Edge Routers (ASN 13979); AT&T NetBond with AT&T Routers and vNAT; Salesforce Routers (Salesforce ASN 14340). VLAN_Salesforce_East 10.20.10.0/29 as 10.20.10.0/30 (.1, .2) and 10.20.10.4/30 (.5, .6). Customer private IP source addresses NAT to AT&T registered IP addresses. Salesforce: 192.0.2.0/24 and 198.51.100.0/24]
Customer edge route table:
Route            AS Path
10.20.10.0/30    13979 I
10.20.10.4/30    13979 I
192.0.2.0/24     13979 14340 I
198.51.100.0/24  13979 14340 I
172.16.0.0/24    I
172.16.1.0/24    13979 65200 I
Sandbox Environments
If our customer knows the IP addresses of test (“sandbox”) environments, they can configure NetBond to announce only specific routes. In this situation, the AT&T routers will filter all route announcements from Salesforce to the MPLS network. Instead, the AT&T routers will only announce the portal-specified routes to the MPLS VPN.
Customer edge route table:
Route            AS Path
10.20.10.0/30    13979 I
10.20.10.4/30    13979 I
198.51.100.9/32  13979 I
192.0.2.0/24     13979 14340 I
198.51.100.0/24  13979 14340 I
172.16.0.0/24    I
172.16.1.0/24    13979 65200 I
[Diagram: same topology as the previous slides. Customer Network (Customer Edge Routers ASN 65200 and 65100); AT&T VPN Provider Edge Routers (ASN 13979); AT&T NetBond with AT&T Routers and vNAT; Salesforce Routers (Salesforce ASN 14340). VLAN_Salesforce_East 10.20.10.0/29 as 10.20.10.0/30 (.1, .2) and 10.20.10.4/30 (.5, .6). Customer private IP source addresses NAT to AT&T registered IP addresses. Salesforce: 192.0.2.0/24 and 198.51.100.0/24; Test Application at 198.51.100.9]
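The route-table checks described for Step 2 and for the sandbox option can be scripted against the customer edge table. The following is an added example, not code from the AT&T deck or the NetBond service: it splits the VLAN /29 into the two /30s that NetBond provisions, parses a route table in the "Route / AS Path" layout the slides use (a constructed sample, not real CLI output), and reports which expected entries are missing. The ASNs and prefixes are the deck's sample values; the function names are the example's own.

```python
# Added example (not from the AT&T deck): sanity-check a customer edge route table
# after the NetBond VLAN has been created. Values are the deck's sample topology.
from ipaddress import ip_network

ATT_ASN = 13979          # AT&T VPN / NetBond autonomous system (from the deck)
SALESFORCE_ASN = 14340   # Salesforce autonomous system (from the deck)

# Constructed sample: the customer edge table after Step 2, with the sandbox /32 added.
SAMPLE_ROUTE_TABLE = """\
Route            AS Path
10.20.10.0/30    13979 I
10.20.10.4/30    13979 I
198.51.100.9/32  13979 I
192.0.2.0/24     13979 14340 I
198.51.100.0/24  13979 14340 I
172.16.0.0/24    I
172.16.1.0/24    13979 65200 I
"""


def vlan_point_to_point_subnets(vlan_cidr):
    """Split the customer's /29 into the two /30s NetBond provisions (Step 2)."""
    net = ip_network(vlan_cidr)
    if net.prefixlen != 29:
        raise ValueError("NetBond VLAN expects a /29 block")
    return [str(s) for s in net.subnets(new_prefix=30)]


def parse_route_table(text):
    """Parse 'Route  AS Path' lines into {prefix: [asn, ...]}.

    The trailing 'I' origin marker is dropped; a local route has an empty path.
    """
    routes = {}
    for line in text.splitlines()[1:]:          # skip the header line
        fields = line.split()
        if not fields:
            continue
        prefix, *path = fields
        routes[prefix] = [int(asn) for asn in path if asn.isdigit()]
    return routes


def check_netbond_routes(routes, vlan_cidr,
                         salesforce_prefixes=("192.0.2.0/24", "198.51.100.0/24"),
                         sandbox_routes=()):
    """Report what the table lacks relative to what Step 2 and the sandbox option should produce."""
    # The two /30s must be present and originated by AT&T (path is the AT&T AS only).
    missing_p2p = [s for s in vlan_point_to_point_subnets(vlan_cidr)
                   if routes.get(s) != [ATT_ASN]]
    # Salesforce prefixes must arrive through AT&T and then Salesforce.
    missing_salesforce = [p for p in salesforce_prefixes
                          if routes.get(p) != [ATT_ASN, SALESFORCE_ASN]]
    # Portal-specified sandbox routes are announced by the AT&T routers themselves.
    missing_sandbox = [p for p in sandbox_routes if routes.get(p) != [ATT_ASN]]
    # Everything whose path starts with the AT&T AS was learned over the AT&T VPN.
    learned_from_att = sorted(p for p, path in routes.items()
                              if path and path[0] == ATT_ASN)
    return {
        "missing_p2p": missing_p2p,
        "missing_salesforce": missing_salesforce,
        "missing_sandbox": missing_sandbox,
        "learned_from_att": learned_from_att,
    }


if __name__ == "__main__":
    table = parse_route_table(SAMPLE_ROUTE_TABLE)
    report = check_netbond_routes(table, "10.20.10.0/29",
                                  sandbox_routes=("198.51.100.9/32",))
    for key, value in report.items():
        print(f"{key}: {value}")
```

An empty list for each "missing_" key means the table matches what the slides show; a non-empty list points at the specific /30, Salesforce prefix or sandbox host route to raise with the AT&T account team.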
Integration with On-Premises Environments with Reverse Flows
Caution: Integration with On-Premises Environments
To integrate Salesforce with on-premises hosts such as database servers or non-SAML authentication servers, it is important to account for flows initiated by Salesforce to our customer network. If only a “forward” vNAT is configured, sessions initiated by Salesforce to our customer’s premises will continue over the Internet, but the response will follow the Salesforce-specific route announcement via NetBond, resulting in an asymmetrical routing failure.
[Diagram: AT&T VPN Provider Edge Routers (ASN 13979); AT&T NetBond vNAT (customer private IP source addresses NAT to AT&T registered IP addresses); Salesforce (ASN 14340, 192.0.2.0/24 and 198.51.100.0/24); On-Premise Server with public address 203.0.113.45. Packet flow: over the Internet, Source 192.0.2.23, Destination 203.0.113.45; the reply, Source 203.0.113.45, Destination 192.0.2.23, follows the NetBond route and leaves the vNAT as Source 32.x.x.x, Destination 192.0.2.23]
Customer edge route table:
Route            AS Path
10.20.10.0/30    13979 I
10.20.10.4/30    13979 I
192.0.2.0/24     13979 14340 I
198.51.100.0/24  13979 14340 I
172.16.0.0/24    I
Option 1: NetBond Reverse NAT for Salesforce Integration with On-Premises Environments
Using the AT&T Cloud Portal, our customer creates a reverse NAT rule. They provide an additional /29 for the new vNAT device as well as a public IP registered with the company via a Regional Internet Registry (RIR). Our customer also supplies translated source and destination IP addresses from their enterprise address space. AT&T will change the Salesforce source address to the customer’s specified “Translated Source”. The public IP address supplied as the “Original Destination” can be changed to a customer-specified “Translated Destination” or left unchanged.
[Diagram: AT&T VPN Provider Edge Routers (ASN 13979); AT&T NetBond with the existing 10.20.10.0/30 and 10.20.10.4/30 and a second vNAT on 10.20.30.0/30 and 10.20.30.4/30; Salesforce (ASN 14340, 192.0.2.0/24 and 198.51.100.0/24); On-Premise Server, Public 203.0.113.45, Private 172.16.0.19. Packet flow: Salesforce sends Source 192.0.2.23, Destination 203.0.113.45; after reverse NAT the packet arrives on premises as Source 10.20.30.9, Destination 172.16.0.19. 203.0.113.45/32 and 32.x.x.x/32 are shown toward Salesforce; 10.20.30.9/32 is shown toward the customer VPN]
Customer edge route table:
Route            AS Path
10.20.10.0/30    13979 I
10.20.10.4/30    13979 I
192.0.2.0/24     13979 14340 I
198.51.100.0/24  13979 14340 I
10.20.30.9/32    13979 I
172.16.0.0/24    I
Salesforce-side route table:
Route            AS Path
203.0.113.45/32  13979 I
32.x.x.x/32      13979 I
192.0.2.0/24     I
198.51.100.0/24  I
NetBond Reverse NAT Rule
Direct Subnet    Original Destination  Translated Source  Translated Destination
10.20.30.0/29    203.0.113.45/32       10.20.30.9/32      172.16.0.19/32
Public IP Address Validation for NetBond Reverse NAT
Prior to creation of the NetBond reverse NAT rule, the public IP address must be verified by AT&T through the associated Regional Internet Registry. During the onboarding session, we will validate this public IP. If a new public IP is needed in the future, validation will occur within two business days after submission on the AT&T Cloud Portal.
Example
Subnet Name: Database_Server
IP Subnet: 203.0.113.45/32
Subnet Type: Public
ASN: Origin AS Associated with IP Address
RIR: ARIN
Option 2: DMZ Architecture for Salesforce Integration with On-Premises Environments
If the on-premises server is located in a DMZ where the firewall does not learn dynamic routing updates from AT&T, our customer can choose to keep the reverse flow on the Internet without any need for AT&T reverse NAT. Because the firewall does not dynamically learn Salesforce routes from NetBond, it will continue to send replies to Salesforce via its default gateway.
[Diagram: AT&T VPN (ASN 13979); AT&T NetBond vNAT; Customer Network with a DMZ hosting 203.0.113.45; Salesforce (ASN 14340, 192.0.2.0/24 and 198.51.100.0/24). Packet flow over the Internet: Source 192.0.2.23, Destination 203.0.113.45; reply Source 203.0.113.45, Destination 192.0.2.23]
Enterprise router table:
Route            Target
10.20.10.0/30    AT&T VPN
10.20.10.4/30    AT&T VPN
192.0.2.0/24     AT&T VPN
198.51.100.0/24  AT&T VPN
203.0.113.45     Firewall
172.16.0.0/24    Internal
DMZ firewall table:
Route            Target
0.0.0.0/0        Internet
172.16.0.0/12    Internal
203.0.113.0/24   DMZ
Option 3: Firewall Reverse NAT for Salesforce Integration with On-Premises Environments
If our customer wishes to keep the reverse flow over the Internet, but the on-premises host resides in a network that learns routes dynamically from AT&T, they can create a NAT rule on their Internet-facing firewall. The NAT rule must change the original Salesforce address in the source field to an internal IP address so that the enterprise routers route the responses back to the firewall.
[Diagram: AT&T VPN (ASN 13979); AT&T NetBond vNAT; Customer Network with the on-premises host 172.16.0.19; Salesforce (ASN 14340, 192.0.2.0/24 and 198.51.100.0/24). Packet flow: Source 192.0.2.23, Destination 203.0.113.45 over the Internet; after the firewall NAT, Source 192.168.15.9, Destination 172.16.0.19 inside the customer network; reply Source 172.16.0.9, Destination 192.168.15.9 back to the firewall]
Firewall Reverse NAT Rule
Original Source  Original Destination  Translated Source  Translated Destination
Any              203.0.113.45/32       192.168.15.9/32    172.16.0.19/32
Enterprise router table:
Route            Target
10.20.10.0/30    AT&T VPN
10.20.10.4/30    AT&T VPN
192.0.2.0/24     AT&T VPN
198.51.100.0/24  AT&T VPN
192.168.15.0/24  Firewall
172.16.0.0/24    Internal
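The asymmetric-routing caution and the three integration options above all come down to one question: after the on-premises host replies to the source address it saw, does a longest-prefix lookup send that reply out the same way the request came in? The following is an added example, not code from the AT&T deck or the NetBond service, that models that lookup over the route tables and NAT rules shown on the slides for the caution case and for Options 1, 2 and 3. The default route on the enterprise router is an assumption (the slides show it only on the DMZ firewall), and the "Internet", "NetBond", "Firewall" target labels and function names are the example's own.

```python
# Added example (not from the AT&T deck): model where an on-premises host's reply to a
# Salesforce-initiated flow is routed, to show the asymmetry the deck warns about and
# how each of the three integration options removes it. Tables and NAT rules are
# constructed from the slide values.
from ipaddress import ip_address, ip_network

# Enterprise router table from the "Caution" slide, plus an ASSUMED default route
# toward the Internet-facing firewall (the slides do not show it on this router).
ENTERPRISE_ROUTES = {
    "10.20.10.0/30": "NetBond",
    "10.20.10.4/30": "NetBond",
    "192.0.2.0/24": "NetBond",       # Salesforce prefix learned via NetBond (AS path 13979 14340)
    "198.51.100.0/24": "NetBond",
    "172.16.0.0/24": "Internal",
    "0.0.0.0/0": "Internet",         # assumption
}

# DMZ firewall table from Option 2: it learns nothing from NetBond.
DMZ_FIREWALL_ROUTES = {
    "0.0.0.0/0": "Internet",
    "172.16.0.0/12": "Internal",
    "203.0.113.0/24": "DMZ",
}

# Reverse NAT rules from the Option 1 (AT&T vNAT) and Option 3 (customer firewall) slides.
ATT_REVERSE_NAT = {"original_destination": "203.0.113.45/32",
                   "translated_source": "10.20.30.9",
                   "translated_destination": "172.16.0.19"}
FIREWALL_REVERSE_NAT = {"original_destination": "203.0.113.45/32",
                        "translated_source": "192.168.15.9",
                        "translated_destination": "172.16.0.19"}

# The inbound flow on the slides: Salesforce 192.0.2.23 to the on-premises public address.
SALESFORCE_TO_ONPREM = ("192.0.2.23", "203.0.113.45")


def lookup(routes, ip):
    """Longest-prefix match over {prefix: target}; returns the target or None."""
    addr = ip_address(ip)
    best = None
    for prefix, target in routes.items():
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def apply_reverse_nat(flow, rule):
    """Rewrite (src, dst) when dst falls inside the rule's original destination."""
    src, dst = flow
    if rule is None or ip_address(dst) not in ip_network(rule["original_destination"]):
        return flow
    return (rule["translated_source"], rule["translated_destination"])


def reply_target(routes, inbound_flow, nat_rule=None):
    """The host replies to whatever source it saw; return where that reply is routed."""
    seen_src, _ = apply_reverse_nat(inbound_flow, nat_rule)
    return lookup(routes, seen_src)


def is_symmetric(inbound_via, reply_via):
    """True when the reply leaves the way the request came in.

    A reply handed to the Internet-facing firewall counts as leaving via the Internet.
    """
    if inbound_via == "Internet":
        return reply_via in {"Internet", "Firewall"}
    return reply_via == inbound_via


def evaluate_options():
    """Return {scenario: symmetric?} for the caution case and the three options."""
    # Caution: forward vNAT only; the request came in over the Internet.
    forward_only = reply_target(ENTERPRISE_ROUTES, SALESFORCE_TO_ONPREM)
    # Option 1: the flow now arrives over NetBond and 10.20.30.9/32 is announced into the VPN.
    routes_opt1 = {**ENTERPRISE_ROUTES, "10.20.30.9/32": "NetBond"}
    opt1 = reply_target(routes_opt1, SALESFORCE_TO_ONPREM, ATT_REVERSE_NAT)
    # Option 2: the DMZ host's gateway is the firewall, which only has a default route.
    opt2 = reply_target(DMZ_FIREWALL_ROUTES, SALESFORCE_TO_ONPREM)
    # Option 3: the firewall NATs the source to 192.168.15.9, a prefix routed back to the firewall.
    routes_opt3 = {**ENTERPRISE_ROUTES, "192.168.15.0/24": "Firewall"}
    opt3 = reply_target(routes_opt3, SALESFORCE_TO_ONPREM, FIREWALL_REVERSE_NAT)
    return {
        "forward_vnat_only": is_symmetric("Internet", forward_only),
        "option1_att_reverse_nat": is_symmetric("NetBond", opt1),
        "option2_dmz": is_symmetric("Internet", opt2),
        "option3_firewall_reverse_nat": is_symmetric("Internet", opt3),
    }


if __name__ == "__main__":
    for name, ok in evaluate_options().items():
        print(f"{name:30s} {'symmetric' if ok else 'ASYMMETRIC (routing failure)'}")
```

The forward-only case fails because the reply to 192.0.2.23 matches the 192.0.2.0/24 prefix learned over NetBond while the request arrived from the Internet; each option either moves the request onto NetBond as well (Option 1) or keeps the reply off the NetBond prefix by routing it to a gateway that has no NetBond routes (Options 2 and 3).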
Next Steps
Summary Steps
1. Obtain Salesforce subscription.
2. Work with the AT&T account team to sign up for NetBond services. A welcome letter will provide credentials to the AT&T Cloud Services Portal (www.synaptic.att.com).
3. Identify any “reverse” flows required for integration with on-premises hosts. Submit public IP addresses for authorization.
4. Create NetBond Virtual Network Connection (Required: Name of AT&T VPN, region, free-form name for Virtual Network Connection, and minimum bandwidth commitment.)
5. Create NetBond VLAN (Required: /29 address space and free-form name.)
6. Create the reverse NAT rules. (Required: /29 address space, authorized public IP address, translated source IP address, and translated destination IP address.)
What’s Next After Activation? Confirming Connectivity
1. After successfully creating your Virtual Network Connection (VNC) and VLAN, we want to confirm basic network connectivity to Salesforce.
2. To confirm traffic is routing over NetBond, please do a traceroute to a Salesforce destination to verify it is reaching your NetBond VLAN IP address.
3. To confirm connectivity with Salesforce, we ask that you perform a simple test such as accessing https://login.salesforce.com.
4. After basic connectivity is confirmed, we ask that you take the following five business days to test your applications over NetBond. Our Client Technical Lead (CTL) is available to assist during this time if you have any questions or concerns, and they can be reached at [email protected].
5. After five business days, our cloud support team is available 24x7 to provide technical support and answer any questions. In addition, if you run into an emergency over these next five days, please open a ticket in the Cloud Portal to engage our cloud support team.
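Step 2 of the connectivity check asks for a traceroute that shows the path reaching the NetBond VLAN address. The following is an added example, not code from the AT&T deck or the NetBond service, that parses traceroute output and reports whether any hop lies inside the VLAN /29 from the earlier slides. Both traceroute outputs are constructed: the hop addresses, the timings and the use of 198.51.100.20 as the Salesforce login address are placeholders, and the function names are the example's own.

```python
# Added example (not from the AT&T deck): confirm from traceroute output that the path to a
# Salesforce destination passes through the NetBond VLAN block. All output is constructed.
import re
from ipaddress import ip_address, ip_network

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed output for a path that traverses the NetBond VLAN 10.20.10.0/29.
TRACEROUTE_VIA_NETBOND = """\
traceroute to login.salesforce.com (198.51.100.20), 30 hops max, 60 byte packets
 1  172.16.0.1 (172.16.0.1)  0.412 ms  0.389 ms  0.371 ms
 2  10.20.10.1 (10.20.10.1)  8.120 ms  8.098 ms  8.077 ms
 3  10.20.10.5 (10.20.10.5)  9.004 ms  8.990 ms  8.961 ms
 4  198.51.100.20 (198.51.100.20)  12.301 ms  12.277 ms  12.250 ms
"""

# Constructed output for a path that left through the Internet firewall instead.
TRACEROUTE_VIA_INTERNET = """\
traceroute to login.salesforce.com (198.51.100.20), 30 hops max, 60 byte packets
 1  172.16.0.1 (172.16.0.1)  0.402 ms  0.380 ms  0.366 ms
 2  203.0.113.1 (203.0.113.1)  1.930 ms  1.902 ms  1.880 ms
 3  * * *
 4  198.51.100.20 (198.51.100.20)  25.144 ms  25.120 ms  25.090 ms
"""


def parse_hops(output):
    """Return [(hop_number, address or None)]; lines with only '*' yield None."""
    hops = []
    for line in output.splitlines():
        m = re.match(r"\s*(\d+)\s+(.*)$", line)
        if not m:
            continue                    # the 'traceroute to ...' header line
        hop_no, rest = int(m.group(1)), m.group(2)
        addr = IPV4.search(rest)
        hops.append((hop_no, addr.group(1) if addr else None))
    return hops


def netbond_hops(output, vlan_cidr):
    """Hops whose address lies inside the NetBond VLAN block."""
    vlan = ip_network(vlan_cidr)
    return [(n, a) for n, a in parse_hops(output) if a and ip_address(a) in vlan]


def traverses_netbond(output, vlan_cidr):
    """True when at least one hop is inside the VLAN block, i.e. traffic is on NetBond."""
    return bool(netbond_hops(output, vlan_cidr))


if __name__ == "__main__":
    for label, out in (("netbond", TRACEROUTE_VIA_NETBOND), ("internet", TRACEROUTE_VIA_INTERNET)):
        print(label, "->", "on NetBond" if traverses_netbond(out, "10.20.10.0/29") else "NOT on NetBond")
```

In practice the output fed to parse_hops would be the live traceroute to the Salesforce destination; a result of "NOT on NetBond" means the Salesforce routes have not yet reached the customer edge, or a more specific route or default is steering the traffic elsewhere, which is the point to raise with the Client Technical Lead during the test window.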
VNC Itemized Billing
If a customer requires internal cost allocation for additional Cloud Provider connections along with Salesforce, they will need to establish individual subaccounts during initial VNC creation. This will provide itemized billing on the invoice.
Considerations
• Users that need access to all subaccounts should be configured as Enterprise Managers.
• Usage Notification Alerts are per subaccount.
• Portal Reporting is per subaccount.
• NetBond features that are in controlled introduction would require an AT&T Cloud Portal trouble ticket. You will need to create the subaccount first so that AT&T can complete the service ticket request.
• Once a VNC is created under one subaccount, it cannot be migrated to another subaccount. It must be rebuilt in the new subaccount, which will result in downtime.