Building a scalable RAVPN architecture in Oracle Cloud Infrastructure using Cisco Secure Firewall
Oracle Cloud Infrastructure (OCI) provides a wide range of cloud-computing services, workloads, and applications to organizations globally. With Cisco Secure Firewall, organizations are able to build a scalable RAVPN architecture on OCI, providing employees secure remote access to their organization’s resources from any location or endpoint.
This scalable architecture brings together Cisco Security and OCI Infrastructure-as-a-Service (IaaS) and extends remote access VPN capabilities with the combination of Cisco Duo, Cisco Umbrella, and AMP Enabler, also known as Cisco Secure Remote Worker. Extending this solution to your OCI environment protects deployments that span multiple regions and multiple availability domains.
- Cisco AnyConnect Secure Mobility Client – Cisco AnyConnect Secure Mobility Client empowers remote workers with frictionless, highly secure access to the enterprise network from any device, at any time, in any location while protecting the organization.
- Cisco Duo – Multi-factor authentication from Duo protects the network by using a second source of validation and authentication.
- Cisco Umbrella Roaming Security Module – Cisco Umbrella Roaming Security module for Cisco AnyConnect provides always-on security on any network, anywhere, any time — both on and off your corporate VPN. It enforces security at the DNS layer to block malware, phishing, and command and control callbacks over any port.
- Cisco AnyConnect AMP Enabler – Cisco AnyConnect AMP Enabler module protects against malware.
Organizations can deploy Cisco Secure Firewall Threat Defense Virtual (formerly FTDv/NGFWv) and Cisco Secure Firewall ASA Virtual (formerly ASAv) in the OCI environment to enable a secure connection back to the application in the cloud. Traditionally, firewalls scale using clustering, but in the cloud the abstraction of layer 2 makes it impossible to implement native high availability and native firewall clustering.
Architects can still design a scalable architecture using cloud components like Oracle’s Network Load Balancer (NLB) and DNS.
- Design 1 – Load balance RAVPN sessions to multiple firewalls using OCI DNS service
- Design 2 – Load balance RAVPN sessions to multiple Cisco Secure Firewalls using OCI network load balancer service
- Design 3 – Load balance RAVPN sessions across multiple regions using OCI DNS and a network load balancer
Note: Each firewall uses a unique VPN pool, and the OCI route table points to the respective firewall for the VPN pool.
Load balance RAVPN sessions to multiple firewalls using OCI DNS service
In this architecture, we have deployed multiple firewalls across multiple availability domains. The OCI DNS service provides the mechanism for RAVPN load balancing.
- DNS provides an FQDN (example.vpn.com)
- DNS has an “A” record for each firewall
- DNS monitors the health of each firewall using probes
- DNS receives a query for the FQDN and replies with the public IP address of a Cisco Secure Firewall
- The user connects directly to that Cisco Secure Firewall
Load balance RAVPN sessions to multiple Secure Firewall virtual appliances using OCI network load balancer service
In this architecture, we have deployed multiple firewalls across multiple availability domains. OCI NLB provides the mechanism for RAVPN load balancing.
- The user enters the IP address of the load balancer as the VPN headend in the AnyConnect client.
- OCI NLB receives the SSL VPN session request and load-balances it across the firewalls using two-tuple hashing.
- The user connects to the selected Cisco Secure Firewall.
Load balance RAVPN sessions across multiple regions using OCI DNS and a network load balancer
In this architecture, we have deployed multiple firewalls across multiple availability domains and multiple regions. OCI NLB and DNS together provide the mechanism for RAVPN load balancing.
- At the region level, OCI NLB load balances traffic using two-tuple hashing (same as Figure 2)
- At the multi-region level, OCI DNS load balances traffic using DNS weighted average (same as Figure 1)
- DNS provides an FQDN (example.vpn.com)
- DNS has an “A” record for each regional NLB
- DNS monitors the health of each OCI NLB
- DNS receives a query for the FQDN and replies with the public IP address of an OCI NLB
- The user connects to that OCI NLB, which load balances the SSL VPN session to a firewall using the two-tuple hashing method.
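The two design rules that make these deployments hold together are the two-tuple hash at the NLB (Designs 2 and 3) and the unique VPN pool plus matching route table entry per firewall (the note above). The following Python model is an added example, not code from the original post or from Cisco or Oracle; the firewall inventory, route table and policy labels TWO_TUPLE/FIVE_TUPLE are constructed for illustration. It shows why a two-tuple hash keeps a client's TLS and DTLS flows on the same firewall while a five-tuple hash can split them, and checks that VPN pools do not overlap and each routes back to its owning firewall.

```python
import hashlib
import ipaddress
from itertools import combinations
# Constructed inventory: one Secure Firewall per availability domain, each with
# its own VPN pool; "healthy" stands in for the NLB/DNS probe result.
FIREWALLS = {
    "ftdv-ad1": {"ip": "10.0.1.10", "vpn_pool": "172.16.1.0/24", "healthy": True},
    "ftdv-ad2": {"ip": "10.0.2.10", "vpn_pool": "172.16.2.0/24", "healthy": True},
    "ftdv-ad3": {"ip": "10.0.3.10", "vpn_pool": "172.16.3.0/24", "healthy": False},
}
# Constructed OCI route table: VPN pool prefix -> next hop (firewall inside IP).
ROUTE_TABLE = {"172.16.1.0/24": "10.0.1.10", "172.16.2.0/24": "10.0.2.10",
               "172.16.3.0/24": "10.0.3.10"}

def healthy_backends(firewalls=FIREWALLS):
    """Only firewalls whose probe is up are eligible targets."""
    return sorted(name for name, fw in firewalls.items() if fw["healthy"])

def select_backend(policy, src_ip, dst_ip, proto="tcp", sport=0, dport=443,
                   firewalls=FIREWALLS):
    """Model of the NLB hash policy: TWO_TUPLE keys on (src IP, dst IP) only,
    FIVE_TUPLE also on protocol and ports, so a client's flows hash apart."""
    backends = healthy_backends(firewalls)
    if not backends:
        raise RuntimeError("no healthy firewall behind the load balancer")
    key = f"{src_ip}|{dst_ip}"
    if policy == "FIVE_TUPLE":
        key += f"|{proto}|{sport}|{dport}"
    digest = hashlib.sha256(key.encode()).digest()
    return backends[int.from_bytes(digest[:4], "big") % len(backends)]

def anyconnect_session_intact(policy, src_ip, dst_ip, firewalls=FIREWALLS):
    """AnyConnect runs TLS over TCP/443 plus DTLS over UDP/443 from the same
    client; both must reach the firewall that holds the session state."""
    tls = select_backend(policy, src_ip, dst_ip, "tcp", 51000, 443, firewalls)
    dtls = select_backend(policy, src_ip, dst_ip, "udp", 51001, 443, firewalls)
    return tls == dtls

def pool_routing_errors(firewalls=FIREWALLS, route_table=ROUTE_TABLE):
    """Pools must be unique and non-overlapping and routed back to their owner."""
    errors = []
    pools = {n: ipaddress.ip_network(fw["vpn_pool"]) for n, fw in firewalls.items()}
    for a, b in combinations(sorted(pools), 2):
        if pools[a].overlaps(pools[b]):
            errors.append(f"pools overlap: {a} {pools[a]} / {b} {pools[b]}")
    for name, fw in firewalls.items():
        if route_table.get(fw["vpn_pool"]) != fw["ip"]:
            errors.append(f"route {fw['vpn_pool']} must point to {name} ({fw['ip']})")
    return errors
```

Run pool_routing_errors() against the real VPN pools and route table before cutting over; an overlapping pool or a missing route silently sends return traffic to the wrong firewall.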
Additional resources
Cisco Secure Firewall Threat Defense Virtual data sheet
Cisco Secure Firewall ASA Virtual data sheet
Video: Scalable RAVPN architecture for Oracle Cloud using Cisco Secure Firewall