Together Wi-Fi 6 and 5G Will Bring a Huge Wave of Innovation

Source: Cisco

The rollout of better connectivity with 5G and Wi-Fi 6 is a once-in-a-generation gamechanger, and I predict an explosion of innovation as a result. We’ve seen it before: when connectivity improves, there is an accompanying wave of new products, services and experiences in all of the adjacent industries, and in networking, that’s a lot! The difference between the upcoming wave of innovation and the one we experienced with 4G and LTE is who will be leading the charge.

4G revolutionized the consumer experience, providing the wireless foundation for the invention of the smartphone and putting the internet into our pockets. The introduction of the smartphone then prompted the development of millions of apps that we access multiple times a day to share photos, find a restaurant, pay bills and accomplish virtually any task or access any service from the palm of our hand. Now, we live with our smartphones always within arm’s reach and demand faster and more reliable connectivity as we use the multitude of services on our devices. It has been the individual consumer that has forced businesses – and even entire industries – to adapt.

5G and Wi-Fi 6 represent the next major leap in connectivity.

Hate when you’re at a concert or sporting event and can’t immediately post a video to your story or get a message to a friend, or when you move to a far corner of the office and lose internet access? That’s because today’s wireless access points and 4G cells can’t handle the number of devices trying to connect simultaneously. Wi-Fi 6 delivers up to 400% greater capacity and is far more effective in crowded settings. Latency is also reduced, allowing faster posting, downloads and loading of apps or webpages. This improved connection will also be less draining on connected devices’ batteries, making them up to four times more power efficient.

The 4G era brought the digital and physical worlds together through a consumer device – the smartphone. This caused massive disruption, as more than one industry found itself completely transformed because consumers could connect and share information in new ways. Many businesses resisted this change until they were forced to adapt, not because of a business opportunity but purely to survive.

The Wi-Fi 6 evolution will be different. As Wi-Fi 6 will reach maturity much quicker than 5G, it will be the enterprise that has the opportunity to drive innovation. And enterprises are hungry to do so, as many businesses have figured out how a digital experience can be a differentiator. They also have more to work with. Lights, fridges, footballs and grapevines are all becoming connected, meaning we can view the world through an entirely new, digital lens. Whether to make operations safer and more efficient, or to offer consumers a more personalized experience, we’ll see companies embrace this transition – not resist it.

The exciting part of all of this is we still don’t know exactly what use cases and applications are going to emerge. That said, I do believe that Wi-Fi 6 will drive innovation in two main areas:

  • immersive experiences
  • IoT at scale

Imagine if students could gain entirely new understanding of past events by reliving them through virtual reality. I’m sure experiencing a Martin Luther King or Abraham Lincoln speech as if you’re there makes for a more lasting impression on a student. Or a surgeon being able to take detailed scans of a patient and practicing a procedure in virtual reality before ever making a cut. A warehouse can be outfitted with millions of sensors to allow autonomous electric robots and vehicles to fulfill orders and ship products almost instantaneously. All of this becomes possible with Wi-Fi 6’s increased bandwidth and lower latency.

Wired for Wireless

Wi-Fi 6 and 5G offer enormous opportunities for productivity and innovation, but successfully adopting these technologies at scale will be a challenge. These innovations will increase business mobile traffic up to seven times by 2022 and the number of IoT devices will increase to the billions. This makes security more complicated and critical and puts intense pressure on IT to manage and secure a constantly growing network. The businesses that can successfully address each of these challenges will be the ones that thrive in the new wireless era.

Cisco has been re-architecting the network to meet these challenges and unveiled its intent-based networking portfolio to prepare customers for this wireless-first world. With a software-focused approach, the network unlocks data and insights that will enable IT to support the business in real-time. It automates routine tasks and embeds security into the network itself. These efforts are helping customers and consumers capitalize on the opportunities Wi-Fi 6 and 5G offer, while ensuring security and the best user experience in an increasingly connected world.

Cisco also completed Wi-Fi 6 connection tests with Intel and Samsung to address the inevitable issues that come with a new standard. New Wi-Fi 6 access points across Cisco’s Catalyst and Meraki portfolios offer custom, programmable chipsets and access to industry-leading analytics capabilities for businesses. These new APs deliver a more secure wireless network and can communicate with multiple IoT protocols, including BLE, Zigbee and Thread.

We’re also introducing a new core switch for the campus network. For 20 years, the Catalyst 6000 family of switches has served as the very foundation of many customer campus networks. It has been one of the most successful, innovative networking products in the history of the Internet. But businesses today require a networking foundation that is built to solve the challenges posed by our new wireless-first world. The new Catalyst 9600 core switch will do just that and will be the foundation for our customer campus networks for many years into the future.

An explosion of innovation is coming. Is your business ready to lead the charge?

 



Cisco Welcomes Stella Low as SVP and Chief Communications Officer

Source: Cisco

Every company today is going through a transformation and Cisco is no different. I believe that what has helped us throughout has been the power of communications – frequent, authentic and transparent communications. This principle is incredibly important to me both internally and externally and has served us well. I am incredibly proud of what our teams have accomplished for our customers and communities around the world, and we are honored to share the work that we do.

Today, I was thrilled to announce to the Cisco team that Stella Low will be joining Cisco as our new SVP and Chief Communications Officer. Stella is an exceptional communicator and leader and will serve as a member of my Executive Leadership Team. Given the strategic importance of communications in this digital age and our belief in transparency, how and when we share our story will be a key factor in our future, the success of our customers, and the impact we will have around the world.

Below is the note I shared with our team at Cisco. I am so honored to welcome Stella to the team.

—————————————————————————————————————————————————–

Hi Team,

You’ve heard me say many times how proud I am of what we have accomplished together over the past few years. We have driven game-changing innovation for our customers, evolved our business model and made Cisco a top place to work all around the world. We have an incredible story – shaped by all of you – which is why I’m excited to welcome Stella Low, our new SVP and Chief Communications Officer (CCO), to Cisco and my Executive Leadership Team.

I’m particularly excited for Stella to join our team, not only because of her breadth of expertise in technology communications, but also for her passion for great storytelling, building strong communities and her inclusive, solutions-oriented approach. She knows that the best teams are diverse teams that come together to drive business results and success for our people.

Stella joins us most recently from Dell Technologies where she served as SVP and head of global communications after Dell’s acquisition of EMC. She had previously served as EMC’s head of communications and, prior to that, led EMEA PR and Communications for EMC. She has held various marketing and communications roles in both large and small companies as well as founded her own communications firm.

As our new CCO, Stella will be responsible for shaping our story and reputation in the market. She and the communications team will drive one connected story spanning our business, our technology and our culture with an emphasis on simplicity and innovation. It is critical that we are able to share our strategy and our story both internally and externally, and Stella will be focused on impactful ways to share the great work that we do.

Originally from the UK, Stella has been working her way west. After moving from London to Boston six years ago, Stella and her husband and daughter are relocating to the Bay Area along with their two toy poodles, Pebbles and Bam Bam.

I’m thrilled that Stella will be joining us starting today. I am confident she will be an incredibly valuable member of our team and I look forward to her expertise and counsel. Please join me in welcoming Stella to Cisco, and thank you, as always, for all that you do for Cisco!

Chuck

 



Unplugged and Uninterrupted: What’s Driving Networking Today

Source: Cisco

Offices. Hospitals. Factories. Hotels. Universities. Sports arenas. In my job, I talk to the people around the world who run technology for all of these types of operations. They tell me that more wireless devices than ever are joining their networks, and that if they have no Wi-Fi, they have no business. Without a network that’s up 24/7, a hospital’s critical medical device might not function. A robot in a warehouse won’t be able to receive commands and a critical process will grind to a halt. A point of sale tablet in a stadium won’t be able to process a fan’s purchase, and perishable demand will be lost.

The network, in short, is critical infrastructure. And the kind of network we’re relying on is changing. In the past, for devices that needed constant connectivity, we’d wire them to our core. Today, our critical devices are just as likely to be wireless: the cart with medical equipment, the roving inventory-picker robot, the handheld ticket scanner. These devices can no longer connect using “best effort” wireless as they might have in the past. The wireless network has to be as rock-solid as wired. It has to provide uninterrupted and unplugged access for users and devices.

Businesses need their IT professionals to understand these issues today, as well as challenges they will be facing in the near future. Having planners who see into the future is one key way businesses stay agile and competitive. So when I speak with IT professionals we often discuss the need to plan for a few key trends.

Trend 1: Expanding Number of Devices Connected

It’s not just that every employee of a business has a device (or two) that they connect to our networks. Today, every single person visiting a business comes with several devices, and the number of devices per person (phone, watch, headphones) continues to grow.

But that’s just the tip of the iceberg. Everything today is getting connected. From light bulbs to medical diagnostic equipment, there is hardly a single new piece of infrastructure that is not connected today, or that won’t be tomorrow. IT staffs are not getting larger to match this growth. For IT to provide uninterrupted connectivity to all these devices, simplicity is the key to scaling up.

Trend 2: Reliability and Security

As much as businesses are eager to adopt the latest technology, the networks must be reliable and safe – all the time, no matter the situation. And the more connections we open up, the more exposure a network has. The major security threats today are also different from what we were protecting against just a few years ago. Today, data theft isn’t the only challenge. We need to protect networks and devices from outright sabotage. Ransomware is now used to take down businesses. The impact can be brutal. The NotPetya attack cost businesses over $10 billion in 2017, and some of the hardest-hit companies were completely compromised in under four minutes.

Additionally, the bulk of incremental devices landing on the network are unmanaged, not laptops or phones that are managed by IT. This means classical pieces of the security kill chain – endpoint tools such as antivirus software, MDM (Mobile Device Management), and EDR (Endpoint Detection and Response) – don’t come into play. The increase in device and OS diversity can also lead to a dramatic rise in alerts from legacy network security tools, making them essentially ineffective for SecOps departments already suffering from alert fatigue. Finally, unmanaged devices can also be weaponized by attackers; they’re often highly vulnerable to botnets, like Mirai, which continue to rapidly evolve.

Trend 3: Immersive and Real-time Computing

The way we interact with technology is evolving, too. Since computing first became part of business, we have moved from batch processing, to command lines, to interactive experiences on our computers and handheld devices. We are now moving into the era of truly immersive computing, in which users will expect real-time and high definition imagery as part of the interface. This means not just pervasive use of high definition collaboration tools (like Cisco’s own Telepresence products) but also expanded use of augmented reality and virtual reality in a variety of business applications. These applications need both high bandwidth and ultra-low latency for their real-time experiences. The same goes for machines that are making real time decisions. Increasingly the expectation is that all of this is achievable over both wired and wireless networks.

Our networks need to support new levels of speed, reliability, and scale. That’s what we’ve been building. We have been working hard on our entire suite of networking products, from Wi-Fi ASICs to core switches, to our software fabric that ties it all together. We believe that when you can work with the network holistically, and not just as a series of parts connected through patchwork, you can raise the value of networking and business overall.

The fundamentals of network design in the coming years are anchored in three architectural principles to serve the needs I outlined above. These design points are: Wireless First; Cloud Driven; and Data Optimized.

Wireless First

Every part of our networking stack has to be built for always-on wireless. This means that the entire network, from switch to device, needs to be built to support full-time, uninterrupted access for all users. High-availability systems need to be everywhere, not just in the core of the campus network. Technology like cold and hot patching, perpetual POE, non-stop forwarding (NSF), automated rapid and rolling upgrades, and much more need to be built into every applicable layer of the campus and branch network.

Building wireless-first networks means we no longer think of wired and wireless as two distinct systems. We need to consider the impact of wireless technologies – like new Wi-Fi 6 access points that support four times the bandwidth of current models – at the same time as we plan our wired systems. Wireless, of course, aggregates to wired, and the wired network must also evolve. Technology like multi-gigabit ethernet must be driven into the access layer, which in turn drives higher bandwidth needs at the aggregation and core layers.

Even more importantly, to securely connect and protect the flood of managed and unmanaged devices on our networks, and to manage it all, we must treat the network as one single software-defined fabric. This allows us to segment the network and make sure that if one device gets infected by malware, it cannot easily spread to other devices.

Cloud-Driven

The cloud has helped businesses achieve great feats at grand scales. It offers the same potential for network management and efficiency.

A cloud-driven network infrastructure provides new capabilities to on-prem network equipment, most importantly by giving your network access to the continuous improvement inherent in cloud services. When we leverage the cloud we can transform how we operate a network, with better support, better IT processes, and by applying data insights.

Cloud-driven network management also lets Cisco work alongside IT pros. We can work proactively and in real-time when there are issues to address, instead of waiting for a support call. Insights that we gather from cloud-driven peer networks globally enable us to act more dynamically to keep networks functioning at peak efficiency – and make dynamic, business-led improvements easier as well.

This architectural principle gives IT pros a lot of flexibility. Enterprises can choose what data they share; whether their controller and management layers are on-prem or off; and they can choose how they engage with us for support and consultation.

Data-Optimized

We can use the data and analytics from our networks not just to improve our networks themselves (making them more secure and more efficient), but to serve our business outcomes. This is the most exciting area of growth in networking. It’s ultimately what networks are for: Driving business forward.

We start with taking the reactive model of IT support and putting it on a new footing: proactive, based on next-generation analytics. We now leverage data to resolve issues before they impact business, or even before a user calls in a problem. If a failure does sneak through, analytics can pinpoint the cause and scope quickly, to speed remediation. We can determine with confidence when an issue is network-related and when it isn’t – speeding up the mean time to innocence for network professionals, which can be key to their career success.

Our business operations themselves also generate valuable data. For example, nearly every single person today is carrying a mobile device that will be noticed by a business’s wireless access points. Data from these interactions can be applied to all sorts of issues that go straight to the bottom line. We can help a business determine where its customers are and how they flow through its facilities. These insights lead to better customer engagements, and they improve the ROI of a network.

The same technology is being used in medical and industrial facilities now to make sure that high-value equipment is where it’s needed and is staged appropriately when it’s not in use. Solutions like these go straight to business outcomes.

We can also use network data to improve our security posture. We use participating customers’ network telemetry, along with our global threat intelligence, to discern patterns in network traffic that indicate the presence of malware within encrypted traffic. We give enterprises a layer of insight into encrypted traffic — without decrypting it. Based on this posture they can choose to deny this traffic, or selectively decrypt it. They can balance security with privacy, and control for the cost of decrypting traffic at scale.

In sum, we feed data from all network sources into analytics engines and machine learning systems, and this leads to insights we apply to security, IT operations, and business outcomes.

The way forward

This outcome-driven architecture is what we have been building for the last two years. It’s why we are all-in on intent-based networking. For unplugged and uninterrupted networking, we need our systems to be wireless first, cloud-driven, and data-optimized.

To see how we are modernizing the network, from endpoint to device, see our latest news.

 



When to use SMB WriteThrough in Windows Server 2019

Source: Veeam

Today, we are going to discuss the Server Message Block (SMB) protocol, which is incorporated into all Windows versions, both client and server. It is enabled by default and used to share files and printers. There are rather few versions of this protocol, but it was SMB 2.0, released with Windows Vista in 2006, that considerably improved its performance. Today, the latest version is SMB 3.1.1, which was released with Windows 10 and Windows Server 2016.

The focus of this version was on security by adding support for more encryption algorithms, leaving the performance practically unchanged. And although we don’t get the new protocol version with Windows Server 2019, there is one novelty added to the SMB protocol that affects the client side.

SMB cache

With the release of Windows Server 2019 (also available in Windows 10 version 1809), SMB connections on the client side now can be used without the SMB cache. In certain scenarios, this will accelerate the transfer of files sent using this protocol.

Here’s how you find this new parameter:

  • For the Command Prompt, it’s the WRITETHROUGH parameter for the command Net Use
  • For PowerShell, it’s the UseWriteThrough parameter for New-SmbMapping cmdlet.

 

Let’s see how it works and when it’s a good idea to use it.

SMB operation without the WriteThrough/UseWriteThrough parameters

By default, when a Windows SMB client makes a connection to an SMB server, the client uses the SMB cache. Keep in mind that this SMB client can itself be a Windows Server.

The SMB client is the computer that makes the connection to a shared resource, and the SMB server is the computer that hosts that shared resource. The SMB cache is very useful in most cases. For example, imagine a user accessing their files on a file server. When they open a file for the first time, the SMB client downloads it completely but saves it in the cache. When the user modifies the file and saves it, the file is not downloaded again; the load is faster since the file is in the cache. That is the default behaviour of the SMB cache for the SMB client, and it works in every Windows SMB version.

What is the WriteThrough parameter for?

This parameter allows you to map a network drive with forced access (“direct write”) and thus bypass all the operating system caches, forcing reads and writes to go to disk.

Previously, “direct writing” was only possible in the shared resources of the cluster with the option marked “Continuous Availability.” In addition, version 3 of the SMB protocol and at least Windows Server 2012 were required. But with Windows Server 2019 and Windows 10 v.1809 you can now force the “direct write” from the client side.

Tip: To quickly check the version of your Windows Server (or Windows 10), run the winver command in either cmd or PowerShell.

When to use it?

This option can be used when we know for sure that the file that we’re going to write doesn’t exist at the destination yet and is of a considerable size. For example, it’ll be much faster for a backup software to write a backup file via SMB connection with “WriteThrough” parameter, avoiding the operating system’s cache.

How to enable the SMB WriteThrough connection

As previously noted, SMB connections are made from the SMB client, so to enable this, we would need to do the following.

WriteThrough with CMD

Execute the Net Use command to see the new WRITETHROUGH parameter:

Net Use \\Server\share /WriteThrough

If you want to assign a drive letter, execute:

Net Use (Drive letter): \\Server\share /WriteThrough

Connection example:

– Destination SMB Server: SYSADMIT-PC1

– Destination SMB Shared folder: SYSADMIT-Share

– Network drive: None

Example command would look like:

Net Use \\SYSADMIT-PC1\SYSADMIT-Share /WRITETHROUGH

WriteThrough with PowerShell

The equivalent to the Net Use command in PowerShell is the New-SmbMapping cmdlet. It also allows us to make SMB connections without caching using the UseWriteThrough parameter.

Example:

– Destination SMB Server: SYSADMIT-PC1

– Destination SMB Shared folder: SYSADMIT-Share

– Network drive: S:

Example command would look like:

New-SmbMapping -LocalPath 'S:' -RemotePath '\\SYSADMIT-PC1\SYSADMIT-Share' -UseWriteThrough $True
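To check whether write-through actually helps for the "new, large file" case described under "When to use it?", the following added example (not from the original post) times the same copy over a cached and a write-through mapping. The source file path is a hypothetical placeholder, and build 17763 is used as the build number of Windows Server 2019 / Windows 10 version 1809.

```powershell
$ErrorActionPreference = 'Stop'

# Server and share are the article's example names; $Source is a hypothetical large local file.
$RemotePath = '\\SYSADMIT-PC1\SYSADMIT-Share'
$Source     = 'D:\Backups\sample-full.vbk'

function Measure-SmbCopy {
    param(
        [Parameter(Mandatory)] [string] $RemotePath,
        [Parameter(Mandatory)] [string] $Source,
        [switch] $WriteThrough
    )

    # Map the share without a drive letter; add -UseWriteThrough only when requested.
    # New-SmbMapping fails if a connection to the share already exists, so run this
    # from a session that has no open mapping to $RemotePath.
    $mapArgs = @{ RemotePath = $RemotePath }
    if ($WriteThrough) { $mapArgs['UseWriteThrough'] = $true }
    New-SmbMapping @mapArgs | Out-Null

    # Unique name, so the file never exists at the destination beforehand.
    $dest = Join-Path $RemotePath ('wt-test-{0}.bin' -f [guid]::NewGuid())
    try {
        $elapsed = Measure-Command { Copy-Item -LiteralPath $Source -Destination $dest }
        $sizeMB  = (Get-Item -LiteralPath $Source).Length / 1MB
        [pscustomobject]@{
            WriteThrough = [bool]$WriteThrough
            SizeMB       = [math]::Round($sizeMB, 1)
            Seconds      = [math]::Round($elapsed.TotalSeconds, 2)
            MBPerSecond  = [math]::Round($sizeMB / $elapsed.TotalSeconds, 1)
        }
    }
    finally {
        # Always clean up the test file and the mapping, even if the copy failed.
        Remove-Item -LiteralPath $dest -ErrorAction SilentlyContinue
        Remove-SmbMapping -RemotePath $RemotePath -Force
    }
}

# The client-side parameter needs Windows Server 2019 / Windows 10 1809 (build 17763) or later.
$build = [System.Environment]::OSVersion.Version.Build
if ($build -lt 17763) {
    throw "Build $build is older than 17763; -UseWriteThrough is not available on this client."
}

$results = @(
    Measure-SmbCopy -RemotePath $RemotePath -Source $Source
    Measure-SmbCopy -RemotePath $RemotePath -Source $Source -WriteThrough
)
$results | Format-Table -AutoSize
```

The second run reads the source from a warm local file cache, so repeat the pair in the opposite order before drawing conclusions.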

Conclusion

As you see, it’s pretty easy to utilize the WriteThrough ability with a few short commands. What’s important is to understand when it’s a good idea to use it, since in most cases using the cache is fine. But in certain scenarios, like creating new large files at the destination, we would benefit from bypassing the SMB cache.

The post When to use SMB WriteThrough in Windows Server 2019 appeared first on Veeam Software Official Blog.



How to enable MFA for Office 365

Source: Veeam

Starting from the recently released version 3, Veeam Backup for Microsoft Office 365 allows for retrieving your cloud data in a more secure way by leveraging modern authentication. For backup and restores, you can now use service accounts enabled for multi-factor authentication (MFA). In this article, you will learn how it works and how to set up things quickly.

How does it work?

For modern authentication in Office 365, Veeam Backup for Microsoft Office 365 leverages two different accounts: an Azure Active Directory custom application and a service account enabled for MFA. An application, which you must register in your Azure Active Directory portal in advance, will allow Veeam Backup for Microsoft Office 365 to access Microsoft Graph API and retrieve your Microsoft Office 365 organizations’ data. A service account will be used to connect to EWS and PowerShell services.

Correspondingly, when adding an organization to the Veeam Backup for Microsoft Office 365 scope, you will need to provide two sets of credentials: your Azure Active Directory application ID with either an application secret or application certificate, and your service account name with its app password.

Can I disable all basic authentication protocols in my Office 365 organization?

While Veeam Backup for Microsoft Office 365 v3 fully supports modern authentication, it has to fill in the existing gaps in Office 365 API support by utilizing a few basic authentication protocols.

First, for Exchange Online PowerShell, the AllowBasicAuthPowershell protocol must be enabled for your Veeam service account in order to get the correct information on licensed users, users’ mailboxes, and so on. Note that it can be applied on a per-user basis and you don’t need to enable it for your entire organization but for Veeam accounts only, thus minimizing the footprint for a possible security breach.

Another Exchange Online PowerShell authentication protocol you need to pay attention to is AllowBasicAuthWebServices. You can disable it within your Office 365 organization for all users — Veeam Backup for Microsoft Office 365 can make do without it. Note, though, that in this case you will need to use an application certificate instead of an application secret when adding your organization to Veeam Backup for Microsoft Office 365.

Last but not least, to be able to protect text, images, files, video, dynamic content and more added to your SharePoint Online modern site pages, Veeam Backup for Microsoft Office 365 requires LegacyAuthProtocolsEnabled to be set to $True. This basic authentication protocol setting takes effect for your entire SharePoint Online organization, but it is required to work with certain specific services, such as ASMX.
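The scoping described in this section can be expressed with Exchange Online authentication policies and the SharePoint Online tenant setting. This is an added example, not taken from the Veeam post: the policy names and the service account address are placeholders, and it assumes Exchange Online PowerShell and SharePoint Online Management Shell sessions are already connected and that no other client in the organization depends on basic authentication.

```powershell
# Placeholder for the Veeam service account (assumption, not from the article).
$ServiceAccount = 'veeam-svc@contoso.onmicrosoft.com'

# 1. Organization-wide default: a new authentication policy has every
#    AllowBasicAuth* switch off, including AllowBasicAuthWebServices.
New-AuthenticationPolicy -Name 'Block Basic Auth'

# 2. Exception policy for the Veeam service account only:
#    basic authentication for Exchange Online PowerShell and nothing else.
New-AuthenticationPolicy -Name 'Veeam Service Account' -AllowBasicAuthPowershell

# 3. Assign the exception to the one account, then make the blocking
#    policy the default for every user without an explicit policy.
Set-User -Identity $ServiceAccount -AuthenticationPolicy 'Veeam Service Account'
Set-OrganizationConfig -DefaultAuthenticationPolicy 'Block Basic Auth'

# 4. Review the result: only the Veeam policy should show
#    AllowBasicAuthPowershell = True, and only one user should carry it.
Get-AuthenticationPolicy |
    Format-Table Name, AllowBasicAuthPowershell, AllowBasicAuthWebServices -AutoSize
Get-User -Identity $ServiceAccount |
    Select-Object UserPrincipalName, AuthenticationPolicy
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy -eq 'Veeam Service Account' } |
    Select-Object UserPrincipalName

# 5. SharePoint Online: this setting is tenant-wide, so it cannot be
#    narrowed to the service account the way the Exchange policy can.
Set-SPOTenant -LegacyAuthProtocolsEnabled $true
Get-SPOTenant | Select-Object LegacyAuthProtocolsEnabled
```

With AllowBasicAuthWebServices off for everyone, the organization has to be added to Veeam Backup for Microsoft Office 365 with an application certificate rather than an application secret, as noted above.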

How can I get my application ID, application secret and application certificate?

Application credentials, such as an application ID, application secret and application certificate, become available on the Office 365 Azure Active Directory portal upon registering a new application in the Azure Active Directory.

To register a new application, sign into the Microsoft 365 Admin Center with your Global Administrator, Application Administrator or Cloud Application Administrator account and go to the Azure Active Directory admin center. Select New application registration under the App registrations section:

 

Add the app name, select Web app/API application type, add a sign-on URL (this can be any custom URL) and click Create:

 

Your application ID is now available in the app settings, but there are a few more steps to take to complete your app configuration. Next, you need to grant your new application the required permissions. Select Settings on the application’s main registration page, go to the Required permissions and click Add:

 

In the Select an API section, select Microsoft Graph:

 

Then click Select permissions and select Read all groups and Read directory data:

Note that if you want to use an application certificate instead of an application secret, you must additionally select the following APIs and corresponding permissions when registering a new application:

  • Microsoft Exchange Online API access with the “Use Exchange Web Services with full access to all mailboxes” permission
  • Microsoft SharePoint Online API access with the “Have full control of all site collections” permission

To complete granting permissions, you need to grant administrator consent. Select your new app from the list in the App registrations (Preview) section, go to API Permissions and click Grant admin consent for <tenant name>. Click Yes to confirm granting permissions:

 

Now your app is all set and you can generate an application secret and/or application certificate. Both are managed on the same page. Select your app from the list in the App registrations (Preview) section, click Certificates & secrets and select New client secret to create a new application secret or select Upload certificate to add a new application certificate:

 

For application secret, you will need to add secret description and its expiration period. Once it’s created, copy its value, for example, to Notepad, as it won’t be displayed again:

How can I get my app password?

If you already have a user account that is enabled for MFA for Office 365 and has been granted all the roles and permissions required by Veeam Backup for Microsoft Office 365, you can create a new app password the following way:

  • Sign in to Office 365 with this account and pass additional security verification. Go to the user’s settings and click Your app settings.
  • You will be redirected to https://portal.office.com/account, where you need to navigate to Security & privacy and select Create and manage app passwords.
  • Create a new app password and copy it, for example, to Notepad. Note that the same app password can be used for multiple apps or a new unique app password can be created for each app.

What’s next?

Now you have all the credentials to start protecting your Office 365 data. When adding an Office 365 organization to the Veeam Backup for Microsoft Office 365 scope, make sure you select the correct deployment type (which is ‘Microsoft Office 365’) and the correct authentication method (which in our case is Modern authentication). Keep in mind that with v3, you can choose to use the same or different credentials for Exchange Online and SharePoint Online (together with OneDrive for Business). If you want to use separate custom applications for Exchange Online and SharePoint Online, don’t forget to register both in advance in a similar way as described in this article.

The post How to enable MFA for Office 365 appeared first on Veeam Software Official Blog.



Veeam is presenting at Cloud Field Day 5

Source: Veeam

Today is Cloud Field Day 5, and Veeam will be presenting at 8.30am PST.

Cloud Field Day brings together innovative IT product vendors and independent thought leaders to share information and opinions in a presentation and discussion format. Independent bloggers, speakers, freelance writers, and podcasters have a public presence that has immense influence on the ways that products and companies are perceived by IT practitioners.

During this two-hour session, Anthony Spiteri, David Hill and Michael Cade will be discussing Veeam’s innovative integration with Public Cloud and Service Providers, and will be showcasing Veeam’s flagship features around Cloud Mobility, instant restore and other great features and capabilities.

Tune in and watch the live stream here

Cloud Field Day has brought together a number of key delegates from the virtualization and cloud community. It is truly an interactive and informative session. For more information on the Cloud Field Day delegates click here.

To interact and chat with the presenters during the presentation, follow the links below for twitter information.

Presenters

 

The post Veeam is presenting at Cloud Field Day 5 appeared first on Veeam Software Official Blog.



How to limit egress costs within AWS and Azure

Source: Veeam

With Update 4’s exciting new cloud features, there are settings within AWS and Azure that you should familiarize yourself with to help negate some of the egress traffic costs, as well as help with security.

Right now, let’s talk about the scenarios where:

  • You are backing up Azure/AWS instances with Veeam Backup & Replication and a Veeam Agent, and using Capacity Tier, all inside of AWS/Azure
  • You have a SOBR instance in AWS/Azure and use Capacity Tier
  • N2WS backup and recovery/Veeam Availability for AWS performs a copy to Amazon S3
  • Veeam is deployed within AWS/Azure and you perform a DR2EC2 without a proxy or DR2MA

In AWS, by default, all traffic written into S3 from a resource within a VPC, such as an EC2 instance, faces egress costs in all of the scenarios listed above. By default, we face an egress charge per GB when we archive data into S3 or do a disaster recovery to EC2, where Veeam uploads the virtual disk into S3 so that AWS can convert it to Elastic Block Store (EBS) volumes (AWS VMimport). There is the option to use a NAT gateway/instance, but there is a price associated with that as well.

Thankfully, there is an option that you could enable, which is basically the “don’t charge me egress!” button. That feature is called VPC Endpoints for AWS and VNet Service Endpoints for Azure.

Limit AWS egress costs

As stated by AWS:

“A VPC Endpoint enables you to privately connect your VPC to supported AWS services and VPC Endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network”.

You simply enable VPC Endpoints for your S3 service within that VPC, and you will no longer face egress costs when an EC2 instance is sending data into S3. This is because the EC2 instance doesn’t need a public IP, internet gateway or NAT device to send data to S3.

 

Now that you have enabled the VPC Endpoint, I highly recommend that you create a bucket policy to specify which VPCs or external IP addresses can access the S3 bucket.
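A sketch of such a bucket policy, as an added example that is not from the original post: it builds a Deny statement keyed on `aws:SourceVpc` (present only on requests that arrive through a VPC endpoint) and `aws:SourceIp`, then models which callers it blocks. The bucket name, VPC IDs and CIDR are constructed placeholders, and `is_denied` is a simplified illustration, not the full IAM evaluation logic.

```python
import ipaddress
import json

def build_bucket_policy(bucket, vpc_ids, cidrs):
    """Deny all S3 actions unless the caller is in an allowed VPC or CIDR."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessAllowedVpcOrIp",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            # Condition operators in one statement are ANDed, so the Deny
            # applies only when the request matches neither allowed source.
            "Condition": {
                "StringNotEquals": {"aws:SourceVpc": vpc_ids},
                "NotIpAddress": {"aws:SourceIp": cidrs},
            },
        }],
    }

def is_denied(policy, source_vpc=None, source_ip=None):
    """Simplified model of the Deny above (not the full IAM evaluation).
    Requests through a VPC endpoint carry aws:SourceVpc but no usable
    aws:SourceIp; internet requests carry aws:SourceIp only. A negated
    operator matches when its key is absent from the request."""
    cond = policy["Statement"][0]["Condition"]
    vpc_ok = source_vpc in cond["StringNotEquals"]["aws:SourceVpc"]
    ip_ok = source_ip is not None and any(
        ipaddress.ip_address(source_ip) in ipaddress.ip_network(cidr)
        for cidr in cond["NotIpAddress"]["aws:SourceIp"])
    return not (vpc_ok or ip_ok)

# Constructed sample values: hypothetical bucket and VPC, documentation CIDR.
POLICY = build_bucket_policy("example-veeam-capacity-tier",
                             ["vpc-0123456789abcdef0"], ["203.0.113.0/24"])

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for vpc, ip in [("vpc-0123456789abcdef0", None),   # backup server in VPC
                    ("vpc-0fedcba9876543210", None),   # some other VPC
                    (None, "203.0.113.25"),            # allowed office range
                    (None, "198.51.100.7")]:           # anywhere else
        print(vpc or ip, "->", "deny" if is_denied(POLICY, vpc, ip) else "allow")
```

Because the statement is an explicit Deny for every principal, it also blocks administrators using the console from outside the listed networks, so include the management network's CIDR before applying it.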

Limit Azure egress costs

Azure handles the egress costs from its instances into Blob in the same manner AWS does, but the nomenclature is different: Azure uses VNets instead of VPCs, and it too has a feature that can be enabled at the VNet level, called VNet Service Endpoints.

As stated by Microsoft Azure:

“Virtual Network (VNet) service endpoints extend your virtual network private address space and the identity of your VNet to the Azure services, over a direct connection. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Traffic from your VNet to the Azure service always remains on the Microsoft Azure backbone network.”

 

With Azure, you can then set up a firewall within the storage account to limit internet access to that resource.

Again, this is for instances hosted within a VNet or VPC talking to their respective object storage within the same region, not on-premises to an S3/Azure storage account.

 

The post How to limit egress costs within AWS and Azure appeared first on Veeam Software Official Blog.

