In the last installment, we discussed internal networking and how, when done right, gains a reasonable amount of high availability. We discussed multiple cables, spanning tree, and some inside-out types of internal routing redundancy with VRRP and HSRP.
It’s all great when you build a nice building and a nice local area network (LAN) layout. Your servers are up and your cores are fast and resilient. Users can work – and stay working – even with a network cable (or device) failure. That’s good.
But now we should discuss the other direction, the outside-in traffic flow. There is a time when someone needs to get in from outside of your utopian network. You may offer VPN services for remote workers, you may publish services like a webserver or an email server, and other people need to send you messages or access your website. Those services and workloads are already highly available because we made them so using processes and technologies discussed so far in this blog series. But, how do people access them?
Hint: Probably through an Internet connection
Go look around your building. Deep in the bowels — probably in a hot noisy closest – there is a piece of plywood attached to the wall. On that plywood is a number of blinky-light gadgets and cables and wires. That’s the demarc, the place where your network ends and the Internet begins. Your internet service provider (ISP) places their gear in there and gives you a handoff to your LAN. Ideally, you have two demarcs from two different ISPs, and maybe even in two different closets (environmental considerations, remember?).
But don’t stop there. No discussion of multiple ISPs is complete without a discussion of border gateway protocol (BGP). BGP is the standard public protocol that describes how to get from location to location, or outside-in in this case. You will need to coordinate BGP peering with your multiple ISPs/handoffs to identify the multiple paths (and priorities) of the IP addresses that will be used to access the service that you host in your LAN. See how that all ties together? Typically, ISP1 will plug into Gateway Router 1. ISP2 will plug into Gateway Router 2. Both of these devices – on the outside – will use BGP to properly host IP addresses.
On the inside though, you will probably utilize HSRP or VRRP to host a common virtual gateway that is used to route into a set/cluster of firewalls. If you don’t want to utilize HSRP or VRRP, that’s okay; you have other dynamic routing protocols like enhanced interior gateway routing protocol (EIGRP) or open shortest path first (OSPF) protocol that you can tune to better identify what traffic goes from A to B (or B to A) and which path is the most preferred.
It’s really all about preference. If you line up a group of network architects, they could argue for hours about which option is the best. And frankly, it depends on the situation. The whole purpose here is to start the conversation and make sure that you, the reader, are thinking through things to make your gateway networking as highly available as is reasonable.
If you need some more guidance on the tactics and tips that we touch on in our blog, contact us to learn how we at Mirazon can set up and maintain a highly available work environment.