PortaSwitch deployment in a cloud

PortaOne introduces the concept of PortaSwitch as a cloud-based solution. With this solution, you do not need to purchase hardware servers and/or spend time and effort on their maintenance. Instead, you decide upon the processing capacity you require for your business, submit your request to the PortaOne Sales team and then receive a scalable, ready-to-use platform that operates in a cloud. Thus you start your business faster and speed up your payback.

The key features of the cloud-based PortaSwitch solution are:

• Near-zero CAPEX and reduced OPEX – By deploying PortaSwitch in a cloud, you save on hardware purchases and provisioning. The cloud infrastructure is maintained by PortaOne, which drastically reduces the load on your administrative staff.

• Reduced deployment time – You receive the platform, ready-to-use, within a day.

• Flexible scalability – The processing capacity can be increased/decreased on demand.

• Cloud pricing – The cloud-based PortaSwitch solution does not assume licensing. The pricing consists of a one-time set-up fee and then a recurring subscription fee that is formulated based on the number of billable xDRs processed per month. Customers interested in migrating their existing deployments to a cloud will be eligible for commercial incentives.

The cloud-based PortaSwitch platform is the solution for businesses of all sizes. Due to a reduction in deployment charges, small telcos and startups can use it to enter the telecommunications market. Large ITSPs can also use PortaSwitch to:

• Deploy a new installation (site) in another region/country to introduce geo-redundancy and perform software upgrades with zero down-time;

• Gradually move active customers to new installations using the Porter data transfer tool and thereby introduce a Dual Version of PortaSwitch. (For more information, please read the Dual Version PortaSwitch chapter);

• Quickly deploy a staging system to verify new functionalities or interoperability with third-party equipment.

With PortaSwitch deployed in a cloud, you have advanced flexibility in managing your network infrastructure. Even with reduced deployment budgets, businesses of all sizes can become active players in the telecommunications market.

There are several ways to deploy PortaSwitch: on the premises on hardware servers, in a cloud or as a combination of both (e.g., you disperse PortaSwitch across multiple sites for redundancy or deploy a Dual Version PortaSwitch for gradual customer migration).

For PortaSwitch installations deployed both in a cloud and on the premises, a reliable and secure interconnection must be established between these two locations. In practice, this means building a VPN that combines networks from both the cloud infrastructure and the on-premises data center. Typically, site-to-site VPNs use tunnels to encapsulate data packets within normal IP packets and forward them over public IP-based networks, using encryption to ensure privacy.

The configuration of such a tunnel involves the following:

1. set up a VPN endpoint within a cloud network;

2. set up a VPN endpoint within an on-premises network;

3. make sure that both VPN endpoints freely exchange TCP/UDP traffic on ports 500 (ISAKMP) and 4500 (NAT traversal);

4. enable a tunnel between the two VPN endpoints and check the connectivity.

To set up a VPN endpoint in a PortaSwitch cloud network, submit a request to the PortaOne Support team. The request must include the following information:

• a public IPv4 address for a VPN endpoint located on the premises;

• the IP address of the private on-premises network that will be added to the VPN.

Once a VPN endpoint in a PortaSwitch cloud network is configured, you are provided with its public IPv4 address, pre-shared key and a private cloud network address.

To set up a VPN endpoint in the on-premises network, either a VPN-capable device or software-based router is required (both must support standard-based IPSec encryption). Such a device/software router must be placed in the on-premises network and have a public IPv4 address assigned to it. It must also comply with the following ISAKMP policy options:

• ISAKMP protocol, version 1;

• exchange type: main mode;

• authentication method: pre-shared keys;

• encryption algorithms: AES-128-cbc, AES-192-cbc, AES-256-cbc;

• authentication algorithm: SHA1 (also called SHA or SHA1-96), SHA-256, SHA-384;

• Diffie-Hellman group: group 1, group 2, group 5; and

• IKE session key lifetime: 28800 seconds (8 hours).

Additionally, support of the following IPSec policy options is required:

• IPSec protocol: ESP, tunnel-mode;

• encryption: AES-128-cbc, AES-192-cbc, AES-256-cbc;

• authentication algorithm: HMAC-SHA1-96;

• IPSec session key lifetime: 3600 seconds (1 hour); and

• Perfect Forward Secrecy (PFS): enabled, group 5.

Please refer to https://docs.cloud.oracle.com/iaas/Content/Network/Tasks/configuringCPE.htm for useful details about a specific VPN endpoint configuration.

Provision the public IPv4 address, pre-shared key and private cloud network address of the VPN endpoint configured in the cloud onto an on-premises device (or software router) so that a tunnel between the two VPN endpoints can be established.