Deployment Experience: Singtel CN2 Access Practice in a Multi-Cloud Environment

2026-03-26 21:39:15

1. Project preparation and requirement confirmation

- Clarify the requirements: public network or dedicated line access (IPsec/Direct Connect/MPLS);
- Determine traffic direction, bandwidth, SLA, and redundancy (two links or two cloud vendors);
- Prepare information: customer AS number, reserved IP segment, public and private network mapping, cloud VPC/VNet ID and subnet.

2. Network topology design

- Draw a logic diagram: CN2 egress -> operator switch/peering -> cloud-side router/gateway;
- Decide on BGP or static routing: it is recommended to use eBGP with AS numbers across clouds for route propagation and fault recovery;
- Design subnet/VRF partitions, routing policies, ACLs and NAT boundaries.

3. Physical and link preparation

- Confirm the delivery point with Singtel: PoP equipment room, port type, MTU, link label;
- If IPsec is used, prepare the public network egress IP and IKE parameters (IKEv2/PSK or certificate);
- If using Direct Connect/MPLS, confirm VLAN/VCI and L2/L3 delivery information.

4. Cloud-side gateway and router configuration (taking common clouds as an example)

- In AWS: create a VGW/Transit Gateway and associate the VPC, then configure a VPN connection or Direct Connect;
- In Azure: create an ExpressRoute or VPN gateway and configure the connection; in GCP: create a Cloud Router and configure BGP;
- Keep the MTU consistent between the local side and the cloud side (1500 is recommended, or confirm according to the CN2 link).

5. Specific steps for establishing BGP peering (example)

- Confirm the AS numbers and peer IPs of both parties; create a BGP session on the cloud side and fill in the local AS, peer AS, and peer IP;
- Configure keepalive/hold time (60/180 is commonly used) and enable multipath (ECMP) if necessary;
- Check BGP neighbor status: show ip bgp summary / cloud console status.

6. Routing strategies and filters

- Apply prefix filtering on inbound: allow customer prefixes, block bogons and excessively long prefixes;
- On outbound, apply a route-map/community that modifies MED/localpref to control route preferences;
- Set blacklists and whitelists for cross-cloud traffic down to the subnet level.
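
The inbound prefix filter from step 6, written out as an added example (not code from the original article) that decides which received IPv4 prefixes to accept. The customer ranges, the bogon list and the /24 length limit are constructed assumptions, and the result labels are hypothetical names.

```python
import ipaddress

# Constructed policy values (assumptions; the article gives no concrete prefixes).
CUSTOMER_ALLOW = [ipaddress.ip_network(p) for p in ("10.20.0.0/16", "10.30.0.0/16")]
# RFC 1918 space is left out of this bogon list on the assumption that the
# private link carries VPC ranges; the allowlist still bounds what is accepted.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4")]
MAX_LEN = 24  # longest mask accepted from the peer (assumed value)

def check_inbound(prefix):
    """Return (accepted, reason) for one IPv4 prefix received from the peer."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)  # host bits set -> error
    except ValueError:
        return False, "malformed"
    if net.version != 4:
        return False, "not-ipv4"
    if net.prefixlen == 0:
        return False, "default-route"
    if net.prefixlen > MAX_LEN:
        return False, "too-long"
    if any(net.overlaps(b) for b in BOGONS):
        return False, "bogon"
    # Equivalent of "allowlist prefix le 24": exact match or a more-specific.
    if any(net.subnet_of(a) for a in CUSTOMER_ALLOW):
        return True, "customer-prefix"
    return False, "not-in-allowlist"

def filter_updates(prefixes):
    """Split received prefixes into accepted ones and (prefix, reason) rejects."""
    accepted, rejected = [], []
    for p in prefixes:
        ok, reason = check_inbound(p)
        if ok:
            accepted.append(p)
        else:
            rejected.append((p, reason))
    return accepted, rejected

if __name__ == "__main__":
    # Constructed sample of prefixes announced by a peer.
    sample = ["10.20.4.0/24", "10.20.4.128/25", "192.0.2.0/24", "0.0.0.0/0",
              "172.16.0.0/16", "10.0.0.0/8", "10.20.1.5/24"]
    ok, bad = filter_updates(sample)
    print("accept:", ok)
    for p, why in bad:
        print("reject:", p, why)
```

Note that the covering 10.0.0.0/8 is rejected as well: only the allowlisted ranges and their more-specifics up to /24 pass, so a peer cannot attract traffic with a broader announcement.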

7. Security and encryption (key points of IPsec implementation)

- IKE parameters: IKEv2, encryption AES-GCM/ChaCha20, DH group selection (14 or higher);
- Subnet-level security groups/NSGs allow the BGP port (TCP 179) and necessary service ports;
- Rotate the PSK regularly or use certificates, and enable log auditing.

8. Multi-cloud routing synchronization and traffic engineering

- Synchronize routing policies using centralized routing control (such as SD-WAN or cloud transit);
- Use BGP communities and localpref to distribute traffic between different clouds;
- For critical services, use the CN2 priority link; for non-critical services, use the public internet or a backup link.

9. Testing and verification steps

- Verify that the BGP neighbor is established and the routing table is visible (show ip route/bgp/cloud console);
- Run ping/traceroute to the target cloud resource and record delay and packet loss;
- Run bandwidth tests (iperf3) and observe queues and packet loss under high concurrency.

10. Monitoring, alerting, and operations

- Deploy traffic monitoring (NetFlow/sFlow/cloud monitoring) and set threshold alarms;
- Monitor BGP status, packet loss, delay, and queue length, and regularly run link health check scripts;
- Establish a change management process to record each routing/policy change.

11. Common faults and troubleshooting steps

- BGP is not established: check whether an access-list/firewall blocks TCP 179 and confirm that the AS number/IP is correct;
- Route failure: check route propagation, NAT rules, MTU, and VRF isolation issues;
- Performance issues: check link congestion, QoS settings, and the points where packet loss occurs.

12. Question: what information is necessary to access CN2?

- Answer: you must provide the customer's public/private network IP, customer AS number, expected bandwidth, business priority, cloud-side VPC/VNet ID and available subnets, etc., and confirm the delivery point, MTU, VLAN number or VPN parameters with Singtel.

13. Question: how to ensure that traffic between multiple clouds goes through CN2 instead of the public network?

- Answer: in the routing policy, set localpref on the CN2 prefixes or use BGP community tags, combine this with the SD-WAN/transit gateway to deliver the policy centrally, and prioritize the BGP path established through CN2 on the cloud side.

14. Question: what are some quick suggestions for common performance optimizations after deployment?

- Answer: adjust MTU to avoid fragmentation, enable multipath ECMP, use MED/localpref in BGP to optimize paths, apply QoS based on business classification, and monitor link delay and packet loss for regular adjustments.
