Service Orchestration
To watch a video of this feature, see How to Integrate with Third-Party Service Providers.
Use the Service Orchestration tab to automate the integration of third-party service providers without an API. Service Orchestration automates the creation and deployment of IPSec tunnels and IP SLA probes and manages the lifecycle of the tunnels and probes.
Service Orchestration creates a local tunnel identifier (IKE ID) for each tunnel to the third-party service provider. After the tunnels are created, complete the integration on the third-party service provider’s site by replacing the source identity values with the local tunnel identifiers (IKE IDs) that Orchestrator created for each endpoint.
Prerequisites
- You must have loopback interfaces configured to use the Service Orchestration feature.
- Service Orchestration supports third-party service providers that use IPSec IKEv2 endpoints.
- You will need the following information from the third-party service provider for each endpoint you want to add:
  - Endpoint name
  - IP address
  - Probe address
  - Probe type (Ping or HTTP/HTTPS)
Set Up a New Service
To set up a new third-party service:
1. Click +Add Service and complete the following fields.
   Name: Name of the new service.
   Prefix: A prefix to assign to all tunnels for this service. Orchestrator uses this prefix to filter tunnels and IP SLAs.
2. Click Save.
   A new tab is created on the Service Orchestration page.
   TIP: To edit or delete a service, click the edit icon next to the service name.
3. Select the tab for the new service and follow the steps below to integrate this new service.
Remote Endpoint Configuration
Add the remote endpoints for the third-party service provider. You can add one endpoint at a time or add endpoints in bulk by importing the information from a CSV file.
Add Endpoints One at a Time
1. Click Remote Endpoint Configuration.
   The Add Remote Endpoints dialog box opens.
2. Click +Remote Endpoint.
3. Complete the following fields. Press the Tab key to navigate to the next field.
   Name: Name of the third-party service provider endpoint.
   IMPORTANT: If an endpoint name is decommissioned or modified, you must update the value in this table.
   IP Address: IP address of the third-party service provider endpoint. If you do not have the IP address, you can use the FQDN.
   IMPORTANT: If an IP address is decommissioned or modified, you must update the value in this table.
   Interface Label: The interface labels that can be provisioned for this endpoint. Only labels in this list will be provisioned.
   HINT: Click Interface Label Default to reset the Interface Label for every endpoint in the table to the default value of Any.
   Pre-shared Key: The pre-shared key for the endpoint. To display the pre-shared key, click anywhere in the field. Do one of the following:
   - Edit this field for each endpoint. The value can be an ASCII string, a hex-encoded string (with a 0x prefix), or a base64-encoded string (with a 0s prefix).
   - Click PSK Default to create and save a pre-shared key. Every endpoint will use the pre-shared key you create. Because traffic going to these endpoints is encrypted, it will not compromise security to use the same pre-shared key for each endpoint.
   Probe Address: The third-party service provider endpoint that the IP SLA subsystem will ping. You can obtain the probe address from the third-party service provider.
   IMPORTANT: Orchestrator prefills the Address field in the IP SLA Settings dialog box with this value. If you delete the value in the Probe Address field in this table, Service Orchestration pings the value specified in the Address field in the IP SLA Settings dialog box.
4. Click Save.
5. Repeat steps 2 through 4 for each endpoint you want to add.
6. After your endpoints are created, enter the probe address and a backup remote endpoint for each endpoint you defined.
   Probe Address: The third-party service provider endpoint that the IP SLA subsystem will ping. You can obtain the probe address from the third-party service provider.
   IMPORTANT: Orchestrator prefills the Address field in the IP SLA Settings dialog box with this value. If you delete the value in the Probe Address field in this table, Service Orchestration pings the value specified in the Address field in the IP SLA Settings dialog box.
   Backup Remote Endpoint: Enter the third-party service provider endpoint that you want to use as a backup tunnel. For example, ATL1-Atlanta could use DFW1-Dallas as a backup remote endpoint. If you leave this field empty, the endpoint will not have a backup tunnel. The BIO determines how traffic is handled if the single tunnel, or both the primary and backup tunnels, go down.
   TIP: To delete an endpoint, click the X in the last column of the table.
7. Click Save.
   Updates are orchestrated immediately.
Add Endpoints in Bulk
1. Click Remote Endpoint Configuration.
   The Add Remote Endpoints dialog box opens.
2. Click Import to import a list of remote endpoints from a CSV file. The CSV file must contain columns for name, IP address, interface label, pre-shared key, probe address, and backup remote endpoint, in that order.
   NOTE: Remove any header rows before you import the file.
3. Click Choose File.
4. Navigate to the file, select it, and then click Open.
5. Click Save.
   Updates are orchestrated immediately.
Bulk Edits
To make bulk edits to the table:
1. Click Export.
2. Open the CSV file and delete the three header rows.
3. Modify, save, and close the file.
4. Click Import, and then click Choose File.
5. Locate and select the file, and then click Open.
   Orchestrator updates the table.
6. Click Save.
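The bulk import and bulk edit procedures both depend on a CSV whose six columns are in the order the Import dialog expects and which carries no header rows. The script below is an added example, not Orchestrator code: it strips the three header rows from an exported file, checks each row (IP address or FQDN, the three pre-shared key encodings the page describes, and that every backup remote endpoint names an endpoint that actually exists in the file), and writes an import-ready CSV. The header text, the FQDN syntax check and the sample rows are constructed assumptions; the column order, the header-row counts and the 0x/0s key prefixes are taken from the page.

```python
"""Prepare a remote-endpoint CSV for Service Orchestration bulk import.

Added example, not Orchestrator code. The column order, the "no header
rows on import" rule, the three header rows in an exported file and the
three pre-shared-key encodings come from the page; the exact header text,
the FQDN check and the sample rows below are constructed assumptions.
"""
import base64
import binascii
import csv
import io
import ipaddress
import re

# Column order the Import dialog expects (from the page).
COLUMNS = ["name", "ip_address", "interface_label", "pre_shared_key",
           "probe_address", "backup_remote_endpoint"]
EXPORT_HEADER_ROWS = 3  # an exported file carries three header rows to delete

# RFC 1123-style hostname check; an assumption about how the IP/FQDN field
# should be validated locally, not an Orchestrator rule.
_FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def is_ip_or_fqdn(value):
    """True for an IPv4/IPv6 literal or a syntactically valid host name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(_FQDN_RE.match(value))


def check_psk(psk):
    """Return an error message for a malformed pre-shared key, else None.

    0x prefix means hex-encoded, 0s prefix means base64-encoded, anything
    else is taken as a plain ASCII string (the page's three encodings).
    """
    if not psk:
        return "pre-shared key is empty"
    if psk.startswith("0x"):
        try:
            binascii.unhexlify(psk[2:])
        except (binascii.Error, ValueError):
            return "0x prefix but the body is not valid hex"
        return None
    if psk.startswith("0s"):
        try:
            base64.b64decode(psk[2:], validate=True)
        except (binascii.Error, ValueError):
            return "0s prefix but the body is not valid base64"
        return None
    if not psk.isascii() or not psk.isprintable():
        return "unprefixed key must be printable ASCII"
    return None


def validate_rows(rows):
    """Check each data row; return (rows that passed, list of error strings)."""
    names = {row[0].strip() for row in rows if row}
    clean, errors = [], []
    for lineno, row in enumerate(rows, start=1):
        if len(row) != len(COLUMNS):
            errors.append(f"row {lineno}: expected {len(COLUMNS)} columns, got {len(row)}")
            continue
        name, ip, label, psk, probe, backup = (c.strip() for c in row)
        row_errors = []
        if not name:
            row_errors.append("name is empty")
        if not is_ip_or_fqdn(ip):
            row_errors.append(f"{ip!r} is neither an IP address nor an FQDN")
        psk_error = check_psk(psk)
        if psk_error:
            row_errors.append(psk_error)
        if probe and not is_ip_or_fqdn(probe):
            row_errors.append(f"probe address {probe!r} is invalid")
        if backup and backup not in names:
            row_errors.append(f"backup endpoint {backup!r} is not a defined endpoint")
        if backup and backup == name:
            row_errors.append("an endpoint cannot be its own backup")
        if row_errors:
            errors.extend(f"row {lineno}: {e}" for e in row_errors)
        else:
            clean.append([name, ip, label, psk, probe, backup])
    return clean, errors


def prepare_import(exported_csv, header_rows=EXPORT_HEADER_ROWS):
    """Strip the export header rows, validate, and return (import CSV text, errors)."""
    rows = list(csv.reader(io.StringIO(exported_csv)))[header_rows:]
    rows = [r for r in rows if any(c.strip() for c in r)]  # drop blank lines
    clean, errors = validate_rows(rows)
    out = io.StringIO()
    csv.writer(out, lineterminator="\n").writerows(clean)
    return out.getvalue(), errors


# Constructed sample export: three placeholder header rows, then data rows.
SAMPLE_EXPORT = """\
Service: EXAMPLE-SVC (constructed header row 1)
Exported from Orchestrator (constructed header row 2)
Name,IP Address,Interface Label,Pre-shared Key,Probe Address,Backup Remote Endpoint
ATL1-Atlanta,203.0.113.10,Any,0x00112233445566778899aabbccddeeff,203.0.113.11,DFW1-Dallas
DFW1-Dallas,dfw1.provider.example,INETA,0sQUJDREVGR0hJSktMTU5PUA==,203.0.113.21,ATL1-Atlanta
SEA1-Seattle,203.0.113.30,Any,0xnot-hex,203.0.113.31,NYC1-NewYork
"""

if __name__ == "__main__":
    text, problems = prepare_import(SAMPLE_EXPORT)
    print(text, end="")
    for problem in problems:
        print("ERROR:", problem)
```

Rows that fail a check are reported and left out of the generated file, so an import never silently carries a malformed key or a backup reference to an endpoint that does not exist; fix the reported rows in the export and rerun before clicking Import.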
Interface Labels
Select the Primary and Backup interface labels for your traffic. Backup interface labels will be used if the primary interface labels are unreachable.
1. Click Interface Labels.
   The Build Tunnels using these Interfaces dialog box opens.
2. Drag the interface labels you want to use into the Primary area. (The Peer/Service names in the Tunnels table will be XXX_Primary_1 and XXX_Primary_2.)
3. Drag the interface labels you want to use into the Backup area. (The Peer/Service names in the Tunnels table will be XXX_Backup_1 and XXX_Backup_2.)
4. Drag the interface labels up or down to reorder the list as necessary.
5. Click Save.
Tunnel Settings
1. Click Tunnel Settings to configure the tunnel settings.
   The Tunnel Settings dialog box opens. The General tab is displayed with the Mode field set to IPSec.
2. Complete the following fields as required by the security service.
   Mode: Indicates that the tunnel protocol is IPSec. You cannot edit this field.
   IPSec Suite B Preset: Select an IPSec Suite B Preset if required by the security service (GCM-128, GCM-256, GMAC-128, or GMAC-256). The default setting is None.
   If IPSec Suite B Preset is set to None, no preset is selected, but GCM and GMAC algorithms are available to set independently.
   If an IPSec Suite B preset is selected, various settings on the IKE and IPSec tabs are configured automatically based on the selected preset.
   Auto max BW enabled: When enabled, allows the appliances to auto-negotiate the maximum tunnel bandwidth. Enabled by default.
3. Click the IKE tab, and then complete the following fields.
   IKE Version: IKEv2. You cannot edit this field.
   Preshared Key: Pre-shared key used for IKE authentication. This key is generated dynamically.
   Authentication algorithm: Authentication algorithm used for the IKE security association (SA). Can be set to SHA1, SHA2-256, SHA2-384, SHA2-512, or NULL.
   Encryption algorithm: Encryption algorithm used for the IKE security association (SA). Can be set to AES-128, AES-256, AES-GCM-128, AES-GCM-256, or NULL.
   Diffie-Hellman group: Diffie-Hellman group used for IKE security association (SA) negotiation.
   If the IPSec Suite B Preset field on the General tab is set to None, you can select the appropriate group. Available groups are 14 through 21, 26, and 31.
   If the IPSec Suite B Preset field is set to any other value, this field is automatically set to the appropriate group.
   Rekey interval/lifetime: Rekey interval/lifetime of the IKE security association (SA) in minutes. The default is 480 minutes.
   Dead peer detection: Delay time is the interval (in seconds) between checks on the lifetime of the IKE peer. Retry count is the number of times to retry the connection before determining that the connection is dead. This field is not editable.
   Phase 1 mode: Exchange mode for the IKE security association (SA) negotiation. This field is automatically set to Aggressive and is not editable.
   IKE identifier: By default, the Service Orchestration feature creates IKE IDs using the following fixed format: hostname_label@endpoint
   You can create custom IKE IDs by specifying one or more of the following macros:
   - %hostname%: Appliance host name
   - %label%: Interface label name
   - %tunnel_source_ip%: Tunnel source IP
   - %tunnel_dst_ip%: Tunnel destination IP/FQDN
   - %appliance_key%: Appliance key
   For example, to create an IKE ID that contains an email domain, enter %hostname%_%label%@customerdomain.com
   IMPORTANT: The custom IKE ID cannot exceed 64 characters.
4. Click the IPSec tab, and then complete the following fields:
   Authentication algorithm: Authentication algorithm used for the IPSec security association (SA). Can be set to SHA1, SHA2-256, SHA2-384, SHA2-512, AES-GCM-128, AES-GCM-256, or NULL.
   Encryption algorithm: Encryption algorithm used for the IPSec security association (SA). Can be set to AES-CBC-128, AES-CBC-256, AES-GCM-128, AES-GCM-256, or NULL.
   IPSec anti-replay window: Select a size from the drop-down list, or select Disable to disable the IPSec anti-replay window. If a size is selected, each encrypted packet is assigned a unique sequence number, which protects against an attacker replaying duplicated encrypted packets.
   Rekey interval/lifetime: Rekey interval/lifetime of the IPSec security association (SA) in minutes. The default is 120 minutes.
   Perfect forward secrecy group: Diffie-Hellman group used for IPSec security association (SA) negotiation. Based on the setting of the IPSec Suite B Preset field on the General tab, this field is set to the following Diffie-Hellman group:
   - None: 14 (by default)
   - GCM-128 or GMAC-128: 19
   - GCM-256 or GMAC-256: 20
5. Click Save.
   TIP: Click Use Default to reset all tunnel settings to the global defaults for Service Orchestration.
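The IKE identifier macros above decide the exact local identifier each appliance presents, and that string is what must later be pasted into the provider's Source Identity field, so it helps to render it ahead of time and to confirm that the remaining tunnel settings are consistent with the chosen Suite B preset. The script below is an added example, not Orchestrator code: it expands a template over a constructed appliance inventory, enforces the 64-character limit, and lints a proposed settings profile (preset to PFS group mapping, selectable DH groups, NULL algorithms, disabled anti-replay window). The macro names, the default format, the limit, the group lists and the preset mapping are taken from the page; the inventory, the settings dictionary layout and the checks are this example's own assumptions.

```python
"""Render Service Orchestration IKE identifiers and lint a tunnel-settings profile.

Added example, not Orchestrator code. The macro names, the default IKE ID
format (hostname_label@endpoint), the 64-character limit, the selectable
Diffie-Hellman groups and the Suite B preset to PFS group mapping come
from the page; the appliance inventory, the settings dictionary layout and
the checks themselves are this script's own assumptions.
"""
import re

MAX_IKE_ID_LEN = 64
DEFAULT_IKE_ID_TEMPLATE = "%hostname%_%label%@%tunnel_dst_ip%"
MACROS = ("hostname", "label", "tunnel_source_ip", "tunnel_dst_ip", "appliance_key")
_MACRO_RE = re.compile(r"%(\w+)%")

# Groups selectable on the IKE tab when the Suite B preset is None.
IKE_DH_GROUPS = set(range(14, 22)) | {26, 31}
# PFS group the IPSec tab is set to for each Suite B preset.
PFS_GROUP_BY_PRESET = {"None": 14, "GCM-128": 19, "GMAC-128": 19,
                       "GCM-256": 20, "GMAC-256": 20}


def expand_ike_id(template, values):
    """Expand %macro% tokens; return (ike_id, problem), problem is None when valid."""
    problem = None

    def substitute(match):
        nonlocal problem
        name = match.group(1)
        if name not in MACROS:
            problem = problem or f"unknown macro %{name}%"
            return match.group(0)
        if not values.get(name):
            problem = problem or f"no value for %{name}%"
            return match.group(0)
        return values[name]

    ike_id = _MACRO_RE.sub(substitute, template)
    if problem is None and len(ike_id) > MAX_IKE_ID_LEN:
        problem = f"IKE ID is {len(ike_id)} characters; the limit is {MAX_IKE_ID_LEN}"
    return ike_id, problem


def render_ike_id(template, values):
    """Like expand_ike_id but raises on any problem."""
    ike_id, problem = expand_ike_id(template, values)
    if problem:
        raise ValueError(problem)
    return ike_id


def ike_ids_for(template, appliances):
    """Map each appliance/label pair to the local identifier the provider must be given."""
    return {f"{a['hostname']}_{a['label']}": render_ike_id(template, a) for a in appliances}


def check_tunnel_settings(s):
    """Return findings for a proposed profile (dict layout is this example's own)."""
    findings = []
    preset = s.get("suite_b_preset", "None")
    if preset not in PFS_GROUP_BY_PRESET:
        findings.append(f"unknown Suite B preset {preset!r}")
    elif preset == "None":
        if s.get("ike_dh_group") not in IKE_DH_GROUPS:
            findings.append(f"IKE Diffie-Hellman group {s.get('ike_dh_group')!r} is not selectable")
    elif s.get("pfs_group") != PFS_GROUP_BY_PRESET[preset]:
        findings.append(f"preset {preset} sets PFS group {PFS_GROUP_BY_PRESET[preset]}, "
                        f"profile has {s.get('pfs_group')!r}")
    for key in ("ike_encryption", "ike_authentication",
                "ipsec_encryption", "ipsec_authentication"):
        if s.get(key) == "NULL":
            findings.append(f"{key} is NULL: that protection is absent on the tunnel")
    if s.get("anti_replay_window") == "Disable":
        findings.append("anti-replay window disabled: duplicated packets are not rejected")
    if s.get("ike_version") != "IKEv2":
        findings.append("Service Orchestration tunnels use IKEv2 only")
    return findings


# Constructed inventory; RFC 5737 documentation addresses, not real endpoints.
APPLIANCES = [
    {"hostname": "EAST3-AWS", "label": "INETA", "tunnel_source_ip": "198.51.100.4",
     "tunnel_dst_ip": "203.0.113.10", "appliance_key": "constructed-key-1"},
    {"hostname": "WEST1-DC", "label": "INETB", "tunnel_source_ip": "198.51.100.9",
     "tunnel_dst_ip": "dfw1.provider.example", "appliance_key": "constructed-key-2"},
]

# Constructed profile that should pass every check (window size 64 is a sample value).
GOOD_PROFILE = {"ike_version": "IKEv2", "suite_b_preset": "GCM-256", "pfs_group": 20,
                "ike_encryption": "AES-GCM-256", "ike_authentication": "SHA2-256",
                "ipsec_encryption": "AES-GCM-256", "ipsec_authentication": "AES-GCM-256",
                "anti_replay_window": 64}

if __name__ == "__main__":
    for key, ike_id in ike_ids_for(DEFAULT_IKE_ID_TEMPLATE, APPLIANCES).items():
        print(f"{key}: {ike_id}")
    print("findings:", check_tunnel_settings(GOOD_PROFILE))
```

Rendering the identifiers from the same template you enter in the IKE identifier field gives you a list to compare against the exported CSV later, and the lint catches the two settings a reviewer most often wants flagged before tunnels are built: a NULL algorithm and a disabled anti-replay window.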
IP SLA Settings
1. Click IP SLA Settings.
   The IP SLA Settings dialog box opens.
2. If all fields are dimmed, click Enable IP SLA rule orchestration.
3. Complete the following fields.
   Monitor: Ping or HTTP/HTTPS.
   Address: The third-party service provider endpoint that the IP SLA subsystem will ping. Orchestrator prefills the Address field with the value from the Remote Endpoint Configuration table. You can configure up to three addresses.
   Source interface: Select an orchestrated loopback label.
4. Accept the default values for the remaining fields, and then click Save.
   Orchestrator builds the tunnels.
Pause Orchestration (Optional)
When troubleshooting, you can click Pause Orchestration and then click Save to pause the service orchestration. To restart the service orchestration, click Resume Orchestration.
BIO Breakout
By default, the tunnels associated with a third-party service provider will be available for BIOs. You can upload an icon to display on the Business Intent Overlays tab.
NOTE: Supported file types include PNG, JPEG, SVG, and WEBP. The recommended dimensions are 60 x 20 pixels.
1. Click BIO Breakout.
   The Configure BIO Breakout dialog box opens.
2. Click Upload Service Icon.
3. Locate and select the file, and then click Open.
4. Click Save.
   This icon is displayed next to the service name on the Business Intent Overlays tab.
If you do not want this third-party provider to be available for BIOs, do the following:
1. Click BIO Breakout.
   The Configure BIO Breakout dialog box opens.
2. Clear the BIO Breakout check box.
3. Click Save.
Remote Endpoint Association
The final step to configure the integration in Orchestrator is to associate EdgeConnect appliances with remote endpoints. Use this page to add or remove endpoints from an appliance. It is recommended that you associate one remote endpoint per EdgeConnect appliance.
1. In the Orchestrator appliance tree, select one or more appliances to associate with the third-party service provider remote endpoints.
2. Click Remote Endpoint Association.
   The Associate an Appliance to Remote Endpoints dialog box opens.
3. Select the Add or Remove check box next to the endpoints you want to associate with the selected appliances. Be sure to add the endpoints that are geographically closest to the appliances.
4. Verify the proposed changes to remote endpoints in the table to the right, and then click Save.
Add Tunnel Local Identifiers to the Third-Party Service Provider
After the Service Orchestration integration is complete in Orchestrator, you must add the local tunnel identifiers (IKE IDs) to the third-party service provider. You can simplify this process by exporting the third-party service provider configuration to a CSV file. The exported file contains all of the configuration details in the table on the third-party service provider page for all selected appliances, including IKE IDs.
NOTE: The default tunnel local identifier value is a fixed format: hostname_labelname@IPaddress. For example, EAST3-AWS_INETA@192.x.x.xxx.
If you created a custom IKE ID, the local tunnel identifier value will follow the format you defined in the IKE identifier field on the Tunnel Settings dialog box.
1. In the Orchestrator appliance tree, select all appliances associated with third-party service provider remote endpoints.
2. On the third-party service provider page on the Service Orchestration tab, click Export to save the contents of the table to a CSV file.
3. Log in to the third-party service provider.
4. In the IPSec/Location configuration panel, replace the Source Identity values with the corresponding Tunnel Local Identifiers (IKE IDs) created by Orchestrator.
Verification
After the third-party service provider is configured and the third-party service provider policy is applied successfully in the BIO, deployment will begin automatically. Go to the third-party service provider tab and view the Connection Status column to verify that the deployment was successful.