2.2.1 Traditional Managed Service Customer Topology
Customer topologies, particularly in managed services bespoke deployments, can take many forms, but most share common traits. They typically have some or all of the following:
External access from untrusted networks such as the internet.
External access from trusted or semi-trusted corporate wide area networks.
Perimeter security on some or all ingress paths.
Separate networks within the solution for administrative separation of solution components.
Internal security for controlled separation of solution components.
Routing/switching to allow the solution components to communicate with each other.
The following figure is an example “three tier” network that illustrates typical elements.
Figure 1. Example Managed Service Customer Topology
 
In the figure, the WAN connection is separated from the core router by a firewall. Depending on the level of trust that the WAN and the workload warrant, as well as the customer’s appetite for risk, this firewall might not be required. When there is no firewall, a single network (usually a VLAN) connects the tenant core router directly to the WAN presentation, typically in the form of a dedicated, physical, per-tenant Customer Edge (CE) router. This simplified model is used as the basis for illustrations throughout this document, although it is far from the only topology that could be deployed.