As organizations look to expand the use of public cloud platforms such as Amazon Web Services (AWS) and Microsoft Azure, they face many obstacles. The biggest obstacle is often the lack of a centralized, secure connectivity architecture that is required to interconnect clouds and data centers. This approach, enables cloud applications to communicate with applications in different cloud deployments as well as with resources on the corporate network.
Islands of inconsistently connected public cloud workloads will constrain an organization’s digital transformation and drive up complexity, risk, and cost
Public Cloud platforms allow the creators of business applications to quickly gain access to compute and storage resources without navigating complicated, and often time-consuming, provisioning processes. Also, native public cloud functionality such as load balancing, auto-scaling, and built-in security controls can be incorporated seamlessly into application deployments. These features allow applications to scale to meet demand safely, and without manual intervention, long provisioning intervals, or costly infrastructure appliances that need to be acquired and maintained by specialized staff.
These benefits have driven many organizations to adopt the cloud to help improve time-to-market for new initiatives while at the same time delaying the need for significant capital expenses. But, as organizations expand their use of AWS and Azure some common challenges begin to emerge:
- Shared resources, such as directory services or systems management platforms, are typically needed to operate applications reliably. This can lead to duplicated services and management overhead if these shared services are not centrally accessible by all cloud workloads.
- Security and performance concerns drive the need to establish dedicated private bandwidth solutions between employees or applications inside enterprise networks and applications running on AWS and Azure. These bandwidth solutions should be shared between multiple cloud deployments to control costs and management complexity.
- Virtual network implementations across multiple cloud deployments do not always have consistent architectures, or security controls applied. It’s critical to understand the security controls and enforcement mechanisms of each cloud deployment before connecting it to shared resources, or providing connectivity to corporate networks.
For organizations to consume public cloud platforms effectively, a secure and reliable connectivity design is required. Such a connectivity design must allow applications to share centralized resources, communicate with each other, and support the flow of data between them over the corporate network.
Organizations can control complexity, risk, and cost by integrating five key secure cloud connectivity architecture principles into their designs
Once there is a recognized need for cloud deployments to connect back to corporate networks to gain access to shared resources, IT infrastructure and security teams are typically called upon to make it happen. In our experience helping customers develop secure cloud connectivity architectures, we have observed five guiding architecture principles that lead to a successful implementation:
- Share infrastructure services and corporate network access between all applications by centralizing cloud connectivity and on-premises integration circuits
- Accelerate the deployment of new applications into the cloud by creating a reference library of connectivity designs
- Enable a controlled transition to cloud-native services by developing connectivity designs that can initially support the use of existing third-party network appliances
- Ensure that connectivity configurations and security controls are implemented consistently by taking advantage of provisioning automation mechanisms available in both AWS and Azure
- Maximize the benefits of fast evolving cloud capabilities by continuously evolving and adapting connectivity designs.
Share infrastructure services and corporate network access between all applications by centralizing cloud connectivity and on-premises integration circuits
For IT infrastructure and security teams that are expected to ensure the availability, performance, and security of connectivity between the corporate network and cloud deployments, it is important to establish a network hub inside the cloud provider. By creating a centrally controlled, Virtual Network (VNET) in Azure or Virtual Private Cloud (VPC) in AWS, organizations can create a virtual network hub in the cloud which can be used to interconnect different cloud deployments and, connect back to the corporate network.
AWS Direct Connect and Azure Express Route are similar services that establish private, dedicated bandwidth connections between a corporate network and the cloud. By creating a network hub in the cloud, enterprise infrastructure teams can centralize Direct Connect or Express Route circuits and then share them on multiple virtual networks dedicated to different applications. Also, organizations can deploy shared resources within the centralized hub for use by applications residing in different virtual networks. Both AWS and Azure support the concept of virtual network peering, which is the mechanism for enabling robust connectivity between application virtual networks and the resources in the cloud hub network.
A centralized network hub design in the cloud allows DevOps and SysOps Administrators to maintain administrative control of cloud resources that they need to support, while at the same time ensuring that network infrastructure administrators maintain oversight and control of the connectivity, performance, and security of the centralized network hub implementation.
Accelerate the deployment of new applications into the cloud by creating a reference library of connectivity designs
As applications are deployed, and new VNETs or VPCs are created, the library of design reference models specifies how all network resources and services should be configured.
Although there may be different teams with administrative control for their virtual network environments connected to a common network hub, there is still a need for consistency in how virtual network services are configured and deployed within each environment. Organizations should establish a finite set of design reference models that can be used to build out the virtual network deployments for each separate VNET or VPC. These designs should address the different connectivity scenarios that are needed to support all network services, such as firewall and load-balancing capabilities.
Enable a controlled transition to cloud-native services by developing connectivity designs that can initially support the use of existing third-party network appliances
In traditional data center environments, organizations typically rely on appliance-based solutions to provide firewall and load-balancing services. As these organizations adopt Azure or AWS, they are then faced with the choice to either deploy third-party cloud-appliance versions of existing solutions or convert to cloud-native services built into provider’s platforms. It’s common for organizations to stick with the third-party cloud-appliance versions of existing solutions since these remain compatible with existing configuration management and monitoring platforms and processes. The network connectivity architecture should accommodate either approach and be able to support a gradual transition from third-party to cloud-native services when required.
Ensure that connectivity configurations and security controls are implemented consistently by taking advantage of provisioning automation mechanisms available in both AWS and Azure
Once an approved set of connectivity reference models is established, organizations should leverage the provisioning and configuration management capabilities of the cloud to ensure that these designs are deployed correctly and remain unaltered after deployment.
Standard AWS network designs can be deployed consistently by using Cloud Formation or AWS CLI scripts. Similarly, standard Azure network design patterns can be deployed consistently with PowerShell scripts. This is a critical aspect of governing cloud implementations which ensures that all virtual network deployments are operating according to the intended design and are protected by the appropriate security controls.
Maximize the benefits of fast evolving cloud capabilities by continuously reviewing and adapting connectivity designs
Historically, the lifespan of data center and network infrastructure designs is seven to ten years. Today, however, with the rate of service innovation in the cloud, designs implemented today will become costlier and less effective than the solutions available soon. Organizations should perform annual reviews of their network design reference models to ensure they’re using the most efficient and cost-effective cloud-native network services to support their applications.
The need to adopt public cloud platforms like AWS and Azure to help accelerate the digital transformation of businesses is no longer up for debate. Organizations that invest the time to develop scalable and secure connectivity architectures for the cloud will position themselves for a successful digital transformation.