A Practical Strategy to Hybrid Clouds for SMB and Large Enterprises: The case to replace your VPN's with Cloud Access Networks


Dhananjay Nair, Director, Product Management & Marketing, Zentera Systems Inc.

Gartner predicts nearly half of large enterprises will have hybrid cloud deployments by the end of 2017. And, according to the IBM Center for Applied Insights, 61% of enterprises will be using hybrid cloud by the end of 2014. We are already in 2015. Irrespective of whom you prefer to believe, hybrid cloud is fast becoming a common reality.

So, what is a simple and practical strategy for networking and security in the corporate hybrid cloud?

Here are some factors to take into consideration.

On-premises infrastructure is not going away tomorrow

Despite the benefits of the public cloud, there are many very good reasons why existing on-premises IT infrastructure will stay in place for a while. Whether that infrastructure grows or shrinks depends, amongst many factors, on the size, economics and security concerns of the organization. For most organizations the on-premises infrastructure will be the hub of the hybrid cloud, unless they are starting fresh and are “all in” on the cloud.

Expect to be in multiple clouds

In the future, expect to deal with multiple clouds. As mentioned earlier, if you already have on-premises data centers they are going to be treated as nodes of your hybrid cloud. A lot of the innovation in software applications is now being delivered through the public cloud as SaaS / ISV applications, so SaaS installations will probably be one or more further nodes in your hybrid cloud. You might also decide to use IaaS from one or multiple Cloud Service Providers, across one or multiple data centers owned by the provider(s). Each one of these will be a node in your hybrid cloud. The same applies to any PaaS infrastructure you might use in the cloud.

Deeper B2B networking should be part of your hybrid cloud strategy

Hybrid clouds will not necessarily be limited to infrastructure owned by you or, in the case of the public cloud, rented by you. Business reasons will compel deeper connectivity between you and your B2B partners’ infrastructures. How easily, quickly and securely you can enable such connectivity should be an important part of your hybrid cloud strategy consideration.

Your hybrid cloud roll-out strategy will be optimized if you can deploy ‘one project at a time’

Most organizations would like to stage their move to the cloud given their existing infrastructure. It is also a prudent strategy to test out the cloud with less significant applications and limited upfront investment/commitment before moving to more critical enterprise applications.

So, what are your options for networking and security?

Understand that networking and security are inter-related. You cannot change one without impacting the other. For example, if you set up a hybrid network between two clouds, the servers in one cloud are exposed to the servers in the other, thereby impacting the security of the servers in each cloud. You can then beef up the security in your hybrid cloud by setting up subnets (networks) inside each cloud, restricting which server(s) in Cloud 1 can see which server(s) in Cloud 2.

Option: Traditional Networking & Security: VPNs, Subnets etc.

This involves setting up a VPN between two clouds (cloud to cloud, or on-premises to cloud). Setting up a VPN requires:

- Compatible hardware at both ends

- Opening up the corporate firewall to allow VPN traffic

- And, since the VPN is a hole in the corporate firewall, redesigning the corporate subnets

Effectively, traditional networking requires you to alter your existing corporate infrastructure (firewall etc.) and security policies (subnets etc.) and replace them with new network topologies and security policies. Additionally, there is also work to be done on the cloud side to configure VPNs and program VPCs or subnet-like equivalents.

Also, for each new hybrid cloud project in the enterprise, and for every new cloud service provider added to the network, some or all of these steps need to be repeated until the enterprise has completely bought into the hybrid cloud model and has fully built into one or more clouds of its choice. At this point the enterprise is also locked into a single provider (or a fixed set of providers), which may not be in its best interests.

Option: Overlay Networks

This is a relatively new approach which has, as the name suggests, an ‘overlay’ control plane or fabric. However, it uses the existing physical networks as the data plane (the network through which data packets actually flow). So, if you have a high-speed physical pipe from your corporate network to AWS, or an ExpressRoute to Azure, your packets will flow through these pipes. And, just like VPNs, overlay networks also encrypt data packets.

Overlay networks should not be confused with SDN. SDNs are very different and, additionally, are confined to a single data center/cloud installation. Overlay networks can be a single fabric that can span multiple clouds/data centers.

Overlay networks are considerably more versatile and secure: they are completely software based, offer granular server-to-server, server-to-subnet and subnet-to-subnet connections with a few clicks of a mouse, and require no changes to the underlying infrastructure. You do not need to open firewalls, change subnets etc. You can simply designate which server(s) in the enterprise need to connect to which server(s) in the cloud. You can do the same with subnets on the various nodes of your hybrid cloud.

The security accomplished by subnets in traditional networking is achieved by the granular connectivity and whitelisting principles of overlay networks. Once a set of servers/subnets is brought into the overlay network fabric (and these servers could be in any public/private cloud, corporate data center or OpenStack installation; even Docker containers are supported), only whitelisted connections and servers are allowed. All other connections/servers are blocked. The overlay network sets up its own private IP addresses, and for most practical purposes the servers in the fabric vanish from the public IP address space unless explicitly required by the user. This makes the technology one of the most secure in the industry today. Also, any server that is compromised is automatically removed from the underlying fabric.
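To make the whitelisting principle concrete, here is an added example (not code from the original article, and not Zentera's or any vendor's implementation) of a default-deny connectivity policy of the kind an overlay fabric enforces. It models the two points made above: servers that are enrolled in the fabric can only talk over explicitly allowed server-to-server, server-to-subnet or subnet-to-subnet rules (contrast the VPN case, where the whole subnet on each side becomes reachable), and a server flagged as compromised is quarantined, so every flow involving it is dropped. All hostnames, node labels, overlay addresses and ports are constructed for the example.

```python
"""Default-deny, whitelist-driven connectivity policy (hypothetical model).

Not any vendor's product: a small evaluator showing how an overlay fabric can
replace subnet-based segmentation with explicit per-connection rules.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set


@dataclass(frozen=True)
class Endpoint:
    name: str   # constructed hostname
    ip: str     # private overlay address assigned inside the fabric (constructed)
    node: str   # which hybrid-cloud node hosts it (constructed label)


@dataclass(frozen=True)
class Rule:
    src: str    # endpoint name, or a CIDR to select a whole subnet
    dst: str    # endpoint name, or a CIDR to select a whole subnet
    port: int   # destination TCP port the rule permits


class Fabric:
    """Enrolled endpoints plus an allow-list; anything unmatched is denied."""

    def __init__(self) -> None:
        self.members: Dict[str, Endpoint] = {}
        self.rules: List[Rule] = []
        self.quarantined: Set[str] = set()

    def enroll(self, ep: Endpoint) -> None:
        self.members[ep.name] = ep

    def allow(self, src: str, dst: str, port: int) -> None:
        self.rules.append(Rule(src, dst, port))

    def quarantine(self, name: str) -> None:
        # A compromised server is pulled out of the fabric: no flows in or out.
        self.quarantined.add(name)

    @staticmethod
    def _matches(selector: str, ep: Endpoint) -> bool:
        if "/" in selector:  # subnet selector
            return ip_address(ep.ip) in ip_network(selector, strict=False)
        return selector == ep.name  # single-server selector

    def is_allowed(self, src_name: str, dst_name: str, port: int) -> bool:
        src = self.members.get(src_name)
        dst = self.members.get(dst_name)
        if src is None or dst is None:
            return False  # not enrolled: invisible to the fabric
        if src_name in self.quarantined or dst_name in self.quarantined:
            return False
        # Default deny: only an explicit rule can permit the flow.
        return any(
            self._matches(r.src, src) and self._matches(r.dst, dst) and r.port == port
            for r in self.rules
        )


def build_sample_fabric() -> Fabric:
    """Constructed three-node hybrid cloud: corporate DC, AWS, and a B2B partner."""
    f = Fabric()
    f.enroll(Endpoint("corp-app", "10.200.0.10", "corp-dc"))
    f.enroll(Endpoint("corp-db", "10.200.0.20", "corp-dc"))
    f.enroll(Endpoint("aws-web-1", "10.200.1.10", "aws-us-east"))
    f.enroll(Endpoint("aws-web-2", "10.200.1.11", "aws-us-east"))
    f.enroll(Endpoint("partner-analytics", "10.200.2.5", "partner-b2b"))
    # subnet -> server: every AWS web tier host may reach the app API
    f.allow("10.200.1.0/24", "corp-app", 8443)
    # server -> server: only the app server may reach the database
    f.allow("corp-app", "corp-db", 5432)
    # server -> server: the partner gets one narrowly scoped export endpoint
    f.allow("partner-analytics", "corp-app", 9443)
    return f


def evaluate_flows(f: Fabric, flows: List[tuple]) -> Dict[tuple, str]:
    """Return an ALLOW/DENY verdict per (src, dst, port) flow, for review."""
    return {flow: ("ALLOW" if f.is_allowed(*flow) else "DENY") for flow in flows}


if __name__ == "__main__":
    fabric = build_sample_fabric()
    sample = [
        ("aws-web-1", "corp-app", 8443),   # allowed by the subnet rule
        ("aws-web-1", "corp-db", 5432),    # denied: web tier never sees the DB
        ("corp-app", "corp-db", 5432),     # allowed: explicit server rule
        ("partner-analytics", "corp-db", 5432),  # denied: no partner->DB rule
    ]
    for flow, verdict in evaluate_flows(fabric, sample).items():
        print(verdict, flow)
    fabric.quarantine("aws-web-1")
    print("after quarantine:", fabric.is_allowed("aws-web-1", "corp-app", 8443))
```

The point to notice is what a VPN alone would have done with the same topology: bridging the corporate subnet to the AWS VPC makes corp-db reachable from the web tier unless someone redesigns the subnets and firewall rules on both sides. Here that exposure never exists, because reachability is the allow-list and nothing else; a compromised host is removed from the fabric rather than left on a routable segment.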

To gain a deeper appreciation of the differences between the two approaches, one should compare the security changes required by traditional networking with those required by overlay networks for hybrid cloud deployments. Using traditional networks requires changes to existing corporate infrastructure and security policies. Overlay networks do not require changes to existing infrastructure or security policies – they become simplified additions to, or complements of, existing policies, making them even more secure.

The limited upfront investment (no hardware, no changes to underlying infrastructure) makes overlay networks very attractive for quick trials and phased roll-outs to the cloud. They can be set up in a matter of days. Two other points to note: overlay networks prevent cloud provider lock-in, and the same technology can also be used for B2B connectivity.
