The adoption of cloud is accelerating, and focus is moving to hybrid and multi-cloud migration strategies. This approach allows organisations to choose, on an application-by-application basis, which environment fits their needs best: private cloud IaaS, public cloud IaaS, SaaS or PaaS.
However, many enterprises do not consider the internal estate and how the on-premise architecture also needs to adapt to the cloud. There are three areas that Hutchinson Networks recommends organisations consider when optimising internal environments for public cloud.
- Cloud connectivity requirements over the Enterprise WAN.
- Infrastructure security beyond the perimeter firewall.
- The key ingredients in building a true private cloud.
Cloud Optimised WAN
The enterprise WAN has, until recently, been a mixing pot of transport technologies – Dark Fibre, L2 and L3 Ethernet, Frame Relay, MPLS and Internet VPN. This gave System Administrators the flexibility to engineer complex bespoke solutions to meet the specific needs of their business (or not, depending on the quality). These solutions are often expensive, demanding considerable bespoke engineering (QoS, redundancy, WAN acceleration and encryption), and offer poor service, with little or no optimisation for cloud.
Another key consideration in Enterprise WAN is Internet breakout. For many organisations, Internet breakout has been centralised, typically through a head office or data centre, allowing for centralised security policy and cost savings on local circuits. As cloud applications are accessed over the Internet, consumers at branch offices are increasingly subjected to additional latency and low-bandwidth links.
As such, the following guidelines should be considered when architecting a modern enterprise WAN:
- Local Internet Breakout: This provides a shorter route to SaaS, IaaS and PaaS services based in the cloud.
- SD-WAN: SD-WAN provides organisations with otherwise inaccessible functionality such as transport independence and ZTD (Zero Touch Deployment). Additionally, many SD-WAN vendors have optimised connectivity to cloud services as well as optimal routing for IPsec VPNs.
- Cloud Transit: To secure high bandwidth in cloud environments, companies should select a service such as AWS Direct Connect, Azure ExpressRoute or FabrixOn-Net, enabling them to connect directly to a port on their network fabric.
- High-Speed Internet Pipes versus Thin Private Circuits: Combining local internet breakout with SD-WAN means that Internet-based IPsec VPNs are now a viable alternative to private circuits for critical traffic like voice. Enterprises should weigh the high costs of private circuits against the relatively low cost of high-speed internet pipes.
When defining security architecture for hybrid and multi-cloud, enterprises should consider the following.
- Federated Single Sign-On: Using solutions such as F5 APM (Access Policy Manager), organisations can federate user authentication across the internal estate, as well as a range of SaaS, IaaS and PaaS solutions.
- Endpoint Security: As the endpoint moves with the user, host security becomes vital. New solutions such as Cylance go beyond traditional anti-virus and anti-malware to provide protection at the host level.
- Cloud Security: While local internet breakout can provide performance benefits, it also presents a challenge, as security policy can no longer be centralised in a data centre. Solutions like Cisco Umbrella can tackle this problem by applying URL filtering and providing anti-malware at the point of DNS resolution.
- Anti-DDoS: With ever-larger botnets, the frequency and scale of DDoS attacks are steadily on the rise. When these attacks target Internet circuits, they can impact users’ access to cloud services. The most effective way to protect against DDoS attacks is from within the Internet core, using cloud security services such as F5 Silverline.
True Private Cloud
Private cloud is a key component of hybrid and multi-cloud. I have previously written about how only 10% of internal IT workloads represent true private cloud and, in fact, most simply provide virtualisation. A true private cloud will also involve infrastructure automation, a user self-service portal and utilisation-based billing.
Below are some technologies that organisations should consider when designing private cloud platforms.
- Infrastructure APIs (Application Programming Interfaces): APIs enable administrators to programmatically configure infrastructure using orchestration tools, languages or interfaces such as Python, REST and Ansible.
- Software Defined Infrastructure (Network, Security, Storage): Software-defined or centralised, controller-based infrastructures provide a single point of configuration for each component. When combined with northbound APIs, they radically simplify automation within private cloud environments.
- Orchestration Engines: To fully realise the benefits cloud computing can offer, enterprises need to consider orchestration engines. These products will automate the individual elements of the infrastructure (network, storage and compute), collect infrastructure inventory, provide billing information and in some cases also provide a user self-service portal.
- DevOps: Enterprises can close the digital skills gap in their organisation through nurturing in-house DevOps skills, giving them the flexibility to customise or even develop custom automation, billing, and frontend self-service tools.
Hybrid and Multi-Cloud strategies are not just about public infrastructure. Enterprises must consider the implications for their private environments too. Organisations have to think through their cloud-optimised WAN, security beyond the perimeter and private cloud automation/orchestration as part of their Hybrid and Multi-Cloud strategies.