Cloud & Multi-Cloud Networks and Security

Networking is one of the key (if not the most important) foundations and enablers for hybrid and multi-cloud architectures. If the network layer and all its associated components are not designed and implemented correctly, you can end up with an insecure, latency-ridden, expensive, siloed and complex environment. Simply doing what you have always done on-premises for networking and security does not work in a hybrid and multi-cloud context. There are a myriad of design decisions, layers and options for clients to choose from. Cloud Solutions Group delivers best-of-breed solutions to help our clients solve these problems:

Identity and Access Management

Identity and Access Management is another challenge, as each cloud provider (IaaS, PaaS and SaaS) has its own authentication platform, and you don’t want to end up in a scenario where you have to authenticate with different credentials to each cloud.

This makes Single Sign-On mandatory, but also a risk: if your identity is compromised, the attacker can access all of your environments.

Therefore, Cloud Solutions Group offers solutions such as Multi-Factor Authentication, Role-Based Access Control and Conditional Access, which are critical to protecting your identity. There are several excellent third-party solutions that we partner with that solve this problem.

DNS

DNS is another challenge. Each public cloud has its own DNS solution, which can lack features compared to on-premises Active Directory and other third-party solutions.

The challenge is how to integrate the public cloud DNS services seamlessly with your private DNS, so that you are not doing a lot of DNS forwarding and DNS name resolution works seamlessly across the cloud and your data centres.

There are several third-party solutions that Cloud Solutions Group partners with that solve this problem, and most of them bundle DNS with DHCP and IPAM (DDI). If you are moving to a hybrid or multi-cloud architecture, we recommend implementing a centralised DDI solution together with the cloud-native ones. In some cases, it can be best to just use a central solution. It is different for each client.

Business Continuity and Disaster Recovery

Resilience and Disaster Recovery are done differently in the public cloud.

Things we take for granted on-premises, like Virtual Machines accessing shared storage (which enables features like HA, vMotion and Fault Tolerance), do not exist in the public cloud. This makes resilience within the network architecture even more important.

Depending on the business needs of each application, we need to architect layers of availability and resiliency across all your environments and clouds. This includes architecting for:

· Multi Availability Zone resilience,
· Having subnets that can span across Availability Zones,
· Ensuring that your Load Balancers are Availability Zone resilient,
· Deploying Virtual Machines across Availability Zones so you can easily fail over.

Cloud Solutions Group implements cloud architectures with each of these layers in mind.

Automation

Automation is really important, and you should be provisioning using Infrastructure as Code tools and automating as much as possible.

Automation also makes cloud governance easier, because you can track and allocate spend to the right cost centres in your organisation.

If you are using only one public cloud, we would implement cloud-native tools, as they will be easier to automate than third-party tools because the tooling and APIs are more seamless and integrated. For multi-cloud designs we use tools like Azure ARM templates, as they work across different clouds and on-premises platforms.

Contact us when you are assessing your options and need assistance designing the most optimal networking and security architecture for your hybrid or multi-cloud environment.

SD-WAN

SD-WAN also has a place in a multi-cloud architecture.

It is easier to deploy SD-WAN if you are only connecting a few sites, but once you reach a certain threshold, the number of subscriptions you need to purchase, and the costs, will increase.

However, SD-WAN is fantastic for bonding cheap links together and providing QoS and failover across lower-cost links. Cloud Solutions Group works with the best-of-breed SD-WAN vendors whose solutions integrate with the public clouds for both SaaS and IaaS, as well as with vendors from which you can consume SD-WAN as a Service.

Connectivity to the Public Cloud

There are 3 main options for secure connectivity to the public cloud that we offer our clients, depending on their requirements:

1. VPN connections
Using IPsec tunnels over the internet is the most cost-effective and simple option, and can be a good solution in use cases where you have an application that is not latency sensitive, you are not transferring large amounts of data over the VPN tunnel, and you are only connecting 1 Data Centre to 1 or 2 public cloud data centres.

2. Direct connections
Solutions like Azure ExpressRoute and AWS Direct Connect are great, as they give you a dedicated network connection from your on-premises data centre or co-lo directly into the public cloud. These can scale up to 100Gbps of performance! This suits use cases where your applications are latency sensitive and you need to transfer a lot of data over the network, for things like backup and disaster recovery replication, for communication between applications that span on-premises and the cloud, or for applications that need to talk to others in different locations. These connections make the cloud appear like an extension of your on-premises data centre.

3. MPLS WAN
While MPLS is costly, it is better than a VPN from a performance perspective, as it is private. It can also be used in conjunction with a direct connection, which can give you the best of both worlds.

Security

For security in a hybrid/multi-cloud environment we suggest using a combination of native and third-party solutions; for firewalling, IDS and IPS we use native tools as much as possible.

You can deploy virtual copies of your on-premises firewall in the cloud, but be careful not to create a chokepoint for your traffic by forcing all of it through the firewall.

You still need some third-party tools, as things like Layer-7 security are tough to get in the public cloud, and security teams are used to using their on-premises firewalls to solve this problem. Doing SSL termination for Deep Packet Inspection (DPI) can create performance issues, and is often not practical.

Some DPI is needed for traffic going to the internet. You don’t want to do it for all traffic, as it can create performance issues, so we work with our clients to overlay granular policies when we implement this.