
Hybrid cloud challenges abound for AWS, VMware shops

The first hurdle of hybrid cloud migration is tricky enough -- then the rest of the hybrid cloud picture comes into focus.

Hybrid cloud challenges don't end with cloud migration -- in fact, they only increase as IT pros delve deeper into the intricacies of linking on-premises VMware environments with the AWS cloud.

From networking challenges to managing security across two environments to the way cloud computing itself disrupts corporate culture, hybrid cloud challenges are far-reaching when users look to integrate VMware and Amazon Web Services (AWS) environments.

Networking and data gravity

It's difficult for networks to see eye-to-eye between VMware and AWS environments, though that may soon change.

One of the major issues connecting an on-premises VMware environment to AWS is the mismatch between VMware's layer 2 network access and AWS' focus on layer 3. Because AWS doesn't provide layer 2 broadcast domains between instances, the application developer or infrastructure team might end up modifying and managing IP tables to allow instances to communicate when they are moved from a VMware environment into AWS, industry watchers say.

This will remain a fundamental problem between VMware and AWS environments until integration between VMware's NSX software-defined networking and AWS sees the light of day; VMware previewed integration at VMworld 2015 but did not disclose a release date.

Maintaining a consistent IP space on both sides is also a hybrid cloud challenge.
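The overlap problem described above is easy to check for before a workload is moved. The following Python is an added illustration, not code from the article or from either vendor; the segment names and address ranges are constructed sample values, and the check assumes an address plan that can be expressed as a list of named CIDR blocks.

```python
"""Check an address plan spanning on-premises VMware segments and VPC CIDRs.

Added illustration, not code from the article or from any vendor. The
plan below is a constructed sample; the only facts relied on are that
overlapping ranges make a host address ambiguous once a workload moves.
"""
from ipaddress import ip_address, ip_network
from itertools import combinations

# Constructed sample address plan: two on-prem segments and two VPCs.
# "aws-vpc-dev" was carved out of space already used on-premises.
SAMPLE_PLAN = {
    "onprem-dc1-app": "10.10.0.0/16",
    "onprem-dc1-db": "10.20.0.0/16",
    "aws-vpc-prod": "10.30.0.0/16",
    "aws-vpc-dev": "10.10.128.0/20",
}


def find_overlaps(plan):
    """Return sorted (name_a, name_b) pairs whose ranges overlap.

    strict=True rejects CIDRs with host bits set, which is the usual
    sign of a typo in an address plan.
    """
    nets = {name: ip_network(cidr, strict=True) for name, cidr in plan.items()}
    clashes = []
    for (a, net_a), (b, net_b) in combinations(sorted(nets.items()), 2):
        if net_a.overlaps(net_b):
            clashes.append((a, b))
    return clashes


def route_for(plan, address):
    """Longest-prefix match: which named range a host address falls in.

    With an overlapping plan the same address resolves to different
    sides depending on prefix length, which is why moves 'always need
    something to change' in an inconsistent IP space.
    """
    addr = ip_address(address)
    best = None
    for name, cidr in plan.items():
        net = ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best[0] if best else None


if __name__ == "__main__":
    for a, b in find_overlaps(SAMPLE_PLAN):
        print(f"overlap: {a} ({SAMPLE_PLAN[a]}) and {b} ({SAMPLE_PLAN[b]})")
    for host in ("10.10.5.5", "10.10.130.5", "192.168.1.1"):
        print(host, "->", route_for(SAMPLE_PLAN, host))
```

Run it and the dev VPC is flagged against the on-premises application segment; a host in that shared slice (10.10.130.5 in the sample) lands on the AWS side by longest prefix while its neighbour 10.10.5.5 stays on-premises, which is the kind of inconsistency the article's sources describe.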

Rent-a-Center, a rent-to-own retailer headquartered in Plano, Texas, has seen this firsthand. It now has a secure cloud interconnect product attached to its MPLS network that goes to Amazon, and a private connection that goes to vCloud Air, making both clouds extensions of the internal network.


"That works fairly well," said Michael Conroy, director of TechOps for the company. "When we started doing it we were using VPN tunnels across the Internet, and that did not work well -- it was ugly."

Performance was a concern with VPN connections, as well as maintaining the IP space across that connection.

"VPN connections are just not suitable for that, and … every time we did it and tried to move a workload in or out, something had to change and it wasn't always the same thing," Conroy said. "It just wasn't a consistent experience."

Network bandwidth between an on-premises data center and a public cloud, such as AWS, is also problematic.

"Oftentimes we've gone into organizations where the clients want to be able to do push button migrations from one data center to another… and then they don't have any real network bandwidth or network agreements, or even a stable Internet connection," said Nirmal Mehta, senior lead technologist for the strategic innovation group at Booz Allen Hamilton Inc., an Amazon Premier Consulting Partner based in McLean, Va.

And finally, there's the matter of data gravity -- the speed of light and physics have not changed to allow data to move any faster between an on-premises data center and AWS, and sometimes it's impractical to move huge amounts of data.

"We have a large number of legacy systems, HPUX, AS400, some Oracle systems that are just not suitable for pushing out in their current form," Conroy said. "The integration points with those by definition then have to be on-premises; it makes it difficult, then, to pick up large portions of the infrastructure and move it."

Hybrid cloud security

VMware environments by definition allow IT administrators more control over the security of the entire infrastructure, while AWS operates under a shared responsibility model in which the customer only secures things from the operating system up. There are also different methods that each vendor uses to secure workloads, and it's often tricky to ensure the two sides offer equivalent security controls.

"We can guarantee more security in our own data center," said Alex Witherspoon, vice president of platform engineering for FlightStats Inc., a global data service company in the aviation space, located in Portland, Ore.

But in AWS, he has to get more creative because FlightStats doesn't run the infrastructure, Witherspoon said.

"We have to put security into the environment on top of that infrastructure and make it work," he said.

One example of the fundamental differences between AWS and VMware is the role of firewalls in the infrastructure. On-premises firewalls can have complex rule sets in which certain entities are either whitelisted or blacklisted. AWS Security Groups, meanwhile, use only allow rules; anything not explicitly allowed is denied. Administrators can also set up Network Access Control Lists (NACLs) with both allow and deny rules.

While it's still possible to secure workloads on AWS using VPCs, Security Groups, NACLs and, as of this month, the Web Application Firewall, understanding and reconciling the differences between how AWS security infrastructure works and how on-premises security works creates management overhead.
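The allow-only versus allow-and-deny distinction above is the kind of thing that trips up a rule set ported from an on-premises firewall. The following Python is an added illustration, not code from the article or from AWS: it models the two evaluation semantics (a Security Group permits on any matching allow rule and denies everything else; a NACL evaluates numbered allow and deny rules in ascending order, first match wins, implicit deny at the end) so the difference can be seen on sample traffic. The rules, addresses and packets are constructed sample values, and the model deliberately leaves out the stateful/stateless difference between the two mechanisms.

```python
"""Model Security Group versus NACL rule evaluation on sample packets.

Added illustration, not AWS code. Rules and packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    proto: str    # "tcp" or "udp"
    port: int     # destination port


@dataclass(frozen=True)
class Rule:
    proto: str
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"   # NACL rules may also be "deny"
    number: int = 0         # NACL evaluation order; unused for SGs

    def matches(self, pkt):
        return (self.proto == pkt.proto
                and self.port_from <= pkt.port <= self.port_to
                and ip_address(pkt.src) in ip_network(self.cidr))


def security_group_allows(rules, pkt):
    """SG semantics: any matching allow rule permits; unmatched traffic is denied."""
    if any(r.action != "allow" for r in rules):
        raise ValueError("Security Groups hold allow rules only")
    return any(r.matches(pkt) for r in rules)


def nacl_allows(rules, pkt):
    """NACL semantics: lowest-numbered matching rule decides; implicit deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(pkt):
            return r.action == "allow"
    return False


# Constructed sample intent: allow HTTPS from the corporate range,
# except from one quarantined host.
SG_RULES = [Rule("tcp", 443, 443, "10.0.0.0/8")]
NACL_RULES = [
    Rule("tcp", 443, 443, "10.0.5.7/32", action="deny", number=90),
    Rule("tcp", 443, 443, "10.0.0.0/8", action="allow", number=100),
]
# Same two rules with the deny numbered after the allow: the broad allow
# now matches first and the exception never fires.
NACL_RULES_MISORDERED = [
    Rule("tcp", 443, 443, "10.0.0.0/8", action="allow", number=100),
    Rule("tcp", 443, 443, "10.0.5.7/32", action="deny", number=110),
]

QUARANTINED = Packet("10.0.5.7", "tcp", 443)
NORMAL = Packet("10.0.9.9", "tcp", 443)
OUTSIDER = Packet("192.168.1.1", "tcp", 443)


if __name__ == "__main__":
    for name, pkt in (("quarantined", QUARANTINED), ("normal", NORMAL), ("outsider", OUTSIDER)):
        print(f"{name:11} SG={security_group_allows(SG_RULES, pkt)!s:5} "
              f"NACL={nacl_allows(NACL_RULES, pkt)!s:5} "
              f"NACL(misordered)={nacl_allows(NACL_RULES_MISORDERED, pkt)}")
```

The Security Group alone cannot express the exception: the quarantined host is still allowed, because the only tool it offers is a broader or narrower allow. The NACL expresses it, but only if the deny is numbered below the allow; the misordered variant silently loses the exception, which is a review item when on-premises rule sets are translated.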

The question becomes how to manage both environments from an IT operations standpoint, without ending up in a scenario where there are two completely separate teams and sets of tools used, according to Ian Perez Ponce, an independent consultant who has worked for VMware as well as Zerto, a virtual data replication software maker.

Otherwise, the hybrid cloud environment creates double the work for IT staff, Ponce said.

Challenging corporate culture

Technical limitations can be overcome with time. But one hybrid cloud challenge that has remained stubbornly in place is the way cloud infrastructures fundamentally disrupt corporate culture and the way IT teams are set up today.

For example, at Ditech Financial LLC, based in Fort Washington, Pa., different teams manage resources in the AWS public cloud and a VMware-based private cloud. While the company could still be said to have a hybrid cloud overall, there are few tools in common use between the two sides.

"The biggest part of using any type of cloud provider is thinking like a cloud, [and] that's the most difficult thing for people to come to terms with," said Jason McMunn, chief cloud architect at Ditech. "The process we're using now is we're trying to get people cloud-friendly with a combination of internal and external [infrastructure], but we're really focused on mindset."

In the end, the biggest challenge is not really what type of cloud infrastructure gets set up, according to Booz Allen's Mehta.

"It's more the cultural changes that have to happen within an organization to adopt the real benefits of cloud computing," he said.

Beth Pariseau is senior news writer for SearchAWS. Write to her at [email protected] or follow @PariseauTT on Twitter.
