Enterprise cloud usage has evolved at a stunning rate, and now, the proliferation of workloads across multiple...
cloud platforms has created new networking challenges.
A multi-cloud network poses a multidimensional problem. There's physical connectivity, whether it's public internet links with a virtual private network (VPN) overlay or private circuits to each provider. There's also logical connectivity that links private, on-premises network address schemes, configurations and L7 services to a cloud service. And finally, there are security policies, which extend data center network access control lists, user/group identities, content filtering and data loss prevention controls to multiple remote networks.
It's a daunting list that's not easy to implement, even with cloud network services, such as AWS Direct Connect, PrivateLink connections, virtual private clouds (VPCs) and virtual network services. Amazon VPCs are necessary for complete control over an AWS environment's network configuration and security, but they only work with AWS.
The other cloud providers offer similar services -- such as Microsoft Azure Virtual Network and Google Cloud VPC -- but it isn't easy to stitch them together to form a single, virtual, multi-cloud network. Third-party virtual network overlays, such as Aviatrix, Cisco ACI Anywhere and VMware NSX Data Center, fill this void via software-defined networking (SDN) and an external controller that can manage traffic and policies across multiple private networks and VPCs.
Multi-cloud SDN features
Aviatrix, like other SDN providers, uses an overlay network to create a logical virtual layer atop other physical or virtual networks. The additional abstraction layer supports logical networks, which facilitates the design of complex, multiregion, multi-cloud topologies, along with programmable management automation.
The service uses a familiar design to separate network control from data. A central controller -- which can be redundant for high availability -- with gateways connects to existing networks, including individual Amazon VPCs, internal private data center LANs or external private networks. The controller handles network provisioning, configuration, logging, monitoring, traffic routing and overall management. It can run on private systems within an organization's data center or as an Aviatrix managed service.
Aviatrix Gateways supply the control plane hooks to access the underlying networks and provide endpoints for the encrypted VPNs that the controller establishes. Each connected network can have multiple load-balanced gateways for redundancy and scalability, and Gateways have user-based access controls and multifactor authentication via Active Directory, other Lightweight Directory Access Protocol providers and third-party identity services, such as Google's OpenID, Duo and Okta.
In addition to physical data center LAN connections, Aviatrix supports AWS, Azure and Google Cloud, as well as VMware -- including NSX Edge Gateways -- and Nutanix, including its Calm management interface. It supports client access from a PC with its CloudN application, which also works on virtual desktops, such as VMware Workstation and Oracle VM VirtualBox.
Aviatrix can insert virtual network services into various points of a multi-cloud network, too. These include an L4 stateful packet inspection (SPI) firewall and egress traffic filter that can whitelist and blacklist various ports to particular sites or wildcard domains.
Enterprises can deploy this virtual network overlay in a variety of scenarios, notably:
- Data center-to-cloud for a global transit network that stitches VPCs from multiple regions and different cloud providers into a unified fabric;
- Cloud-to-cloud for direct, encrypted connections between VPCs from different regions on the same cloud or on different cloud platforms;
- Multi-cloud peering that stitches network layers across AWS, Azure and Google Cloud into a single logical network that admins can manage from a central console;
- Site-to-cloud VPN, which is similar to the data center scenario, but connects remote sites to a cloud VPC or SaaS provider. This emulates the functionality of a software-defined WAN or edge VPN service and provides added access control and network security for SaaS or other hosted applications;
- User-to-cloud VPN as a VPN gateway for client connections to various cloud VPCs; and
- Enhanced cloud network security with the SPI firewall and fully qualified domain name traffic filter to control access and traffic on particular VPC network segments.
There are other third-party tools to build and manage a multi-cloud network, including VMware NSX Data Center and NSX Cloud, which can extend on-premises VMware virtual networks to internal non-VMware bare-metal systems, along with AWS and Azure. Enterprises can deploy NSX on internal systems or via VMware's Cloud service.
Cisco ACI Anywhere also connects data center LANs and multiple cloud platforms to form a unified network fabric. Several network-as-a-service providers, such as Aryaka, Datapath.io and Infradata, also have some, if not all, of Aviatrix's capabilities.
Most large telcos sell cloud connection services, including AT&T NetBond, Verizon Secure Cloud Interconnect and CenturyLink Cloud Connect. Enterprises only concerned with high-speed, private, physical-layer connectivity to multiple cloud services might find these sufficient.
AWS options for a multi-cloud network
AWS has a few services to facilitate the implementation of complicated, multiregion, hybrid cloud network designs, including VPN CloudHub, PrivateLink and Transit VPC. The latter most closely resembles the Aviatrix service but has several drawbacks.
Transit VPCs are complicated to set up and manage and require a sophisticated understanding of network routing and security protocols. Network admins must carefully design around subnetting, address spaces and routing. This becomes even more challenging when dozens of VPCs in different regions are linked into a unified, hub-and-spoke network.
Transit VPCs' topology creates bottlenecks because it requires two hops to route traffic, each of which incurs network egress charges -- from the originating VPC and then through the Transit VPC. It also relies on a full-mesh network design that peers each VPC to every other, even though an organization may want to isolate some VPCs, such as those that send data to an external business partner.
AWS PrivateLink can deploy cloud-to-cloud VPNs that connect an organization's native services to a third-party SaaS, but that SaaS app must be hosted on AWS, since PrivateLink uses an elastic network interface to connect each party's VPC. One advantage, however, is that PrivateLink keeps all network traffic on AWS circuits without traversing the internet. VPN links are secure, but they can't match the throughput or latency of AWS' internal network.