This content is part of the Conference Coverage: Your passport to AWS re:Invent 2016

Untangling hybrid cloud network confusion

Amazon VPC is an essential piece of the hybrid cloud puzzle, enabling enterprises to control public cloud configurations while securely connecting to private data centers.

Security and control have historically been two of the biggest concerns that business executives and IT pros have had when contemplating the use of public cloud services. Nowhere is the issue more acute than with networking -- IT teams require the ability to control configurations within a public cloud infrastructure and secure connectivity to private data centers in a hybrid cloud network.

These types of network topologies can be complex. Applications are spread across systems in a multi-tier design, with each application layer having different security requirements. This means that systems must be isolated on separate network segments, which is not possible with stock cloud services.

Similarly, no matter how enthusiastically an organization adopts AWS, most will have legacy systems on premises in private data centers or in a colocation facility for quite some time. These systems must share data with cloud-based resources while firewall and router policies carefully control traffic.

Before fully embracing the public cloud, most enterprises need assurance that they can build and control complex networks for cloud-hosted applications. Likewise, they have to ensure that sensitive business information won't be openly transmitted over the internet. Because of this, Amazon created the Amazon Virtual Private Cloud (VPC), a virtual private network that provides design flexibility and control, along with the ability to securely bridge AWS infrastructure and enterprise data centers in a hybrid cloud network.

VPC vs. private cloud

Amazon VPC essentially enables an enterprise to build a private network; however, when paired with Reserved Instances, it creates a close facsimile of a private cloud. VPC provides an isolated network sandbox that gives AWS users complete control over network configuration, including subnet creation and addressing, route tables, network gateways and security settings. Subnets are private whether or not they have a network address translation (NAT) and a public internet gateway with a routable address.

Amazon VPC provides greater control over network settings than the default EC2 environment does.

With VPC, AWS users get a virtual router that creates multiple isolated subnets that can run AWS resources such as Elastic Compute Cloud (EC2), Elastic Block Store and Relational Database Service. VPC endpoints allow users to create private connections between VPC subnets and any AWS product without using NAT and an internet gateway. For example, an admin can access Simple Storage Service from an EC2 instance in a simpler fashion in a VPC, as it creates a VPC endpoint and defines which buckets, objects and APIs it can access.

Amazon VPC provides greater control over network settings than the default EC2 environment does. Amazon VPC offers:

  • The ability to assign static, persistent IPs to instances that remain after stops and restarts.
  • Support for multiple IP addresses per instance, including more than one network interface. For example, an instance can simultaneously sit in multiple VPCs.
  • The ability to change an instance's security group membership while it's running.
  • In- and outbound traffic filtering and support for access control lists on each EC2 instance.
  • Support for EC2 Dedicated Hosts and Dedicated Instances.
Amazon VPC, or the equivalent Azure and Google services, is a requirement for any organization that will deploy multiple applications with complex, multi-tier topologies in the cloud.

When paired with a Virtual Private Gateway, VPCs form the foundation of a hybrid cloud network. Similar to an internet gateway, which provides a publicly routable IP and path to external clients, a virtual private gateway links Amazon VPCs to remote data centers via an IPsec VPN. Gateways connect to a VPC virtual router and one or more customer networks using VPN endpoints. These endpoints can be virtual or physical devices, such as a Cisco ISR, Juniper SRX, SonicWALL Firewall or a Fortinet UTM appliance.

Connections between the VPC and private networks can be static, defined by a routing table or dynamic using Border Gateway Protocol (BGP). According to VPC documentation, if using "a BGP device, you don't need to specify static routes to the VPN connection because the device uses BGP to advertise its routes to the virtual private gateway. If you use a device that doesn't support BGP, you must select static routing and enter the routes (IP prefixes) for your network that should be communicated to the virtual private gateway."

Teaming VPCs with AWS Direct Connect

VPCs are a necessary complement to AWS Direct Connect, which provides a private physical layer network connection between AWS and an organization's internal infrastructure -- whether it resides in a private data center or a colocation facility. Admins can provision Direct Connect circuits over an existing Multiprotocol Label Switching WAN from a major telecom carrier.

Conceptually, using Direct Connect with VPC is the same as having an IPsec VPN over the public internet, but enterprises will experience better performance -- faster bandwidth (up to 10 Gbps), lower latency (usually much less than 10 milliseconds) and more predictable network quality. As with a VPN, Direct Connect circuits terminate on an AWS virtual router from which traffic can be sent to one or more VPCs based on static or dynamic routing policies.

VPN options from cloud competitors

Both Microsoft Azure and the Google Cloud Platform offer comparable services that allow enterprise IT to create multiple private virtual subnets with configurable routing policies, public internet gateways, NAT and support for VPN tunnels. Similar to AWS, both Azure and the Google Cloud Platform provide a virtual router that supports BGP for sophisticated dynamic routing policies between public and private networks. Thus, assuming the private side of the VPN termination is a router and not a simple VPN gateway appliance, both services will connect any private network to one or more virtual subnets in the cloud.

Recommendations and use cases

Amazon VPC, or the equivalent Azure and Google services, is a requirement for any organization that will deploy multiple applications with complex, multi-tier topologies in the cloud. VPC paired with a VPN and Direct Connect is necessary to establish reliable, secure links between cloud-based applications and on-premises resources such as databases, file stores or legacy applications.

VPC networking concepts should be familiar to any IT networking pro, so the primary learning curve involves understanding the cloud management console or command-line interface. Connecting a remote VPC with mission-critical enterprise networks, particularly when using BGP, is a nontrivial exercise. Admins should learn the basics, test frequently and use an abundance of caution before throwing the switch on a hybrid cloud network.

Next Steps

Pros and cons of using an Amazon VPC

Put a stop to AWS network issues

New AWS security tools thwart attacks on infrastructure

Dig Deeper on AWS network management