Top 10 Tips - Pureport · 2019-08-06 · networking team. Network-focused DevOps engineers and...


Top 10 Tips for Deploying Hybrid Cloud Networks

GUIDE


Introduction

Today, more organizations are transitioning to the cloud than ever before. Simultaneously, more cloud providers, as well as third-party technology solutions, are launching their own cloud services and offerings. Though strategizing for multicloud and hybrid cloud networks can be overwhelming, Pureport’s guide walks organizations through the necessary steps to build a cloud strategy that meets the organization’s business strategy.

Pureport’s Multicloud Fabric™ seamlessly orchestrates private connectivity to the top cloud providers, such as Amazon Web Services, Microsoft Azure, Google Cloud, Oracle Cloud, and IBM Cloud. Whether a multicloud, hybrid cloud, or multi-site network, Pureport’s Multicloud Fabric enables organizations to securely deploy cloud connections within minutes, and without the need for additional physical infrastructure.

Because of our expertise in both cloud technology and services, the Pureport Team fully understands the key areas to evaluate before picking a path to the cloud. This eBook guides organizations through their journey to the cloud and highlights the fundamental requirements and decisions to make prior to moving to the cloud. The order of these tips may vary based on each organization’s requirements and goals, but this guide provides a starting point to prepare your team for its journey to the cloud.


Tip 1: Analysis of Team Skill Sets

A critical component of any organization’s cloud journey is how much cloud networking expertise their staff possesses. Because cloud environments rely heavily on orchestration and automation, network skill sets are often found in the DevOps team, or even the development organization.

When considering cloud migration, companies must understand the capability of their networking team. Network-focused DevOps engineers and developers will need to work with new orchestration paradigms, and should be able to leverage cloud-like tools to spin up infrastructure resources.

Tools such as Ansible and Terraform can automate many typical infrastructure tasks, and are often integrated via APIs into network orchestration platforms such as Pureport’s Multicloud Fabric. It is critical that an organization’s staff not only use these tools, but also actively seek opportunities to build cloud-like automation into their networking elements. Gone are the days of six-month networking projects—instead, agile cloud networking is here to stay. Companies now expect the infrastructure and networking that connects them to the cloud to be as fast as the cloud itself.


Tip 2: Connectivity

With multiple design patterns and architectures available, choosing the right technology to provide connectivity between hybrid and multicloud architectures can be challenging. For cloud-to-cloud connectivity, the primary option is a VPN solution using virtual firewalls, but few private connectivity options exist that also leverage native cloud provider connectivity. According to the RightScale State of the Cloud report [1], enterprises use, on average, more than four cloud service providers to support their business needs. In order to match the pace of this digital transformation to the cloud, network infrastructure must be flexible and agile. Currently, limited options exist for privately connecting all the cloud services an organization uses—and most options depend on traditional infrastructure such as private lines or VPN appliances. However, Software Defined Networking (SDN) is emerging as a promising trend, as it provides the flexibility and scalability needed to speed up cloud adoption and transformation.

If a multicloud strategy is not the right choice for an organization based on its requirements, branch office connectivity is another key option to consider. Because internet cloud connectivity can incur security risks and performance issues, private connectivity between branch offices and the cloud is ideal, and a similar option should be used when connecting multiple clouds together. As compared to VPN solutions for cloud-to-cloud connectivity, Multiprotocol Label Switching (MPLS) can be cheaper than outfitting every branch office with security gateways, but unfortunately, MPLS provides a poor user experience when backhauling traffic to regional data centers or hubs. Because of this, many organizations turn to SD-WAN solutions, but these are not without their drawbacks, either. To effectively deploy SD-WAN, dual internet circuits are a must—luckily, these have become the default for connectivity.

Additionally, full-mesh can provide direct connections between clouds and branch offices, but this also requires dedicated security infrastructure to maintain the VPN tunnels. According to Cisco, “When the number of nodes in a full-mesh topology increases, scalability may become an issue—the limiting factor being the number of tunnels that the devices can support at a reasonable CPU utilization.” [2] Full-mesh can also complicate the management of all devices and connections without a robust control-plane. Many security appliances are also licensed based upon the number of tunnels on a device, which can be cost-prohibitive for large full-mesh networks.

[1] https://www.rightscale.com/lp/state-of-the-cloud

[2] https://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/417/user/guide/CSMUserGuide/vpchap.html#pgfId-490223


Tip 2: Connectivity (cont’d)

No matter the technology path, high-availability (HA) networks should be a priority for all cloud connections. For on-premises and data center connectivity in a hybrid cloud network, using multiple physical circuits with failover to VPN over dedicated internet access should be considered. If using virtual appliances, automatically handling failure and replacement can greatly improve network resiliency. Private circuits, when used, should also be redundant, ideally using multiple different carriers to prevent outages due to fiber cuts. And finally, just like cloud and enterprise application architecture, it’s important to design for failure. All locations should have redundant equipment with automated failover. Leveraging Layer 3 connectivity services, such as BGP, can significantly improve failover scenarios.

[Figure: reference architecture with a dedicated SDN device at each of an AWS Direct Connect location, a Microsoft Azure ExpressRoute location, and a Google Cloud Interconnect location, connected to the customer’s corporate datacenter, corporate office, and branch office through an SD-WAN controller.]


Tip 3: Integration with Existing Applications and Deployments

In a perfect world, all existing applications and deployments can be immediately migrated to the cloud, or can be rewritten from scratch to best utilize cloud resources. Unfortunately, however, this is rarely the case. In practice, organizations must migrate existing applications to the cloud over time, or leave them in place and then integrate new cloud-based applications with existing deployments, leading to a hybrid cloud or multicloud architecture.

The Pureport Team has outlined several key items to consider when deciding how to integrate applications deployed across different clouds or data centers, such as:

1. How frequently will data need to be transferred between the applications (e.g., real-time, hourly, daily)?

2. If real-time integration is necessary (e.g. pulling from an online database), what are the latency requirements (e.g., <1ms, <10ms, <100ms)?

3. How much data needs to be transferred between applications each day?

4. Do security requirements need to be considered to ensure data is protected in transit?

5. What happens if connectivity between applications is dropped or degraded? How much downtime is acceptable?

If latency and cost are not critical to the workload, it may be acceptable for applications across clouds and data centers to be geographically separated, and to use the public internet for transmitting data between them. However, in many cases, bandwidth, cost, and latency requirements demand that on-premises and cloud-based applications are deployed geographically close together and utilize private networking to ensure consistent bandwidth and latency.


Tip 4: Network Security

When moving applications to the cloud and/or adopting a hybrid or multicloud strategy, new security concerns can arise, especially if operating in a highly regulated industry, such as finance or healthcare. Over the years, major cloud providers have worked hard to add technical solutions and processes to help meet the most rigorous compliance requirements, allowing nearly all industries to move their workloads to the cloud. However, Pureport believes organizations must perform their own due diligence, as well as develop the right architectures to ensure their applications remain secure and compliant when moving to the cloud, or splitting across multiple clouds.

To facilitate this due diligence, consider the following list of questions most organizations need to ask when moving to the cloud:

• Does the cloud provider meet the necessary compliance requirements (e.g., HIPAA, SOC2, PCI, etc.)?

• Does the specific service offered by the cloud provider meet the organization’s compliance requirements?

• Will data be encrypted at rest?

• Which employees at the cloud provider have access to the organization’s data?

• How can the cloud provider help prevent attacks against the application?

• What Identity and Access Management (IAM) functionality does the cloud provider offer, and how can this be mapped to the organization’s existing management tools?

With a multicloud or hybrid cloud deployment, a few additional things should be considered related to data transit between cloud deployments, such as:

• Will data be encrypted in transit?

• Will anyone have access to the organization’s data in transit between clouds?

• Is it safe to use the public internet with VPN tunnels, or is fully private networking required?

In general, it’s best to adopt a zero-trust policy when transmitting data across private or public networks, where the organization takes responsibility for end-to-end encryption at the application level. With the adoption of TLS to secure HTTP-based APIs, this happens automatically as part of the HTTPS protocol, but if a workload isn’t using HTTP to transmit data, other options exist for encrypting the data in transit, including IPSec, TLS, SSL, and SFTP.

With the proper safeguards and processes in place, moving applications to the cloud or multiple clouds can be just as safe (or safer) than hosting them on-premises. This is especially true when taking advantage of the native security-focused offerings from the cloud providers, such as DDoS mitigation, web application firewalls, monitoring, data encryption, and IAM policy management.


Tip 5: Right Cloud for the Right Need

Historically, when organizations only required compute and storage from the cloud, choosing a cloud provider was fairly easy, and usually resulted in selecting a single provider. However, now that the number of cloud providers has increased, and each has differing service offerings, the choice has become more complex—plus, it often ends in compromise if trying to stick to a single provider.

The good news is that emerging tools can help organizations utilize multiple cloud providers without introducing extra complexity or costs—tools such as Terraform for multi-cloud DevOps, Kubernetes for service orchestration, and Pureport for multi-cloud and hybrid cloud networking. Now, organizations have the freedom to choose the right cloud provider for each application or workload based on their specific needs, without any compromises.

Even though cloud providers and services continue to evolve, it’s still important to review several key areas when selecting a cloud provider for a given application:

• Does the cloud provider offer specific services—such as voice recognition, video transcoding, or machine learning—required for this application?

• Does the cloud provider meet the compliance needs for this application?

• How much will it cost to host this application with the cloud provider?

• If moving an existing application to the cloud, will this application be able to run unmodified using the services offered by the cloud provider?


Tip 6: Hardware Requirements

One of the biggest reasons for moving workloads to the cloud is to get away from procuring and managing hardware, so that organizations can scale up nearly instantly without purchasing new hardware. However, when it comes to hybrid or multicloud deployments, it’s often still necessary to purchase and manage networking hardware for on-premises data centers or cloud interconnection facilities in order to support the connectivity that the workloads require.

For example, in order to interconnect AWS and Microsoft Azure using their native private connectivity offerings (AWS Direct Connect and Azure ExpressRoute), organizations must:

1. Purchase at least two physical routers (for proper redundancy).

2. Deploy the two routers into a cabinet within one of the co-location facilities where AWS Direct Connect and Azure ExpressRoute are both available.

3. Have four cross-connects from the colo provider along with internet access for remote management.

4. Configure a router to peer with the cloud providers.

For the equipment alone, this scenario can cost as much as $25,000 in up-front costs, as well as around $2,500 per month for the power, space, and cross-connects.

Alternatively, organizations can use the public internet for transport between AWS and Microsoft Azure, where VPN tunnels are established between the providers using either their native VPN option or a virtual VPN appliance on both sides. However, per-GB transfer fees for internet-based connectivity are expensive, and do not come with performance guarantees.

Instead, multicloud networking platforms like Pureport’s Multicloud Fabric platform offer on-demand, private interconnection without the need to deploy any physical hardware. This approach leverages the best of both worlds: low-cost, high-performance connectivity without the fees and headache of additional hardware.


Tip 7: Identify Overlapping IP Addresses

When adopting a multi-cloud or hybrid-cloud strategy, it’s common to interconnect existing cloud or site networks that were previously disparate from each other. This could be due to one of the following reasons:

• Integrating applications deployed across two public cloud providers (multicloud).

• Integrating applications deployed across private and public clouds (hybrid cloud).

• Deploying applications to a public cloud that will be accessed by multiple branch offices (multi-site network).

Sometimes, existing networks will have overlapping subnets. This usually occurs when branch offices are still using a default subnet assigned by their router, such as 192.168.1.0/24. To avoid routing issues, these overlaps must be identified and addressed before the existing networks can be interconnected.

In the past, subnets were re-assigned for each existing network—a painful process, particularly when numerous existing workloads depended on the currently assigned IP addresses. Pureport’s Multicloud Fabric offers much simpler IP address resolution through its Cloud Grade NAT functionality, which can be enabled by simply checking a box on each connection to an overlapping network. This allows overlapping networks to be interconnected without changing any native IPs or subnets.
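The overlap check described in this tip can be automated before any connection is built. The following is an added example, not code from the Pureport guide or its platform: it takes an inventory of the prefixes each site or cloud network advertises (the site names and prefixes below are constructed, with two branches on the router default 192.168.1.0/24 and an AWS VPC carved from the same 10.10.0.0/16 as the data center), reports every cross-site overlap, and proposes unused ranges from a pool that could serve as renumbering targets or as the translated ranges a NAT would present to the rest of the network. It uses only the Python standard library.

```python
"""Find overlapping prefixes across the networks to be interconnected.

Added example, not part of the Pureport guide. The site inventory below is
constructed: two branch offices still run the router default 192.168.1.0/24,
and an AWS VPC was carved out of the same 10.10.0.0/16 as the data center.
"""
from ipaddress import ip_network
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed inventory: site name -> prefixes that site will advertise.
SITES: Dict[str, List[str]] = {
    "hq-datacenter": ["10.10.0.0/16"],
    "branch-a": ["192.168.1.0/24"],
    "branch-b": ["192.168.1.0/24"],
    "aws-vpc": ["10.10.0.0/22"],
    "azure-vnet": ["172.16.0.0/16"],
}

Overlap = Tuple[str, str, str, str]  # (site_a, prefix_a, site_b, prefix_b)


def find_overlaps(sites: Dict[str, List[str]]) -> List[Overlap]:
    """Return every pair of prefixes from different sites that overlap.

    strict=True makes ip_network reject an entry with host bits set, so a
    typo such as 10.10.0.1/16 in the inventory fails loudly instead of being
    silently normalised to a network address.
    """
    parsed = [
        (site, ip_network(prefix, strict=True))
        for site, prefixes in sites.items()
        for prefix in prefixes
    ]
    overlaps: List[Overlap] = []
    for (site_a, net_a), (site_b, net_b) in combinations(parsed, 2):
        # Prefixes inside a single site are that site's own address plan;
        # only collisions between sites break routing once interconnected.
        if site_a != site_b and net_a.overlaps(net_b):
            overlaps.append((site_a, str(net_a), site_b, str(net_b)))
    return overlaps


def free_subnets(pool: str, sites: Dict[str, List[str]], new_prefix: int, count: int) -> List[str]:
    """Pick `count` subnets of size /`new_prefix` from `pool` that collide with
    nothing in the inventory. These are candidates for renumbering a site or
    for the translated range a NAT would present to the other networks."""
    used = [ip_network(p, strict=True) for prefixes in sites.values() for p in prefixes]
    chosen: List[str] = []
    for candidate in ip_network(pool).subnets(new_prefix=new_prefix):
        if not any(candidate.overlaps(u) for u in used):
            chosen.append(str(candidate))
            if len(chosen) == count:
                break
    return chosen


if __name__ == "__main__":
    for site_a, net_a, site_b, net_b in find_overlaps(SITES):
        print(f"OVERLAP: {site_a} {net_a} <-> {site_b} {net_b}")
    print("free /24s in 10.20.0.0/16:", free_subnets("10.20.0.0/16", SITES, 24, 2))
```

Run against the constructed inventory, the check flags the two branch offices against each other and the AWS VPC against the data center; every other pair is clean. Feeding the real inventory in from each site's route table or VPC/VNet definition, and running the check as part of the change process for every new connection, catches the overlap before it becomes a routing incident.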


Tip 8: Consider Geographic Placement of Clouds

When implementing workloads across multiple clouds, several considerations must be made. Whether implementing a high availability (HA)/disaster recovery (DR) strategy, or taking advantage of services that only exist in another cloud, choosing the geographic location of a new cloud deployment is a crucial decision.

1. Organization and end user proximity should be considered when expanding into multiple clouds. By leveraging geographic location, content delivery networks, and latency-based routing, an organization can direct its end users to another cloud deployment closer to their physical location, thereby improving the user experience of the application(s).

Security and compliance decisions are also closely tied to the previous example. Due to data sovereignty laws across the globe, deploying into a cloud within a specific country may be required. In order to keep user data within a specific cloud, organizations may need to direct users to the closest geographic location.

2. Teams should review and understand costs such as data transfer and software licensing. While shifting workloads to the cloud can save money, software licensing costs can become a hidden, but significant, cost. For example, several major database software vendors have a different pricing model when running their products in the cloud. Some even provide steep licensing discounts when running these products within their public cloud offerings.

3. The services a cloud provider wants to offer in varying locations can also drive the decision to choose a particular location over another. Some products and features offered by a single cloud are not available within all geographical locations. If an organization has very specific requirements, these criteria can narrow down the list of possible locations.

4. The final item to consider—whether expanding to multiple public clouds, a hybrid cloud, or multiple private clouds—is how to connect them together. Options include VPN over the public internet, private connectivity, or SD-WAN and MPLS, a more sophisticated choice.


Tip 9: Bandwidth Profiles/Traffic Flows

When moving workloads to the cloud or adopting a multicloud strategy, it’s important to plan for—and attempt to minimize—data transfer costs. Most public cloud providers do not charge for public ingress transfer (transferring data to the cloud), but they do charge per-GB for public egress transfer (transferring data from the cloud). Most cloud providers also charge per-GB for traffic that flows between regions across the provider’s backbone.

Pureport has provided three sample scenarios with estimated transfer costs to illustrate the variations in spend between public and private connectivity options. To minimize egress transfer costs, organizations can use one of the private connectivity options offered by various cloud providers, which are typically billed at a significantly lower rate. For example, AWS charges $0.09/GB for public egress transfer over the internet, while charging $0.02/GB for private egress transfer over a Direct Connect circuit.

Sample scenarios: costs using public connectivity vs. reduced rates using private connectivity

Scenario 1: Data back-up from an on-premises location to the cloud

Public connectivity: Backing up data from an on-premises location to the cloud is a popular option due to its low cost and the proven reliability of cloud storage. In this scenario, nothing is paid for data transfer since data is flowing into the cloud provider.

Private connectivity: The costs for this scenario remain at zero when using AWS Direct Connect. However, because this scenario bypasses the public internet, it also takes advantage of guaranteed bandwidth and latency.

Scenario 2: Data back-up from the cloud to an on-premises location

Public connectivity: Another popular scenario is data back-up from the cloud to an on-premises location, especially for DR scenarios. Between logs, video, voice, and image content, the cloud application will generate an estimated one TB of data per day, all of which must be backed up. In this case, the monthly egress transfer costs would total $2,700 per month, based on the following formula:

30 days x 1000GB x $0.09/GB = $2,700/month

Private connectivity: 30 days x 1000GB x $0.02/GB = $600/month

Scenario 3: Nightly transfer from Public Cloud A to data lake in Public Cloud B

Public connectivity: Transferring data between two public cloud providers is similar to transferring from the cloud to an on-premises location. Data must flow out from one cloud and into the other, and typically, transfer charges are only paid to the provider out of which the data is flowing.

For example, a front-end application is running in four different regions of Cloud A, each generating 200GB of logs that need to flow into a central data lake running in Cloud B. The egress costs would total $2,160 per month, based on the following formula:

30 days x 4 regions x 200GB (logs per region, per day) x $0.09/GB = $2,160/month

Private connectivity: 30 days x 4 regions x 200GB x $0.02/GB = $480/month
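The three scenarios above follow one rule: ingress is free, egress is billed per GB at a rate that depends on whether the data leaves over the public internet or a private circuit. The following is an added example, not from the Pureport guide, that encodes that rule so any set of flows can be priced both ways. The per-GB rates are the AWS figures the guide quotes; the flat monthly fee accepted by breakeven_gb is a hypothetical input for comparing a fixed-price circuit against public egress, since the guide prices Pureport connectivity per allocated bandwidth-hour rather than as a flat fee.

```python
"""Monthly data-transfer cost model for the traffic-flow scenarios in tip 9.

Added example, not from the Pureport guide. Rates are the AWS figures the
guide quotes; the fixed fee used by breakeven_gb() is a hypothetical input.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

PUBLIC_EGRESS_PER_GB = 0.09   # $/GB, egress over the public internet (guide figure)
PRIVATE_EGRESS_PER_GB = 0.02  # $/GB, egress over a Direct Connect circuit (guide figure)
DAYS_PER_MONTH = 30


@dataclass(frozen=True)
class Flow:
    """One recurring traffic flow.

    gb_per_day is per source; sources counts e.g. the regions that each emit
    that volume. egress=False marks data flowing into the provider, which the
    guide notes is not billed.
    """
    name: str
    gb_per_day: float
    sources: int = 1
    egress: bool = True


def monthly_cost(flow: Flow, rate_per_gb: float, days: int = DAYS_PER_MONTH) -> float:
    """Monthly transfer cost in dollars; ingress-only flows cost nothing."""
    if not flow.egress:
        return 0.0
    return round(days * flow.sources * flow.gb_per_day * rate_per_gb, 2)


def compare(flows: Iterable[Flow]) -> Dict[str, Tuple[float, float]]:
    """Map flow name -> (cost over public internet, cost over private connectivity)."""
    return {
        f.name: (monthly_cost(f, PUBLIC_EGRESS_PER_GB), monthly_cost(f, PRIVATE_EGRESS_PER_GB))
        for f in flows
    }


def breakeven_gb(fixed_monthly_fee: float) -> float:
    """Monthly egress volume at which a private circuit with a flat monthly fee
    (hypothetical input, not the guide's pricing model) pays for itself against
    public egress pricing."""
    saving_per_gb = PUBLIC_EGRESS_PER_GB - PRIVATE_EGRESS_PER_GB
    return fixed_monthly_fee / saving_per_gb


# The guide's three scenarios expressed as flows. Scenario 1's volume is not
# given in the guide and does not matter: ingress is free at any volume.
SCENARIOS = [
    Flow("backup to cloud", gb_per_day=1000, egress=False),
    Flow("backup from cloud", gb_per_day=1000),
    Flow("logs to data lake in Cloud B", gb_per_day=200, sources=4),
]

if __name__ == "__main__":
    for name, (public, private) in compare(SCENARIOS).items():
        print(f"{name:30s} public ${public:>8,.2f}   private ${private:>8,.2f}")
    print(f"breakeven for a $500/month flat circuit: {breakeven_gb(500):,.0f} GB/month egress")
```

With the guide's numbers the model reproduces $2,700 vs. $600 for the cloud-to-premises backup and $2,160 vs. $480 for the cross-cloud log transfer; adding a flow per real application, with its direction and per-source volume taken from actual traffic measurements, turns the table into a per-workload cost forecast.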

Pureport makes it easy to take advantage of these savings by offering on-demand connectivity to, from, and between the public cloud providers via lower-cost, private circuits. Additionally, Pureport charges based on allocated bandwidth per hour, which allows organizations to pay for only the bandwidth that is needed.


Tip 10: Licensing

Understanding the implications of software licensing agreements is important when moving workloads to the cloud. Pureport recommends organizations focus on two key areas: location restrictions and back-up strategies.

1. Will the software vendor allow licenses to be used in locations outside of the customer’s premises or data center locations? Many software vendors have Bring Your Own License (BYOL) programs that allow for license portability in public cloud environments, but some of these programs have recently been curtailed. Due to the competitive nature of the public cloud space, some software vendors have significantly increased the cost to use their software license in another vendor’s cloud, or ended their BYOL programs altogether.

2. Is there an agreement between the cloud provider and the software provider? What are the terms, and what is the expiration date of the agreement? It is critical to understand the implications of BYOL in any new cloud migration, particularly as it relates to the license’s potential termination.

Similarly, preparing an exit strategy can also be helpful. If it becomes cost prohibitive to leverage a BYOL in a cloud environment, what options exist for either transitioning elsewhere or leaving the agreement? Considering other options can facilitate a smooth transition, should the current solution become untenable.


Bonus Tip: Back-Up/Disaster Recovery (Multicloud for DR purposes)

Leveraging multiple clouds is a common DR strategy that can prevent outages due to complete failures within a cloud region, as well as data loss due to human error or natural disaster. While standard RTO/RPO considerations still need to be addressed, the cloud can improve user experience while simultaneously providing a DR strategy. For example, deploying a hot site in another cloud hosted 2,000 miles away creates an opportunity to direct users to the nearest deployment, which can reduce latency. When combined with scaling automation, a fully vetted back-up and recovery procedure, and intelligent traffic routing, multiple clouds allow an organization to survive a complete loss within a geographical region by automatically scaling up another site to accommodate the increased traffic load. Stable, fast connectivity between two or more locations ensures data is replicated between multiple clouds.

As a minimum, Pureport recommends running multiple instances of an application within a single location and leveraging load-balancing between them. All public cloud offerings provide a managed load-balancer service, as well as a mechanism to replace failed machines within an application stack.


Bonus Tip: Build and Launch Cloud Networks Today

Organizations of all sizes can get started today building and deploying multicloud, hybrid cloud, and multi-site networks with Pureport’s Multicloud Fabric platform. Visit https://console.pureport.com to create an account and begin deploying cloud networks in minutes.

To learn more about Pureport’s platform, visit www.pureport.com.

About Pureport

Pureport’s Multicloud Fabric seamlessly orchestrates private connectivity to Amazon Web Services, Microsoft Azure, Google Cloud, Oracle Cloud, and IBM Cloud. Whether a multicloud, hybrid cloud, or multi-site network, Pureport’s Multicloud Fabric enables organizations to securely deploy cloud connections within minutes, and without the need for additional physical infrastructure. Pureport’s Multicloud Fabric includes a distributed multicloud router that enables connections between sites and cloud providers from the same network, and supports Layer 3 BGP peering between them. Pureport’s Console offers a visual tool for self-service management of cloud networks, and reduces the administrative overhead and technical expertise often required when deploying traditional networks. Pureport charges based on allocated bandwidth per hour, which allows organizations to pay for only what is needed.

[email protected] | 919.261.6600 | www.pureport.com Copyright © 2019 Pureport | All Rights Reserved