Even though the cloud is scalable and flexible, you may quickly run into network limitations, such as a lack of network capacity. Cloud networking can make or break your entire cloud migration strategy, affecting your application’s performance.
Every team wants to operate and maintain apps seamlessly as they develop, scaling them on demand when needed. This is the holy grail of cloud computing. Only a strong network can make sure that your new cloud infrastructure is up for this challenge and will keep your business afloat.
Here are 4 expert tips to help you ace cloud networking and streamline your cloud migration.
1. Networking prerequisites
When migrating to the cloud, you’re likely to start by developing a Landing Zone – a scalable configuration that enables companies to adapt the cloud provider’s offering to their business needs.
Each of the three major cloud providers uses the concept of a Landing Zone.[1]
To create a useful and realistic Landing Zone, you need connectivity between the cloud and on-premises data centers. You can achieve that by establishing Layer 2 / Layer 3 connectivity, offered as a standard service by all cloud providers:
- Azure ExpressRoute,[2]
- AWS DirectConnect,[3]
- Google Cloud Dedicated Interconnect.[4]
Each of these services has an associated lead time.
To get started, you need to submit an order along with specific contract terms and a potential Non-Recurring Charge from your current network vendor. No matter which cloud vendor you pick, you need to establish connectivity between your current network and the selected cloud provider.
To shorten the usually long lead times, you can start your cloud migration Proof of Concept (POC) with an IPsec site-to-site VPN (Virtual Private Network) solution. The VPN connects the cloud virtual network to your on-premises network over the internet until the dedicated link is in place.
Note: This is a temporary stop-gap measure until direct connections can be established. Once available, feel free to drop the site-to-site VPN.
2. Network planning and deployment
For a minimal Landing Zone deployment that gets your POC off the ground, you need to establish some basic network architecture and logical separation as part of a cloud migration strategy.
Cloud providers have their own terminologies for network groups. Microsoft Azure calls them VNETs, while Amazon Web Services (AWS) and Google Cloud Platform (GCP) refer to them as VPCs (Virtual Private Cloud).[5]
As part of your POC, you need to establish a core set of cloud networks, each with its own private IP space. For example, the Landing Zone will have a specific network and associated resources dedicated to the infrastructure team, with separate Dev/Test/Prod environments.
As additional application blueprints are deployed for workloads, they will require separate private IP subnets and other network assets like DNS subdomains and TLS (Transport Layer Security) certificates.
All of this requires an IP Address Management (IPAM) solution that spans all Landing Zones and potentially the global networks of your company. The solution may be cloud specific or a globally accessible, vendor-neutral tool. Your infrastructure team might already be using an IPAM toolset to manage global private IP address ranges; if so, the Landing Zone ranges must be reserved there before any subnet is deployed, so they never overlap existing corporate address space.
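The IPAM step above is where most address-space mistakes happen: a Landing Zone block that overlaps an on-premises range cannot be routed once the direct connection is up. The following is an added example (not code from the article, and not any IPAM product's API) that carves one subnet per environment out of a reserved block and rejects the block if it collides with ranges already in use. The ranges, block and function names are constructed for illustration.

```python
"""Carve per-environment subnets for a cloud Landing Zone out of a reserved
private block and reject any block that overlaps address space already in use.
Added example: ranges are constructed, function names are this example's own."""
import ipaddress
from typing import Dict, List

# Constructed: ranges already in use on the corporate network (what an
# existing IPAM would hold). A new Landing Zone must not overlap any of them.
EXISTING_RANGES: List[str] = [
    "10.0.0.0/16",    # on-premises data centre A (constructed)
    "10.1.0.0/16",    # on-premises data centre B (constructed)
    "172.16.0.0/12",  # legacy branch offices (constructed)
]

# Constructed: the block the infrastructure team reserved for this Landing Zone.
LANDING_ZONE_BLOCK = "10.20.0.0/16"

ENVIRONMENTS = ["dev", "test", "prod"]


def overlaps_existing(block: str, existing: List[str]) -> List[str]:
    """Return the existing ranges that overlap the proposed block (empty if none)."""
    proposed = ipaddress.ip_network(block, strict=True)
    return [r for r in existing if proposed.overlaps(ipaddress.ip_network(r))]


def allocate_environment_subnets(block: str, environments: List[str],
                                 prefix_len: int = 20) -> Dict[str, str]:
    """Split the block into one /prefix_len subnet per environment.

    Allocation is deterministic (list order, lowest address first) so that
    re-running the planner under IaC always yields the same addresses.
    """
    parent = ipaddress.ip_network(block, strict=True)
    candidates = parent.subnets(new_prefix=prefix_len)
    allocation: Dict[str, str] = {}
    for env in environments:
        try:
            allocation[env] = str(next(candidates))
        except StopIteration:
            raise ValueError(
                f"{block} cannot hold {len(environments)} /{prefix_len} subnets")
    return allocation


def plan_landing_zone(block: str, environments: List[str],
                      existing: List[str]) -> Dict[str, str]:
    """Validate the block against existing address space, then allocate subnets."""
    clashes = overlaps_existing(block, existing)
    if clashes:
        raise ValueError(f"{block} overlaps existing ranges: {', '.join(clashes)}")
    return allocate_environment_subnets(block, environments)


if __name__ == "__main__":
    plan = plan_landing_zone(LANDING_ZONE_BLOCK, ENVIRONMENTS, EXISTING_RANGES)
    for env, subnet in plan.items():
        print(f"{env:5s} {subnet}")
    # A block that collides with an on-premises range is rejected before deployment.
    try:
        plan_landing_zone("10.0.128.0/17", ENVIRONMENTS, EXISTING_RANGES)
    except ValueError as exc:
        print("rejected:", exc)
```

Run the planner as a pre-apply step in the IaC pipeline and feed its output into the network module; the overlap check is the part worth keeping even if your real IPAM tool does the allocation.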
Each Landing Zone will also require a sub-domain that will be used to issue Fully Qualified Domain Names for Landing Zone services and any applications that require FQDNs for deployment. Cloud providers offer cost-efficient DNS management solutions:
- AWS Route53,[6]
- Azure Cloud DNS,[7]
- Google Cloud DNS.[8]
To stay vendor-agnostic, consider using third-party DNS providers such as NSOne, Neustar DNS, or Akamai DNS. NSOne is a modern, API-driven platform that you can easily integrate with an available Terraform provider.
Another item your cloud migration strategy needs is provisioning TLS (formerly SSL) certificates. You provision them through a cloud provider certificate authority, or a third-party CA for private or public certificates.
For public and browser-facing certificates, you can use an open-source solution such as Let’s Encrypt. The service provides free and automated TLS certificates for use with public facing applications.
Regardless of which cloud vendor you choose, all DNS domains, IP subnets, and TLS certificates must be provisioned through Infrastructure as Code (IaC), without a separate system and interface for asset deployment.
3. Zero Trust network
For enhanced security, you need a Zero Trust Network Access solution. Good options include Zscaler, an industry leader in zero-trust networking, and NordLayer.
The platform places application-level, identity-aware proxies (Layer 7) in front of all connections between users and applications. This ensures that cloud-deployed applications are never exposed to the internet through public IP addresses.
Before users can use cloud apps, they have to connect through the Zscaler exchange and go through the authentication and authorization steps.
Figure 1. Zscaler zero trust exchange visualization, source: IT Wire.
The Landing Zone POC needs to ensure that the required Zscaler components are instantiated through IaC. This gives end users and administrative applications the access they need from the start.
In addition to setting up the application connector, your company may need to inspect all traffic leaving any data center or cloud environment. Zscaler can be set up to use GRE tunnels to send traffic to the internet when the application connector doesn’t offer the performance or security visibility that is needed. The provider lists the configuration options in detail.[9]
As part of the Landing Zone POC, you can create GRE Tunnels to Zscaler and test the egress functionality for performance, durability, and security features.
4. Layer 3 – 4 firewall functionality
The separation and configuration of private networks (VNet in Azure and VPC in AWS/GCP) is mandatory for the proper separation of application and infrastructure networks. Your cloud migration strategy needs to include it.
You need to explicitly configure only the required peering connections. Strict security rules should define the ports and protocols that are allowed to communicate across network boundaries.
You can use cloud-native networking tools to establish Layer 3 / Layer 4 firewall rules for network communication happening within the Landing Zone environment. At this point, apply the principle of least privilege when deciding which ports and protocols to open across the Virtual Networks: every allow rule should name a specific source, destination, protocol, and port.
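One way to enforce the least-privilege rule above before anything is applied is to audit the proposed rule set in the IaC pipeline. The following is an added example, not code from the article or from any cloud provider, using a simplified rule schema of this example's own design: each entry is an allow rule on top of an assumed default deny. It flags any-protocol/any-port rules, management ports reachable from the internet, and traffic between networks that are not an approved peering. The rules, approved peerings and port list are constructed.

```python
"""Audit Layer 3/4 firewall rules for a Landing Zone against a least-privilege
policy. Added example: the rule schema, policy and sample rules are constructed
and are not any cloud provider's native format."""
import ipaddress
from typing import Dict, List, Set, Tuple

Rule = Dict[str, str]

# Constructed allow rules in a normalised shape (assumed default deny underneath).
RULES: List[Rule] = [
    {"name": "web-from-internet", "source": "0.0.0.0/0",
     "destination": "10.20.32.0/20", "protocol": "tcp", "ports": "443"},
    {"name": "ssh-from-internet", "source": "0.0.0.0/0",
     "destination": "10.20.32.0/20", "protocol": "tcp", "ports": "22"},
    {"name": "dev-to-prod-any", "source": "10.20.0.0/20",
     "destination": "10.20.32.0/20", "protocol": "any", "ports": "*"},
    {"name": "app-to-db", "source": "10.20.32.0/20",
     "destination": "10.20.48.0/20", "protocol": "tcp", "ports": "5432"},
]

# Constructed policy: the only (source, destination) pairs explicitly peered,
# and management ports that must never be reachable from the internet.
APPROVED_PEERINGS: Set[Tuple[str, str]] = {("10.20.32.0/20", "10.20.48.0/20")}
MANAGEMENT_PORTS: Set[str] = {"22", "3389", "5985", "5986"}


def is_internet_source(source: str) -> bool:
    """A /0 source means 'from anywhere', i.e. the public internet."""
    return ipaddress.ip_network(source).prefixlen == 0


def audit_rule(rule: Rule, approved_peerings: Set[Tuple[str, str]],
               management_ports: Set[str]) -> List[str]:
    """Return a list of least-privilege findings for one rule (empty if clean)."""
    findings: List[str] = []
    ports = {p.strip() for p in rule["ports"].split(",")}

    # 1. Any-protocol or any-port rules defeat the purpose of L3/L4 filtering.
    if rule["protocol"].lower() == "any" or "*" in ports:
        findings.append("allows any protocol or port; enumerate required ports explicitly")

    if is_internet_source(rule["source"]):
        # 2. Management interfaces exposed to the whole internet.
        exposed = sorted(ports & management_ports)
        if exposed:
            findings.append(f"exposes management port(s) {', '.join(exposed)} to the internet")
    elif (rule["source"], rule["destination"]) not in approved_peerings:
        # 3. Cross-network traffic that is not one of the approved peerings.
        findings.append(f"{rule['source']} -> {rule['destination']} is not an approved peering")
    return findings


def audit_rules(rules: List[Rule], approved_peerings: Set[Tuple[str, str]],
                management_ports: Set[str]) -> Dict[str, List[str]]:
    """Audit every rule; keyed by rule name so a pipeline can report per rule."""
    return {r["name"]: audit_rule(r, approved_peerings, management_ports) for r in rules}


def rules_pass(report: Dict[str, List[str]]) -> bool:
    """True only when no rule produced a finding (gate for the IaC apply step)."""
    return all(not findings for findings in report.values())


if __name__ == "__main__":
    report = audit_rules(RULES, APPROVED_PEERINGS, MANAGEMENT_PORTS)
    for name, findings in report.items():
        print(f"{'ok  ' if not findings else 'FAIL'} {name}")
        for finding in findings:
            print(f"       - {finding}")
    print("least-privilege check:", "passed" if rules_pass(report) else "failed")
```

In a real pipeline the rule list would be exported from the Terraform plan or the provider's API into this normalised shape; the checks themselves stay the same, and a failing report should block the apply rather than just warn.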
However, if the Landing Zone will be connected to your corporate Software Defined Network (SDN), you need to take extra measures to ensure that all the traffic flowing into existing networks is properly inspected and all the corporate firewall rules are enforced.
It’s a good idea to install the corporate standard firewall appliance provided by FortiGate as part of the Landing Zone instantiation. You can create and configure the firewall appliance through IaC; it will ensure that all traffic flowing into the corporate network is fully inspected with firewall rules enforced.
Legacy networks limit cloud flexibility and on-demand scaling. Controlling application network paths across users and business needs is hard because old routing methods and other problems can slow cloud migrations. You may require an upgraded network architecture – perhaps using Software Defined Networking – to improve agility and network administration and to keep operating expenses under control.
Keeping in mind the four considerations we shared above will hopefully improve your decision-making process and make your cloud migration strategy smoother.
[1] For Amazon Web Services, check out this page: https://docs.aws.amazon.com/prescriptive-guidance/latest/migration-aws-environment/understanding-landing-zones.html. For Google Cloud Platform, see: https://cloud.google.com/architecture/landing-zones. For Microsoft Azure, have a look here: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/.
[2] https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/
[3] https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html
[4] https://cloud.google.com/network-connectivity/docs/interconnect/concepts/dedicated-overview
[5] https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview; https://www.networkmanagementsoftware.com/google-cloud-platform-gcp-networking-fundamentals/
[6] https://aws.amazon.com/route53/
[7] https://azure.microsoft.com/en-us/products/dns/
[8] https://cloud.google.com/dns
[9] https://help.zscaler.com/zia/gre-deployment-scenarios