How can enterprises integrate their wide area network (WAN) with Internet cloud services or cloud computing services that use public Internet connections? Most enterprises use the Internet routinely to support
For businesses already using the Internet as their WAN, making their cloud service connections via the Internet may be the best choice. Where more stringent service-level agreements (SLAs) are required, another option is to add your cloud provider directly to your private WAN. This is covered in my previous article on how wide area networks intersect cloud services. The choice between private and public Internet cloud service connections is a classic cost/benefit tradeoff based on security, availability and some specific integration issues and options.
If your company uses Internet VPNs to access your data center, then adding Internet cloud services is largely a matter of making the cloud accessible in the same way. VPN clients on virtually all computers and appliances will essentially disconnect the user from the Internet, so the cloud will have to be a part of the VPN.
Most Infrastructure as a Service (IaaS) or Platform as a Service (PaaS) clouds will support SSL VPNs, so the primary integration issue is addressing the cloud applications. If the cloud and your data center both support applications in a load-sharing or backup sense, then you will either need to use a directory/redirection feature (DNS, UDDI) to switch users between cloud and data center, or make the Internet cloud service appear as a server option under your data center load-balancing switch. Backup and load-balancing techniques you use in your own data centers will likely serve you best.
If your workers are on your company WAN, then access to the Internet will be regulated by a gateway. That means that accessing cloud services over the Internet will be possible through that gateway, and you can presume that your own security and firewall procedures will protect your WAN side of the connection. However, the Internet cloud service provider’s side would also need to be protected. Again, IaaS or PaaS services will normally let you install security services/firewalls on your machine images, and the provider may also offer some security. Except for PaaS providers that may offer a full range of security services including even virus scanning, Internet cloud service provider security will typically be confined to firewalls or encrypted VPN service connections. If you want more, it’s best to add them on your own.
Many, or even most, applications that you might run in the cloud will also need access to data normally stored in the enterprise data center. Interprocess connections used with workflow or service bus technology and storage networking in any form create back-end connection requirements that bypass normal application sign-on security. That makes it doubly important to secure these paths. SSL VPNs are less likely to be suitable for these missions than the facility-to-facility IPsec VPN.
You may have IPsec VPNs in use already for branch connectivity, and a similar approach can be used to connect your cloud provider. There are excellent IPsec VPN appliances that create these site connections and also provide firewall protection. However, they often require a device at each end, and your Internet cloud provider would have to cooperate to use them. Check with providers of VPN appliances to see if they have server-side software available, or look for a software-only solution.
Your next issues are availability and performance, and it’s important to remember that these aren’t entirely Internet access issues; recent outages on public cloud services illustrate that the cloud infrastructure itself can fail. Still, enterprises report that the largest source of problems with public cloud applications is the Internet connection. They also report that it’s far more common to have significant performance degradation than a total failure of connectivity, and if the degradation is bad enough, it can reduce productivity nearly as much as a total outage. Remember that Internet service is inherently best-effort, and that may be an issue for some applications, particularly in companies used to negotiating SLAs for their enterprise WAN services. Internet SLAs are difficult to obtain and normally almost meaningless if cloud application traffic has to cross provider boundaries.
Your own gateway location may also make a difference in performance. While most enterprises would likely think of connecting their Internet VPN gateway at the data center location, there may be several such locations, and there may also be other on-ramps to your WAN that you should consider. The first step in this optimization is to see if you have one or more sites with the same ISP used by the Internet cloud provider. In nearly all cases, this will offer you the best Internet performance. Where you don’t share a provider, you can test the quality of the Internet path to the cloud from each of your candidate gateway sites using common tools like ping or traceroute. You’re looking for the path with the lowest delay and fewest hops; that will normally perform best and be the most reliable. You’ll also need to consider the cost of providing any additional capacity between the selected site and your enterprise WAN; the cloud connection is likely to increase traffic to the gateway location.
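The gateway-site comparison described above, as an added example that is not part of the original article: it parses ping and traceroute output collected from each candidate site and ranks the sites by packet loss, then average delay, then hop count (loss is added here as a first-order criterion beyond the article's delay-and-hops rule). The site names, the cloud hostname and all measurements are constructed for illustration.

```python
import re
# Constructed sample output (not real measurements) from two hypothetical
# candidate gateway sites, each pinging and tracerouting the cloud endpoint.
SAMPLES = {
    "hq-datacenter": (
        "--- cloud.example.net ping statistics ---\n"
        "20 packets transmitted, 20 received, 0% packet loss, time 19028ms\n"
        "rtt min/avg/max/mdev = 41.2/44.7/52.9/2.8 ms\n",
        "traceroute to cloud.example.net (203.0.113.10), 30 hops max\n"
        " 1  gw-hq (10.0.0.1)  0.4 ms\n"
        " 2  isp-a-edge (198.51.100.1)  3.1 ms\n"
        " 3  * * *\n"
        " 4  peer-b (192.0.2.5)  31.0 ms\n"
        " 5  cloud.example.net (203.0.113.10)  44.5 ms\n",
    ),
    "branch-west": (
        "--- cloud.example.net ping statistics ---\n"
        "20 packets transmitted, 19 received, 5% packet loss, time 19031ms\n"
        "rtt min/avg/max/mdev = 18.0/21.3/29.4/3.1 ms\n",
        "traceroute to cloud.example.net (203.0.113.10), 30 hops max\n"
        " 1  gw-west (10.1.0.1)  0.3 ms\n"
        " 2  isp-c (198.51.100.33)  2.0 ms\n"
        " 3  cloud.example.net (203.0.113.10)  21.1 ms\n",
    ),
}

PING_RTT = re.compile(r"rtt min/avg/max/mdev = [\d.]+/([\d.]+)/")
PING_LOSS = re.compile(r"(\d+)% packet loss")
HOP_LINE = re.compile(r"^\s*\d+\s")

def parse_ping(out):
    """Return (avg_rtt_ms, loss_pct) from a Linux ping summary block."""
    return float(PING_RTT.search(out).group(1)), int(PING_LOSS.search(out).group(1))

def parse_traceroute(out):
    """Count hops: every numbered line after the header, including '* * *' timeouts."""
    return sum(1 for line in out.splitlines()[1:] if HOP_LINE.match(line))

def rank_sites(samples):
    """Order candidate gateway sites by packet loss, then average delay, then hop count."""
    rows = []
    for site, (ping_out, tr_out) in samples.items():
        rtt, loss = parse_ping(ping_out)
        rows.append((site, rtt, loss, parse_traceroute(tr_out)))
    return sorted(rows, key=lambda r: (r[2], r[1], r[3]))

if __name__ == "__main__":
    for site, rtt, loss, hops in rank_sites(SAMPLES):
        print(f"{site:15s} avg {rtt:5.1f} ms  loss {loss}%  hops {hops}")
```

In the constructed data the shorter, faster branch path loses on packet loss, which is the kind of degradation the article warns costs nearly as much productivity as an outage.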
Remember that no matter what you do, an Internet connection to a cloud provider will never be as secure, as available and as performance-stable as your WAN is overall. A separate wide area network and cloud services guide is available on actually extending your private WAN to the cloud if Internet-class security, performance and availability aren't enough to meet your needs. Also be wary of spending too much on managing best-effort communications and cloud services. In most cases, application availability and basic problem isolation tools are all that will be justified.
For more information, see our cloud computing tutorial for WAN managers.
This was first published in June 2011