Warning: Beware of Traditional Networking Tools for Cloud Networking
As you expand your public cloud presence, your cloud networking challenges increase exponentially. Unfortunately, relying on traditional networking technologies such as virtual routers (vRouters) as you scale into the cloud is not the wisest — or the safest — approach. In fact, enterprise and cloud teams choosing vRouters, or other virtualized versions of traditional networking equipment, might find that their decision puts their entire enterprise cloud operations at risk.
That’s because networking in the cloud is fundamentally different from on-premises datacenter networking. The cloud is all about agility, flexibility and speed, while networking within a private datacenter environment is the opposite of agile: It’s linear, solid and static. In AWS, as enterprises add more and more virtual private clouds (VPCs), often scattered across geographically dispersed regions, they are increasingly moving to a global transit architecture as an Amazon Web Services (AWS)-sanctioned approach.
It takes a few minutes to provision compute and storage in a VPC, but networking from an on-premises network to that same VPC might take weeks or even months. The on-premises IT networking experts must process tickets internally and build required routes to VPCs. This methodology is how IT networking has always managed change control—yet it’s very foreign to cloud engineers with completely different timing expectations. In the hybrid cloud, virtualized traditional networking becomes the choke point that delays cloud projects and risks their failure, while making the cloud team look bad.
Essentially, there’s an impedance mismatch between a) the agility of cloud compute and storage and b) the lack of cloud networking agility that is built when using traditional networking technologies.
Choosing the Right Tools
IT networking experts that run on-premises datacenters tend to be highly skilled, highly certified specialists comfortable with the protocols, processes and hardware required for establishing secure, reliable datacenter network connections. They live and breathe things like command-line interfaces (CLIs), Border Gateway Protocol (BGP) and router summarizations.
When approaching the public cloud, most IT networking experts take their on-prem networking architecture, tools, and processes and try to map them directly onto the cloud. But applying a “datacenter networking” mindset only overcomplicates the cloud.
Conversely, cloud operations and DevOps experts focus on optimizing and automating operations at the application and services levels. Moving at cloud speeds, they are accustomed to treating infrastructure as code—but they have trouble applying that concept to cloud networking. They rarely have either the deep networking skills or the patience for mastering the complex, hardware-centric, and mostly manual security policies and CLI-based routing configurations needed for traditional networking technologies.
Cloud and DevOps teams would like to automate networking processes just like they now automate cloud compute and storage, but the use of vRouters—essentially virtualized instances of on-premises routers—precludes the real networking automation that cloud teams expect.
The fundamental mismatch between IT networking and cloud teams cannot be bridged by force-fitting traditional networking technologies into cloud environments, expecting the older-generation technologies to magically function as cloud tools. Instead, a new kind of networking connectivity is required that’s built specifically for the cloud. What’s needed is software-defined networking in the cloud.
This would enable enterprise cloud teams to make the cloud connections they need nearly instantly, without having to descend into, for example, the CLIs or BGP of the IT networking world. BGP is complicated and requires deeply knowledgeable CCIEs to implement and troubleshoot potentially hundreds of BGP sessions in AWS.
Modern, software-defined cloud networking offerings allow the best of both worlds: compatibility with existing BGP implementations on-premises, but simplified via software-defined routing in the cloud. By publishing BGP routes to the required VPCs automatically, purpose-built cloud networking solutions enable cloud teams to be more self-sufficient while freeing IT networking teams to focus on their on-premises datacenter networks.
What Purpose-Built Cloud Connectivity Looks Like
All of this entails a redefinition of what ‘networking’ should be in the public cloud. In addition to traditional routing capabilities, effective cloud networking must also include automation of underlying functionality—such as native peering, VPC creation, and connectivity with on-prem networks—plus easy and real-time visibility for optimization and troubleshooting of cloud operations.
Such cloud-generation networking would treat networking as code, using APIs native to each public cloud platform to automate and simplify the process of making connections to, within and among various clouds. Eventually, “networking as code” will enable networking functionality to become part of the DevOps stack, available via automation and orchestrated in the same way as other DevOps tools.
Characteristics of purpose-built cloud networking include:
- A software-defined, software-only connectivity solution able to automate complex networking coding and processes, so that networking doesn’t require a network engineering veteran
- No changes needed to edge routing or security policies
- End-to-end encrypted management, monitoring, and troubleshooting, as well as end-to-end encrypted peering across VPCs in different regions, in different public clouds, and across various enterprise sites
- Full integration with AWS, Microsoft Azure, and Google Cloud Platform public clouds, along with other modern cloud tools
- Seamless interoperability between resources launched in the public cloud and on-premises resources
- Centralized, easy-to-manage visibility into, control over, and troubleshooting for all cloud-based resources, including those in on-prem private clouds—with comprehensive capabilities that include user tracking, logging and multi-account billing breakdown
- Micro-segmentation of the enterprise cloud network into multiple VPCs, with the ability to apply security and other policies to all applications across the cloud network, regardless of users’ locations or the devices they use
A cloud networking solution should embody cloud agility, provide flexible connectivity, enable radical simplicity, and be recognized by any DevOps, CloudOps, or cloud architecture expert as being of the cloud world.
The Low-Risk Bet
We’re often conditioned to think the safest approach is the incremental one that steps slightly ahead of the familiar and time-tested. For cloud networking, however, these instincts and conditioning do not serve us well.
Sticking with the leading legacy networking vendors is actually rather risky. Just as even the best designed, best-functioning automobile can’t be tweaked to become an airplane, traditional networks can’t be coaxed into working in our increasingly complex cloud environments.
Steven Mih is CEO of Aviatrix Systems.