Click to learn more about author Pete Johnson.
The triumvirate of the Data Center world has traditionally consisted of compute, storage and networking, so naturally Cloud Computing has been based on the same. Just as we saw in the private Data Center world, networking tends to lag the other two in terms of evolution, and that makes sense given that it acts as the backbone upon which compute and storage can scale by adding more physical hardware. But public Cloud networking is becoming increasingly agile, and with that has come more security options as the space matures.
All Public IPs, All the Time to Mimicking Data Center Networking
When public Cloud providers started, it was typical that they offered a very flat networking space consisting of VMs that all had public IP addresses. This made them very easy to connect to one another but relied entirely on port level security to keep them safe.
Later, the public Cloud providers offered networking segments and made public IP addresses optional, which meant you could do things like make a load balancer and a web server accessible to the outside world while protecting databases on different segments that had only private IP addresses. Inevitably that has led to traditional networking hardware vendors offering virtual editions of many of their firewall and routing products available on public Cloud marketplaces so that the same techniques of isolating traffic learned from corporate Data Centers could be repeated in the public Cloud.
VPNs and More Sophisticated Network Protections
As many companies have discovered, though, the trick isn’t necessarily in protecting networking traffic within a public Cloud, but the traffic that runs between a traditional private Data Center and a public provider. Taking a page out of the virtual router and firewall playbook, virtualized VPN devices sitting on either end of a private-public connection encrypts traffic and can be set up on redundant channels to ensure data flows. From Layer 7, where the application components sit, resources in the private Data Center appear as if they are on the same network segment as resources in the public Cloud when network engineers set up these VPN connections creatively.
What is beginning to emerge now, though, are more sophisticated networking protections based on the equivalent of sFlow or NetFlow data being made available by the public Cloud providers. This gives network administrators the ability to see source/destination metadata, and tooling is evolving to make use of this new information to do things like detect abnormal geographic sources for login requests. For example, if your development and operations staff are all in North America and suddenly your public cloud VMs have a rash of login attempts from Russia, that likely is a signal of an attack.
The Future of Fabrics
We started out with basic port level protections. That grew to include network segments protected by firewalls and strung together with routers. Further advances connected on-premises to Cloud with VPNs. More recently, more sophisticated networking data has improved protection techniques.
The thing is, public Cloud networking still has a bright future.
As Software Defined Networking (SDN), fabric-based approaches begin to take hold in the traditional Data Center (given the reduction in administrative overhead achieved with intent-based network configurations), it is only natural that those will eventually extend into the public cloud as well. Imagine a world in which a network administrator can span a fabric over a VPN-encrypted private-public Cloud connection and use the same tools to manage both from the same pane of glass. While we’re not quite there yet, that level of sophistication is on the horizon. In the meantime, we have a variety of proven techniques available for securing all aspects of a public Cloud network.