‘Major rework’ can sure sound daunting, but have no fear, the path forward is easier than you may think and the benefits far outweigh the effort.
Let’s start with how enterprises typically connect to external networks by talking about the most common external network—the Internet. When enterprises connect to the Internet, they are primarily faced with South-to-North traffic flows, meaning that client traffic exits the corporate network out to the Internet and the responding traffic is recognized and allowed back into the enterprise. In this scenario, routing is very straightforward: there’s the internal network space, and there’s everything else. Security is typically deny-all with a few exceptions that can be allowed over time. Simple default routes and NAT rules will often suffice, and many enterprises have adopted firewalls for that task.
However, when looking at hybrid cloud and hybrid multi-cloud scenarios, the situation has changed. Instead of predominantly South-to-North traffic flows, hybrid clouds should expect a more equal share of North-to-South traffic. Applications in the cloud may now be initiating conversations back into the enterprise across a wide range of ports. When you involve more than one cloud and go full hybrid multi-cloud, you add more North-to-South traffic flows and now potentially East-to-West traffic flows as applications in one cloud communicate with services in another.
As you can see, the routing and security needs are more complex and drive the need to rework the network to meet them. The good news is that you, as a network architect, have probably already dealt with these kinds of traffic flows before in your very own data center! A classic tiered data center used a routing/switching core to manage traffic between different zones and external clients, as well as security and firewall services to protect each zone.
When building a hybrid and multi-cloud connectivity zone, think more of how a data center core would be designed as opposed to an Internet edge. Plan for multiple clouds (like data center zones), which will require an IP space design and the ability to route between these zones. A router or switch with enterprise routing features would be best suited for this task, and keep in mind that the routing protocol of cloud providers is predominantly BGP. Consider firewall placement to inspect and secure traffic, much like you would between zones in an internal data center.
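As an added illustration (not code from the original post), the following Python sketch models the connectivity zone the way this paragraph describes it: each cloud is a zone with its own address space, the address plan is checked for overlaps before routing between zones, flows are labelled by direction, and inter-zone traffic is deny-all with explicit exceptions. The zone names, prefixes and allow rules are constructed assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed address plan: one zone per cloud plus the enterprise (assumed values).
ZONES: Dict[str, List[str]] = {
    "enterprise": ["10.0.0.0/8"],
    "cloud-a": ["172.16.0.0/12"],
    "cloud-b": ["192.168.0.0/16"],
}

# Explicit inter-zone allows (src_zone, dst_zone, proto, dst_port); all else is denied.
ALLOW_RULES: List[Tuple[str, str, str, int]] = [
    ("enterprise", "cloud-a", "tcp", 443),   # South-to-North: on-prem client to cloud app
    ("cloud-a", "enterprise", "tcp", 5432),  # North-to-South: cloud app back to on-prem DB
    ("cloud-a", "cloud-b", "tcp", 443),      # East-to-West: service in one cloud calling another
]

def check_ip_plan(zones: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return zone pairs whose prefixes overlap; routing between zones needs an empty list."""
    nets = [(z, ipaddress.ip_network(p)) for z, ps in zones.items() for p in ps]
    return [(z1, z2) for i, (z1, n1) in enumerate(nets)
            for z2, n2 in nets[i + 1:] if z1 != z2 and n1.overlaps(n2)]

def zone_of(ip: str, zones: Dict[str, List[str]] = ZONES) -> str:
    """Map an address to its zone, or 'external' (Internet) if no zone contains it."""
    addr = ipaddress.ip_address(ip)
    for zone, prefixes in zones.items():
        if any(addr in ipaddress.ip_network(p) for p in prefixes):
            return zone
    return "external"

def classify_flow(src_ip: str, dst_ip: str, zones=ZONES) -> str:
    """Label a flow by direction relative to the enterprise network."""
    s, d = zone_of(src_ip, zones), zone_of(dst_ip, zones)
    if s == d:
        return "intra-zone"
    if s == "enterprise":
        return "south-to-north"   # enterprise client out to a cloud or the Internet
    if d == "enterprise":
        return "north-to-south"   # cloud app (or returning traffic) into the enterprise
    return "east-to-west"         # cloud-to-cloud (or cloud-to-Internet) traffic

def is_allowed(src_ip: str, dst_ip: str, proto: str, port: int,
               zones=ZONES, rules=ALLOW_RULES) -> bool:
    """Core firewall decision: intra-zone passes, inter-zone only on an explicit allow."""
    s, d = zone_of(src_ip, zones), zone_of(dst_ip, zones)
    return s == d or (s, d, proto, port) in rules
```

Adding a fourth cloud then means adding a zone prefix, re-running the overlap check, and writing only the rules that zone actually needs.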
With the right equipment and the right approach to designing your hybrid/multi-cloud connectivity node, it is now much easier, quicker, less expensive, and more secure to onboard the next cloud request from your business. As your team becomes more familiar with the process of adding a new secured cloud connection, you may begin to explore how SDN, VNFs, and automation can accelerate your deployments and respond to business needs even more.
I’ve worked with companies that took this approach to interconnection right out of the gate and found that the learning curve was not as steep as they would have expected. I’ve also seen companies go at a slower pace and start with a secure cloud connection that looked more like the Internet edge design to get started; as time went on, they added more routing functionality to the design and worked up to the more capable design. Every business has its own pace in getting there.
Very thorough paulmason -- appreciate it.