Nearly every enterprise in the world has moved at least some of its computing resources to the cloud, seeking to cut costs, improve productivity, and scale resources up and down as needed, and ultimately to accelerate time-to-market for its products and services.
For many companies, a hybrid cloud is the preferred model. It mixes on-premises infrastructure, private cloud, and third-party public cloud services, with one or more touch points between the environments. The goal is to use services and data from these different sources to build an automated, unified, and well-managed computing environment.
When companies deploy a hybrid cloud, most embrace some combination of Infrastructure-as-a-Service (IaaS) and Software-as-a-Service (SaaS). Well-known IaaS platforms include Amazon Web Services (AWS) and Microsoft Azure, while common SaaS applications include Salesforce and Office 365.
While the hybrid model can provide tremendous flexibility, the challenge of blending internal resources with external ones — without compromising accessibility, security, and quality of service (QoS) — is quite significant.
This challenge is heightened by companies' increasing reliance on SaaS for just about every conceivable business application, from office productivity and messaging to payroll processing, database management, network management, and so on.
The big question is: how can enterprise networks be optimized to support SaaS applications while meeting both security and user experience requirements? For reaching SaaS, enterprises have three options: Direct Internet Access (DIA); backhauling all traffic to centralized data centers; and regional hubs.
For the IaaS side of the hybrid cloud, they can also use a cloud routing platform to extend the key elements of their existing organizational wide area network (WAN), namely policies, QoS and security, directly into the public cloud IaaS instance.
Direct Internet Access
This is probably the most popular of the three. It provides high-speed symmetrical internet access over local broadband links at each company location and is primarily used at remote sites.
When enterprises use DIA to offload traffic destined for public cloud service providers, they can significantly reduce the load on their private WAN circuits.
The major advantage of DIA is that it gives users fast access to SaaS applications. Its typical downsides are the lack of meaningful security controls at the site and poor QoS controls.
To close the security gap, an enterprise would need to deploy a full security stack, such as firewalls, intrusion detection/prevention systems, data loss prevention, and so on, at each site, which adds operational complexity and cost.
Alternatively, enterprises can subscribe to a cloud security service. In this model, internet-bound traffic is first forwarded from the remote office customer premises equipment (CPE) to the cloud security platform, such as Zscaler, for security policy enforcement before it reaches the SaaS provider.
Backhauling
Backhauling all traffic through one or more corporate data centers is the least efficient way to reach cloud applications.
Backhauling was widely adopted years ago, when the vast majority of corporate traffic was intra-company data flowing between branch offices and the data centers. While backhauling still works well for that traffic, it does not deliver the performance required for a good cloud application experience.
With this approach, user traffic destined for cloud applications is backhauled from remote sites over private point-to-point or MPLS circuits, VPN over the public internet, or a hybrid WAN to the corporate data centers, where security policy is enforced before the traffic is forwarded to the internet.
The major advantage of backhauling cloud application traffic is consolidation of the security infrastructure in the corporate data centers alone. This creates far fewer administrative touch points and often results in lower overall costs. The most significant downside, as noted above, is the sub-optimal path between remote site users and cloud applications on the internet, which often degrades the user experience.
Cloud providers have worked hard to improve application performance through various methods, notably global DNS, geographically distributed data centers, direct peering, and so on. Unfortunately, the rigid architecture of traffic backhaul tends to nullify these benefits: traffic from a branch in one region may be hauled to a data center in another before it is released to a cloud provider that has a point of presence close to the branch.
Regional Hubs
Regional hubs combine the best of both worlds and provide the performance and flexibility needed to support the cloud-aware enterprise. The architecture is based on deploying robust security controls at regional hub locations and selecting SLA-compliant path(s) across the hybrid WAN between remote sites and those hubs.
Typically, regional hubs are located in relative proximity to the end user population, e.g. the same metro area, region, country, or even continent. The hubs are often set up at carrier-neutral facilities, such as Equinix, to connect directly with cloud application providers and peer with regional and global carriers.
The major advantage of this approach is that it strikes a strong balance between security, quality of experience, and cost. Regional hubs host the security policy enforcement elements, such as firewalls, intrusion detection/prevention systems, and data loss prevention. This eliminates the need to deploy security infrastructure at each remote site and in the corporate data centers.
It also decreases the number of administrative touch points and typically lowers costs compared to the DIA approach. At the same time, regionally distributed internet access points provide shorter and usually better-performing paths to cloud applications compared to backhauling.
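The decision logic described above for DIA, backhaul and regional hubs, written out as an added example (not code from the original article or any vendor product): a remote site may send a flow out over DIA only when the destination is a sanctioned SaaS application and a cloud security service fronts that path; everything else must egress through a regional hub, where the security stack lives. Among the WAN paths to that egress, only those meeting the application class SLA are kept, the cheapest compliant path wins, and if no hub path is compliant the flow falls back to an inspected backhaul path rather than an uninspected one. The path names, SLA thresholds, probe measurements and SaaS domains are all constructed for the example.

```python
"""Egress policy and SLA-compliant path selection for a remote site (added example).

All names, thresholds and measurements below are constructed for illustration;
they are not taken from the article or from any real deployment.
"""
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Sla:
    """Per-application-class thresholds, as a hybrid WAN policy would express them."""
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float


@dataclass(frozen=True)
class PathProbe:
    """Latest measurements for one WAN path from the remote site to an egress point."""
    name: str
    egress: str          # "dia", "hub" or "datacenter"
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    cost_rank: int       # 0 = cheapest circuit; used to prefer broadband over MPLS


# Assumed per-class SLAs (constructed values).
SLA: Dict[str, Sla] = {
    "voice": Sla(max_latency_ms=150, max_jitter_ms=30, max_loss_pct=1.0),
    "saas": Sla(max_latency_ms=250, max_jitter_ms=50, max_loss_pct=2.0),
    "bulk": Sla(max_latency_ms=1000, max_jitter_ms=200, max_loss_pct=5.0),
}

# Assumed set of SaaS destinations the cloud security service is configured to inspect.
SANCTIONED_SAAS = {"salesforce.com", "office365.com"}


def egress_for(dest_domain: str, has_cloud_security: bool) -> str:
    """Decide where a flow may leave the remote site.

    DIA is permitted only for sanctioned SaaS destinations *and* only when a cloud
    security service enforces policy on that path (the DIA security gap the article
    describes). Everything else is sent to the regional hub for inspection.
    """
    if dest_domain in SANCTIONED_SAAS and has_cloud_security:
        return "dia"
    return "hub"


def compliant_paths(probes: Iterable[PathProbe], sla: Sla) -> List[PathProbe]:
    """Keep only paths whose current measurements satisfy every SLA threshold."""
    return [
        p for p in probes
        if p.latency_ms <= sla.max_latency_ms
        and p.jitter_ms <= sla.max_jitter_ms
        and p.loss_pct <= sla.max_loss_pct
    ]


def select_path(probes: Iterable[PathProbe], app_class: str, egress: str,
                allow_backhaul_fallback: bool = True) -> Optional[PathProbe]:
    """Pick the path for a flow of the given class toward the chosen egress.

    1. Keep only paths that terminate at the egress the policy selected.
    2. Drop paths that miss the SLA for this application class.
    3. Prefer the cheapest compliant path, then the lowest latency.
    4. If no path to the preferred egress is compliant, fall back to a compliant
       backhaul path to the data center: the traffic is still inspected, it just
       takes the longer route the article warns about.
    Returns None when no inspected path meets the SLA, so the caller can alert
    rather than silently pushing the flow out uninspected.
    """
    probes = list(probes)
    sla = SLA[app_class]
    candidates = compliant_paths([p for p in probes if p.egress == egress], sla)
    if not candidates and allow_backhaul_fallback and egress != "datacenter":
        candidates = compliant_paths([p for p in probes if p.egress == "datacenter"], sla)
    if not candidates:
        return None
    return min(candidates, key=lambda p: (p.cost_rank, p.latency_ms))


# Constructed probe results for one remote site (healthy network).
PROBES = [
    PathProbe("bb-dia", "dia", 9.0, 6.0, 0.3, 0),
    PathProbe("bb-to-hub-fra", "hub", 18.0, 4.0, 0.1, 0),
    PathProbe("mpls-to-hub-fra", "hub", 22.0, 2.0, 0.0, 1),
    PathProbe("mpls-to-dc-ams", "datacenter", 60.0, 5.0, 0.0, 1),
]
# Broadband to the hub is lossy: voice must move to MPLS toward the same hub.
PROBES_DEGRADED = [replace(p, loss_pct=3.0) if p.name == "bb-to-hub-fra" else p for p in PROBES]
# Both hub paths are congested: voice falls back to the inspected backhaul path.
PROBES_HUB_DOWN = [replace(p, latency_ms=400.0) if p.egress == "hub" else p for p in PROBES]


if __name__ == "__main__":
    for label, probes in (("healthy", PROBES), ("degraded", PROBES_DEGRADED), ("hub down", PROBES_HUB_DOWN)):
        chosen = select_path(probes, "voice", egress_for("pbx.example.internal", True))
        print(f"{label:9s} voice -> {chosen.name if chosen else 'no compliant inspected path'}")
    print("salesforce.com egress:", egress_for("salesforce.com", True))
```

The point worth noticing is step 4: when the hub paths fail the SLA, the flow is moved to a slower but still inspected path, never to raw DIA, because the fallback rule is part of the security policy rather than only a performance optimization.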
Cloud Routing
As enterprises continue to aggressively implement hybrid clouds, the need for robust connectivity between private and public compute environments becomes increasingly important.
High-speed connectivity is now a minimum requirement for enterprises. As a result, many are turning their attention to extending organizational policies, security controls, and QoS uniformly across the hybrid environment. This is where cloud routing can help.
With cloud routing, enterprises can place virtual instances of their preferred router platform in public cloud IaaS environments, close to the hosted compute resources. This provides robust connectivity, strong security, and SLA-based quality of experience.
Cloud routing platforms can also be leveraged to tie together multiple public cloud IaaS instances allowing enterprises to expand their hybrid cloud footprint even further.