Many enterprises have moved some, if not all, of their data center resources to Amazon Web Services (AWS), while countless others are considering a move. The benefits of doing so are very appealing. AWS offers a vast suite of cloud-computing services that provide large, scalable computing capacity more quickly and affordably than an enterprise can build it itself.
AWS spans nearly 100 services including analytics, compute, database, mobile, networking, and storage.
Enterprises are choosing AWS for one or more of the following reasons.
- They want to eliminate on-premises data centers or to decrease their IT footprint. Data centers require extensive infrastructure and specialized well-paid staff.
- They want to establish a hybrid cloud to keep their data centers and to augment connectivity or resources by renting public cloud services in order to scale up or down as needed.
- They want to leverage the global presence of a cloud platform located in all major world geographies.
However, moving to AWS presents a number of challenges.
1. Maintaining User Experience
Typically, when data centers connect to AWS they do so through encrypted IP tunnels built on IPSec. Secure, yes. Efficient, not so much. IPSec tunnels are typically provisioned from centralized data centers, which increases application latency and boosts the demand for data center network bandwidth.
Application latency rises because an enterprise has to backhaul network traffic: traffic from remote locations typically crosses the wide area network to a centralized data center and only then enters an IPSec tunnel to reach AWS-hosted resources. At the same time, data centers must also increase network bandwidth in order to accommodate this additional backhauled traffic.
Both higher latency and insufficient bandwidth can adversely impact application performance.
When enterprises move resources to AWS, they must maintain the experience users have come to expect from data center-based applications.
2. Achieving Resiliency
In addition, enterprises must pay special attention to maintaining resiliency and service availability for applications and workloads hosted in AWS.
AWS provides two methods for achieving resilient connectivity into customer virtual private clouds (VPCs). One is active/standby secure IPSec tunnels terminating on two redundant AWS virtual private gateways (VGW). The other is a combination of a secure IPSec tunnel into VGW with an AWS Direct Connect service that builds a private circuit from the enterprise network into AWS VPC.
Leveraging IPSec tunnels is convenient; however, the active/standby nature of such connectivity and its failover times may not be adequate for all enterprises. It also makes it challenging to efficiently utilize all available bandwidth, since the standby tunnel carries no traffic until the active one fails.
The combination of IPSec tunnels and AWS Direct Connect offers active connectivity and full bandwidth utilization. However, it complicates routing of traffic across both paths.
3. Implementing Network Segmentation
Implementing security, including network segmentation, should be a primary concern when moving resources to AWS.
Regardless of the kind of network segmentation mechanism being used in a data center — VLANs, VRFs, VXLAN or all of them — extending it to AWS is not easily accomplished.
For most enterprises, segmentation is not optional, especially in industries governed by regulatory mandates to segregate sensitive information, such as confidential data, financial transactions, and patient healthcare data, from other types of traffic. Migrating applications and data to AWS makes it difficult to maintain that segmentation consistently from private on-premises data centers into the cloud.
4. Centralized Monitoring and Operations
A large majority of enterprises rely on monitoring tools to manage availability and performance of their data center elements, such as applications, workloads, networks, storage, etc.
While some of these monitoring tools may still be used for keeping tabs on resources in AWS, this approach often results in fragmented visibility between on-premises data centers and AWS environments. Meanwhile, monitoring tools and mechanisms available in AWS do not extend into enterprise environments and wide area networks.
The disparity between on-premises tools, AWS tools, and their respective operating procedures makes single-pane-of-glass monitoring virtually impossible.
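The resiliency concern in section 2 (an active/standby tunnel pair to a virtual private gateway silently becoming a single point of failure) and the monitoring gap in section 4 meet in one practical check: reading AWS-side tunnel telemetry and flagging connections that have lost redundancy. The script below is an added example and is not code from the original article or from AWS; it evaluates a dictionary shaped like the response of the EC2 `describe_vpn_connections` API (the `VgwTelemetry`, `Status`, `OutsideIpAddress`, `AcceptedRouteCount` and `StatusMessage` fields are real API fields), but the sample response it runs against is constructed, and in a real deployment the caller would obtain the response from `boto3`. The `AcceptedRouteCount` warning is a secondary signal and is an assumption of this example: a tunnel that is UP but has accepted no routes is treated as worth a warning rather than as down.

```python
"""Flag AWS site-to-site VPN connections that have lost tunnel redundancy.

Added example; not part of the original article. Works on a dict shaped like
the EC2 describe_vpn_connections() response. The sample below is constructed.
"""

from dataclasses import dataclass

# Constructed sample in the shape of ec2.describe_vpn_connections()["VpnConnections"].
# Addresses are from the documentation range 203.0.113.0/24 and carry no meaning.
SAMPLE_RESPONSE = {
    "VpnConnections": [
        {   # one tunnel of the pair is down: redundancy lost
            "VpnConnectionId": "vpn-0aaa111",
            "State": "available",
            "VgwTelemetry": [
                {"OutsideIpAddress": "203.0.113.10", "Status": "UP",
                 "AcceptedRouteCount": 5, "StatusMessage": ""},
                {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN",
                 "AcceptedRouteCount": 0, "StatusMessage": "IPSEC IS DOWN"},
            ],
        },
        {   # both tunnels up, but the second has accepted no routes
            "VpnConnectionId": "vpn-0bbb222",
            "State": "available",
            "VgwTelemetry": [
                {"OutsideIpAddress": "203.0.113.20", "Status": "UP",
                 "AcceptedRouteCount": 5, "StatusMessage": ""},
                {"OutsideIpAddress": "203.0.113.21", "Status": "UP",
                 "AcceptedRouteCount": 0, "StatusMessage": ""},
            ],
        },
        {   # both tunnels down: the site is cut off from the VPC
            "VpnConnectionId": "vpn-0ccc333",
            "State": "available",
            "VgwTelemetry": [
                {"OutsideIpAddress": "203.0.113.30", "Status": "DOWN",
                 "AcceptedRouteCount": 0, "StatusMessage": "IPSEC IS DOWN"},
                {"OutsideIpAddress": "203.0.113.31", "Status": "DOWN",
                 "AcceptedRouteCount": 0, "StatusMessage": "IPSEC IS DOWN"},
            ],
        },
    ]
}


@dataclass
class TunnelReport:
    vpn_id: str
    tunnels_up: int
    tunnels_total: int
    severity: str        # "ok", "degraded" (no redundancy left) or "outage"
    warnings: tuple      # human-readable findings, one per affected tunnel


def assess_connection(conn: dict) -> TunnelReport:
    """Classify one VPN connection from its VgwTelemetry entries."""
    telemetry = conn.get("VgwTelemetry", [])
    up = [t for t in telemetry if t.get("Status") == "UP"]
    warnings = []
    for t in telemetry:
        addr = t.get("OutsideIpAddress", "?")
        if t.get("Status") != "UP":
            msg = t.get("StatusMessage") or "no status message"
            warnings.append(f"tunnel {addr} is down: {msg}")
        elif t.get("AcceptedRouteCount", 0) == 0:
            # Assumption of this example: an UP tunnel carrying no routes is
            # not a usable failover path, so it is reported but not counted down.
            warnings.append(f"tunnel {addr} is up but has accepted no routes")
    if not up:
        severity = "outage"
    elif len(up) < 2:          # AWS provisions two tunnels; fewer than two up
        severity = "degraded"  # means a single point of failure remains
    else:
        severity = "ok"
    return TunnelReport(conn.get("VpnConnectionId", "?"), len(up),
                        len(telemetry), severity, tuple(warnings))


def summarize(response: dict) -> dict:
    """Map every VpnConnectionId in the response to its TunnelReport."""
    return {r.vpn_id: r for r in
            (assess_connection(c) for c in response.get("VpnConnections", []))}


def needs_attention(response: dict) -> list:
    """Sorted ids of connections that are not fully redundant."""
    return sorted(v for v, r in summarize(response).items() if r.severity != "ok")


if __name__ == "__main__":
    for r in summarize(SAMPLE_RESPONSE).values():
        print(f"{r.vpn_id}: {r.severity} ({r.tunnels_up}/{r.tunnels_total} tunnels up)")
        for w in r.warnings:
            print(f"  - {w}")
```

Run on a schedule from the same monitoring system that watches the on-premises side, the "degraded" state is the one worth alerting on early: the connection still passes traffic, so users notice nothing, but the next tunnel failure is an outage.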
To address these and other challenges, enterprises should consider alternatives for integrating AWS cloud data centers into the rest of their environment. This includes paying particular attention to the integration of AWS connectivity into the enterprise wide area network in a robust, secure, and feature-rich manner.
This can be accomplished using legacy technologies, but doing so introduces significant operational complexity. As an alternative, organizations can consider adopting newer technologies, such as software-defined wide area networking (SD-WAN), that offer ready-made solutions to these cloud migration challenges.