In the first part of this series about enterprise cloud services, we discussed the initial steps to building a private cloud network. In part two, we explore integrating public and private cloud services.
Even if you’ve decided to build a private cloud, you may still benefit from using public cloud services for certain applications or storage. If that’s the case, you will need to take measures to integrate public and private cloud resources and educate users about security issues.
What’s clear is that you can’t afford to ignore public cloud applications because employees will use them under the radar. Public cloud providers depend on the same disruptive approach that has been used in enterprise technology again and again: Novell departmental file servers augmented mainframe applications; Windows file sharing replaced Novell as the file serving platform; and even many Ethernet LANs were started as ad-hoc solutions to departmental problems. The lessons of all these scenarios: adopt, embrace and leverage change instead of fighting it.
Cloud services are no different. Even where enterprises fight public cloud services, marketing departments, for example, use Google Docs unofficially to coordinate and with PR agencies, and developers quickly adopt Amazon Elastic Compute Cloud (EC2) services if they find out IT is unwilling to install the software and libraries they need.
When public cloud services make sense: Unpredictable loads, storage
While it’s more cost effective to house large-scale, mission-critical applications on a private cloud, using public cloud services for small-scale tactical projects makes perfect sense, assuming you understand the risks and properly educate your users.
Amazon EC2 is two or three times more expensive than dedicated infrastructure if you need multiple high-end continuously operating servers. On the other hand, Amazon EC2 is an ideal solution for unpredictable loads. If the demand exceeds your expectations, you simply start more virtual machines and deploy global load balancing. This is called elastic load balancing in Amazon’s terms.
You can also use storage cloud services to reduce your Internet traffic: Amazon S3 and CloudFront can be used to implement a global content delivery network (CDN) and offload large downloads and media-heavy web pages.
Last but not least, numerous startups (including Nirvanix, which is resold by Verizon and Swisscom) offer remote file repository and backup solutions, allowing users in a global organization to share large non-sensitive files without overloading enterprise WAN links.
Unifying public and private cloud services
If you’re considering cloud-based computing and storage services it’s important to choose a public cloud that uses the same operating systems and application stacks that you use in your internal environment. Otherwise you won’t be able to offload the extra workloads to the cloud computing facilities or migrate the applications developed in a cloud platform into your internal data center once they become mission-critical.
In some cases, you’ll find out that it’s hard to replicate your internal application stack or development environment within a cloud offering like Amazon EC2 due to numerous and often under-documented dependencies. For example, it’s almost impossible to deploy Outlook Web Access in a firewalled environment because the list of connectivity requirements is unknown.
This should be a red flag that it’s time to rethink and simplify your application architecture. Instead of numerous layers of web services and a convoluted mesh of remote procedure calls, it might be possible to implement the same functionality with just the traditional three layers of web, application and database servers. Don’t forget that most very large web portals run on simple architectures, using a farm of web servers with a scripting language as the front-end and a large-scale database as the back-end.
If you offload small public-facing projects, you need little internetworking between the private and public cloud environments. For example, if you deploy a test web site on AWS, you can just do it over the Internet. However, if you want to move parts of your core applications to the public cloud, you definitely need a VPN to the cloud provider, tight security on their end and lots of bandwidth.
Once you can move applications into the public cloud, it would eventually be ideal to have a management console that could jointly manage interconnected private and public cloud resources. While there are many companies that promise federated cloud management software it’s hard to say whether any of these solutions are solid.
Automated provisioning between the two sets of resources is also something worth working toward. Currently, automated provisioning of disk space and applications is possible in both public and private clouds, and there is software that links the two, but again reliability has not necessarily been tested.
Public cloud security: educating users
Once you’ve decided not to ignore public cloud use, it’s important to educate users about public cloud security issues and how to use these services in the safest ways possible.
For example, end-users should not share highly confidential documents and should make regular local copies of their work. In fact, you could automate that back up for them. Also, users should not store confidential data such as credit card information in the public cloud. Finally, developers should not test applications containing highly-sensitive code on cloud-based servers.
About the author: Ivan Pepelnjak, CCIE No. 1354, is a 25-year veteran of the networking industry. He has more than 10 years of experience in designing, installing, troubleshooting and operating large service provider and enterprise WAN and LAN networks and is currently chief technology advisor at NIL Data Communications, focusing on advanced IP-based networks and Web technologies. His books include MPLS and VPN Architectures and EIGRP Network Design. Check out his IOS Hints blog.
This was first published in December 2010