Cloud-based WAN provider Pertino, whose Cloud Network Engine debuted last fall, is now claiming its service eliminates the need to use site-to-site VPNs to extend a virtual private cloud across a WAN. The new use case demonstrates that the SMB-focused provider may appeal to larger companies that struggle with the complexity of establishing VPN tunnels with providers like Amazon Web Services and Microsoft Azure.
"Normally when you want to create a private connection between two [providers' servers], the current state of the art is to deploy yet another virtual machine, which runs a Vyatta virtual router or some other virtual appliance," said Scott Hankins, CTO and co-founder of Pertino. "Suddenly you lose all the ease of use that comes with cloud computing. You're trying to configure subnets, you're address blocking, and you're figuring out routing and all your ACL policies."
Some cloud providers offer native VPN functionality as an alternative to running a virtual VPN appliance or router on a separate cloud virtual machine (VM). Amazon Web Services (AWS), for instance, offers optional VPN functionality with its Virtual Private Cloud service, but some engineers have complained that the feature is difficult to use.
Pertino's Cloud Network Engine is a global service that replaces the complexity of establishing a secure WAN with a point-and-click user interface. Customers can instantiate a WAN in Pertino's cloud, install Pertino's client software onto endpoints and authenticate them. Then end users all over the world log in to Pertino and get a virtual network with one local IP address space, regardless of their network connectivity.
Pertino's client software "manages the configuration of the network interfaces," said Hankins. "Once it authenticates with our back-end master controller -- an SDN control plane -- that control plane has global knowledge of what is configured for that particular network, what IP addresses are available and what subnet is supposed to be attached to it. It communicates that information securely with the new machines and creates a secure SSL connection."
Until now, most of Pertino's customers have used the service as an alternative to supporting remote connectivity for end users with VPNs. But some Pertino customers have found that the cloud-based WAN service vastly simplifies the process of creating or extending a virtual private cloud across multiple cloud providers and private data centers.
Nick Antone, director of information systems for Engineering Services Network (ESN), an IT and financial services provider for government agencies, discovered the virtual private cloud use case while testing Microsoft Hyper-V's failover capabilities on various virtual hosts that his company maintains across its network. Through experimentation, he found that connecting those hosts to his Pertino network made Hyper-V failover much simpler.
"Then I thought, can I do the same thing with the cloud?" Antone said. "So I spun up a Windows VM on Azure. I put the Pertino client on the VM and bam -- suddenly this [Azure VM] is talking to all the servers on our network around the country. It all appears as one big LAN on the system."
Antone realized that he could establish a virtual private cloud across multiple providers without using site-to-site VPNs, instead establishing connections with just a few clicks in the Pertino environment.
"In Azure I have to go through a bunch of crazy stuff to do a site-to-site VPN. But it's only one-way from Azure to your site's internal network. I have six full-time offices around the country. I need that particular VM to be able to talk to another one if the main site goes down. With Azure you can't do that natively. But I can spin up a VM, put Pertino on it and it's ready to go. I was able to take an [AWS] machine that I wasn't happy with, bring the disk image down, move it over and put it on Azure and the Pertino stack moved right with it. It didn't matter where it was. I don't have to worry about what provider I'm using. I can just build my VM on whatever platform I want, whether internal or external, and the users can connect to it from wherever they are."
Enterprises are emphasizing simplicity and elasticity when building cloud networks, and site-to-site VPNs support neither of those requirements, according to Bob Laliberte, senior analyst with Enterprise Strategy Group (ESG). In a recent ESG survey on private cloud adoption, rapid elasticity and universal network access with seamless connectivity into public cloud resources were the two attributes enterprises consider most important to their private cloud deployments, Laliberte said.
With Pertino, an IT administrator can spin up VMs in any cloud provider, such as AWS and Rackspace, and connect them to the corporate network with a couple of clicks, Pertino's Hankins said.
Instead of setting up a VPN gateway or router and configuring a virtual network inside a cloud provider, IT admins can install Pertino's network client on the VM in the virtual private cloud. Pertino will prompt the admin for network user credentials and then instantiate a host-based connection into Pertino's cloud network. Within the Pertino network, the admin can set up the connections among multiple instances within and across cloud providers, corporate data centers and end users.
To further simplify the process of connecting cloud-based VMs to a network, Pertino has published Puppet and Chef scripts that automate the installation and configuration of Pertino software on a cloud VM.
"Every cloud service is different," said ESN's Antone. "Why jump through hoops on Amazon, then jump through another set of hoops in Azure and yet a third set of hoops with Digital Ocean or Google cloud? If you've ever configured a virtual network in Azure, it's not that straightforward. And once you set it up, you can't change it. You need to delete it and start over again. With Pertino, I can give users access without having to play around with any of that particular provider's firewall or routing rules. It makes it easier to use these different clouds because I only have one network interface to think about."