By Saad Mirza and Shahzad Ali
Have you been tasked with improving legacy network designs? Does your company use a cloud service provider (CSP) underlay network to build its cloud network backbone?
If this sounds familiar, our new Aviatrix Certified Engineer (ACE) Program course – Cloud Backbone and Hybrid Connectivity – may be for you.
Network admins, engineers, architects, and technology leaders are increasingly looking for a clear path to gradually modernize legacy, MPLS-centric or SD-WAN-style on-premises data center and branch designs. In practice this means using the CSP underlay network to build the enterprise cloud network.
Here we’ll explore some of the biggest challenges organizations encounter as they work to build their enterprise cloud network – material that we tackle hands-on in the ACE Cloud Backbone and Hybrid Connectivity training.
What is an Enterprise Cloud Network?
An enterprise cloud network is a modern, programmable network that provides a cloud backbone and cloud-delivered hybrid connectivity. It offers the features, functions, and operational framework needed to run essential business applications in a public cloud environment. It is a cloud-defined private network infrastructure built on the shared public cloud footprint: agile, programmable, aligned with cloud operating model principles, and consumable as-a-service.
Cloud Network Reference Design
Unlike SaaS-type networking solutions, a true enterprise cloud network lets organizations own their network's governance, control plane, management plane, and data plane. It provides a more elegant and agile operating model for controlling an enterprise's cloud, multicloud, and hybrid-cloud network (on-prem DCs, colocation facilities, branches, partners, etc.).
What is the Cloud Network Backbone?
At the core of the enterprise cloud network is the cloud network backbone. A cloud network backbone provides a resilient, secure, high-performance connectivity model that lets enterprises seamlessly connect multiple cloud regions to critical resources across native cloud networks (VPC/VNet/VCN), on-prem resources, partners, B2B connections, and users. The cloud network backbone is the core layer of your cloud network, providing visibility, telemetry, and policy enforcement for consolidated, consistent networking and security.
Challenges in Building the Cloud Network Backbone
Enterprises struggle to design, deploy, and operate a modern, scalable, agile cloud network infrastructure. This is true both of early cloud adopters and of enterprises starting their network modernization journey today. The following section discusses the main challenges enterprises report, which contribute to inefficiencies and gaps that adversely impact the business.
In many large organizations, technical teams remain isolated in separate units. Cloud teams often own all aspects of cloud infrastructure, including applications and the associated in-cloud networking. The network team is treated as an advisor for in-cloud networking and owns only the cloud on-ramp (the connectivity from on-prem to cloud). As a result, the native CSP connectivity construct (such as AWS Transit Gateway, Azure Virtual WAN or Azure Firewall, GCP NCC, etc.) becomes a shared entity: the networking team connects the on-prem network to it, but it is still owned by the cloud team.
This scenario poses several challenges:
- No team has a complete view of the networking landscape. The cloud team knows its side and the VPC/VNet/VCN estate; the network team knows only the on-prem side, with limited visibility into the native cloud connectivity constructs.
- CSP connectivity constructs offer minimal traffic engineering and route scale, making it difficult for networking teams to offer redundant and high-performance secure connectivity.
- The network team must rely on on-prem telemetry and diagnostics, which significantly increases mean time to repair (MTTR).
- Many cross-functional team resources must be involved during change windows and incident calls. This unnecessary cross-functional team dependency increases cost and complexity.
- Multicloud poses still more challenges as teams struggle with the complexity of managing different native transits that are essentially black boxes.
Let’s discuss technical challenges you would encounter with legacy approaches to building cloud networks.
- Increased Cost and Latency: Cloud networks built using only native constructs end up as sub-optimal designs. They increase cost and complexity and result in disjointed security, added latency, and poor visibility.
- No Single-Pane Network View: Cloud-native network services are built and offered in a highly granular, piecemeal fashion. Each sub-component must be individually configured and managed, and each has its own console and troubleshooting dashboard, accessible only to the account owners. In most cases this means more than a dozen consoles open just to deploy, manage, and operate the cloud network, and no individual ends up with a comprehensive view of it.
- Route Scale and Control Limitations: CSP-native routing constructs provide limited scale and control. Each CSP also imposes different limits and features, making a consistent multicloud design very hard to achieve. Enterprises must architect their routing designs carefully, often ending up with an over-engineered solution.
- Firewall Service Insertion Complexities: Inserting firewall services in the cloud is complex. It requires carefully carved networks and extensive route manipulation to steer traffic to the firewall. Many organizations run firewall services both in the cloud and on-prem, which increases cost and latency and keeps the cloud dependent on the on-prem estate. This undermines the enterprise's cloud-based network modernization efforts.
- Siloed SD-WAN/SASE Connectivity: Connecting SD-WAN/SASE to the cloud is also typically done in a way that creates more silos. The problem is aggravated when disparate on-prem devices with varying technologies connect to cloud resources; the inconsistent behavior of these devices creates operational challenges and consumes FTE resources unnecessarily.
- Slow Onboarding: Overlapping IP space and segmentation (VRF) support are common requirements during M&A, partner onboarding, and B2B connections to the backbone. Cloud-native features and tools do not simplify or support these requirements as enterprises expect, so projects are often delayed by the complexity of implementing such solutions.
- Inefficient Internet Breakout: Internet breakouts using on-prem DMZ, firewalls, or MPLS breakout solutions are rigid, expensive, and add additional latency. This is challenging when the cloud applications need internet connectivity or connectivity to SaaS services.
- Inconsistent Automation: In the absence of a common management and control plane, enterprises are forced to use different automation frameworks and languages to deliver network-as-a-service in a programmable fashion.
- Broken Segmentation and Limited Encryption: Segmentation is hard to enforce consistently across CSPs, and because native encryption constructs (such as per-tunnel IPsec VPN throughput caps) limit performance, these sub-optimal networks are often built without end-to-end encryption. That increases security risk and leaves inter-region and inter-cloud traffic exposed to interception and tampering (man-in-the-middle attacks).
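The overlapping-IP problem from the onboarding item above is one a practitioner can check for before a new site is attached to the backbone. The following is an added example and not code from the Aviatrix post or the ACE course: it takes a constructed inventory of the prefixes each site advertises, reports every overlap between different sites, lists the sites that will need NAT, and picks a free translation block from a pool (the pool and the inventory are assumptions for illustration; 100.64.0.0/10 is used here simply because it is common practice to draw NAT ranges from shared address space).

```python
"""Pre-onboarding address-space check for a cloud backbone.

Added example, not from the original post. The inventory below is
constructed: site name -> list of IPv4 CIDRs that site advertises.
"""
from ipaddress import ip_network
from itertools import combinations

# Constructed inventory. "acquired-co" reuses 10.10.0.0/16, a classic M&A
# collision, and the partner's /24 sits inside the DC's 192.168.0.0/16.
INVENTORY = {
    "prod-vpc-us-east-1": ["10.10.0.0/16"],
    "prod-vnet-eastus": ["10.20.0.0/16"],
    "onprem-dc1": ["10.100.0.0/16", "192.168.0.0/16"],
    "acquired-co": ["10.10.0.0/16", "172.16.0.0/12"],
    "partner-b2b": ["192.168.50.0/24"],
}


def parse_inventory(inventory):
    """Parse every CIDR strictly, so a prefix with host bits set (for
    example 10.10.1.0/16) is rejected instead of silently widened."""
    return {
        site: [ip_network(cidr, strict=True) for cidr in cidrs]
        for site, cidrs in inventory.items()
    }


def find_overlaps(inventory):
    """Return (site_a, cidr_a, site_b, cidr_b) for every pair of prefixes
    from *different* sites that overlap, in sorted site order."""
    parsed = parse_inventory(inventory)
    hits = []
    for (site_a, nets_a), (site_b, nets_b) in combinations(sorted(parsed.items()), 2):
        for net_a in nets_a:
            for net_b in nets_b:
                # overlaps() covers identical, containing and contained prefixes.
                if net_a.overlaps(net_b):
                    hits.append((site_a, str(net_a), site_b, str(net_b)))
    return hits


def sites_needing_nat(inventory):
    """Sites that cannot be attached natively because at least one of their
    prefixes collides with another site's prefix."""
    return sorted({site for hit in find_overlaps(inventory) for site in (hit[0], hit[2])})


def first_free_block(inventory, pool="100.64.0.0/10", prefixlen=16):
    """Pick the first /prefixlen inside the (assumed) NAT pool that overlaps
    nothing already in the inventory; returns None if the pool is exhausted."""
    used = [net for nets in parse_inventory(inventory).values() for net in nets]
    for candidate in ip_network(pool).subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(net) for net in used):
            return str(candidate)
    return None


if __name__ == "__main__":
    for site_a, cidr_a, site_b, cidr_b in find_overlaps(INVENTORY):
        print(f"OVERLAP {site_a} {cidr_a} <-> {site_b} {cidr_b}")
    print("sites needing NAT:", sites_needing_nat(INVENTORY))
    print("first free NAT block:", first_free_block(INVENTORY))
```

Run it against the real inventory (VPC/VNet/VCN CIDRs exported from each account plus the prefixes learned from on-prem and partners) before every onboarding change window; an empty overlap list is the condition for attaching a site without NAT.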
So, What is the Solution?
The solution is a cloud-first approach. Instead of forcing the on-prem operating model into the cloud, it extends the cloud operating model to on-prem locations.
On the technical side, this approach provides the features and functionality practitioners need to support the infrastructure. On the organizational side, it reduces the multi-team dependency on change controls and incident response. Organizations can act efficiently and optimize their resources with clear lines of demarcation in roles and ownership.
Introducing a New Specialty Training
Aviatrix has created a new specialty training in our ACE Program to dive more deeply into this topic and its solutions. The ACE Cloud Backbone and Hybrid Connectivity course walks through a typical existing design that many enterprises have adopted to provide region-to-region or cloud-to-cloud connectivity. It then lays out a phased journey enterprises can follow to enhance that design without disrupting applications or their connectivity to existing cloud-native services such as AWS TGW/Cloud WAN, Azure vWAN, or GCP NCC.