Hybrid Cloud Architecture on AWS: Network Perspective
What is Hybrid Cloud?
“Hybrid cloud is a composition of two or more clouds (private, community or public) that remain distinct entities but are bound together, offering the benefits of multiple deployment models. Hybrid cloud can also mean the ability to connect collocation, managed and/or dedicated services with cloud resources.” — Wikipedia
That is the formal definition, and the one every search engine returns.
In practical terms, a hybrid cloud is an application that runs across a combination of platforms: part of it in an on-premises data centre (or at another cloud provider) and part of it using resources in the public cloud, or vice versa.
So which cloud provider should you pick?
The criteria for choosing a provider should be that it is easy to explore and simple to use while still being flexible. AWS provides all of these.
But before migrating your workloads to the cloud, take a step back and answer the following questions:
- Why do I need to move to the cloud?
- What is my use case? Does moving it to AWS actually help?
- Does AWS fulfil all of my requirements?
Once you have answered these, you can commit to using AWS services to their full potential and start architecting the network on AWS.
Architecting a Network
- Current Network architecture
Before moving an application, or part of one, to the cloud, start from the existing on-premises network architecture. Define a strategy for how that network will communicate with AWS services once the hybrid architecture is in place. This is mandatory, because it determines the changes the on-premises network will need for at least the next two years.
- Ways of connecting with AWS
The following options are available for connecting an on-premises network to AWS:
Site-to-Site VPN (originally called Hardware VPN): an IPsec VPN between your customer gateway device and a virtual private gateway or transit gateway in AWS. Traffic crosses the public Internet, encrypted.
Direct Connect: a dedicated private network link from your on-premises data centre (or a colocation facility) into AWS. Note that Direct Connect traffic is not encrypted by default; if confidentiality on the link is required, run a Site-to-Site VPN over it or use MACsec where the connection supports it.
3rd party solutions: a large number of third-party VPN and SD-WAN appliances are available on the AWS Marketplace and can run inside the VPC as the AWS-side endpoint of the connection.
- Creating Virtual Private Cloud (VPC) on AWS
After deciding how many VPCs you need, create a separate VPC for each environment (development, staging, production and so on). Pay attention to the CIDR block of each VPC at creation time: the primary CIDR block cannot be changed afterwards, and VPCs that later need to communicate through VPC peering must not have overlapping CIDR blocks.
The same rule applies to on-premises connectivity. When choosing the CIDR block of a VPC that will connect to the on-premises network over VPN or Direct Connect, do not pick a range that overlaps any on-premises CIDR block, because overlapping ranges cannot be routed across the link. Plan the address space for the whole period (at least a year) during which the on-premises data centre is expected to remain connected to AWS.
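As an added example (not code from the original post), here is a Python sketch of the address-planning checks described above, using only the standard library. The on-premises ranges, the existing VPC CIDRs and the candidate blocks are constructed sample values; a real plan would pull them from your IPAM records and from `aws ec2 describe-vpcs`.

```python
import ipaddress
from typing import Iterable, List, Optional

# Constructed sample address plan (not from the original post). In practice
# these come from your IPAM records and from `aws ec2 describe-vpcs`.
ON_PREM_CIDRS = ["10.0.0.0/16", "10.1.0.0/16", "192.168.0.0/24"]
EXISTING_VPC_CIDRS = {"prod": "10.2.0.0/16", "staging": "10.3.0.0/16"}
AWS_RESERVED_PER_SUBNET = 5   # AWS keeps the first four and the last address of every subnet


def vpc_cidr_is_valid(cidr: str) -> bool:
    """AWS accepts an IPv4 VPC CIDR block only between /16 and /28 (inclusive),
    and the block must be properly aligned (no host bits set)."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        return False
    return net.version == 4 and 16 <= net.prefixlen <= 28


def overlapping(cidr: str, reserved: Iterable[str]) -> List[str]:
    """Return every reserved range that overlaps the candidate block."""
    net = ipaddress.ip_network(cidr)
    return [r for r in reserved if net.overlaps(ipaddress.ip_network(r))]


def choose_vpc_cidr(candidates: Iterable[str], reserved: Iterable[str]) -> Optional[str]:
    """First candidate that is a valid VPC block and overlaps nothing already in use."""
    reserved = list(reserved)
    for cidr in candidates:
        if vpc_cidr_is_valid(cidr) and not overlapping(cidr, reserved):
            return cidr
    return None


def carve_subnets(vpc_cidr: str, new_prefix: int, count: int) -> List[str]:
    """Split the VPC block into `count` equal subnets of size /new_prefix,
    e.g. one per Availability Zone per tier."""
    net = ipaddress.ip_network(vpc_cidr)
    subnets = list(net.subnets(new_prefix=new_prefix))
    if count > len(subnets):
        raise ValueError(f"{vpc_cidr} only holds {len(subnets)} /{new_prefix} subnets")
    return [str(s) for s in subnets[:count]]


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses actually assignable to instances after AWS's reserved ones."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - AWS_RESERVED_PER_SUBNET


if __name__ == "__main__":
    reserved = ON_PREM_CIDRS + list(EXISTING_VPC_CIDRS.values())
    chosen = choose_vpc_cidr(["10.1.0.0/16", "10.2.0.0/24", "10.4.0.0/16"], reserved)
    print("new VPC CIDR:", chosen)
    for s in carve_subnets(chosen, 24, 6):
        print(f"  {s}: {usable_hosts(s)} usable addresses")
```

In the sample run, 10.1.0.0/16 is rejected because it collides with an on-premises range and 10.2.0.0/24 because it sits inside the prod VPC, so 10.4.0.0/16 is chosen and then carved into /24 subnets. Run the same check against every VPC that will be peered or connected to the data centre, not just the one you are creating today.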
- Creating Subnets on AWS
Subnets in a VPC are commonly classified as public or private. This is a routing convention, not a property of the subnet itself. By default, all subnets in the same VPC can communicate with each other without restriction, because every route table contains a local route for the VPC CIDR block.
Difference between Public and Private Subnet
Every VPC has a main route table, and any subnet that is not explicitly associated with another route table is implicitly associated with it. A subnet can be explicitly associated with a different route table, but each subnet is associated with exactly one route table at a time, while one route table can be associated with many subnets. A subnet is considered public when its route table contains a route, normally the default route 0.0.0.0/0, whose target is an Internet gateway; if no such entry exists, the subnet is private:
Destination: 0.0.0.0/0  Target: igw-xxxxx (Internet gateway)
Note that this route only makes the subnet reachable from the Internet; an instance in it still needs a public or Elastic IP address to actually send and receive Internet traffic.
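The classification rule above, applied programmatically. This is an added example, not code from the original post: the route tables are a constructed sample shaped like the `RouteTables` list returned by `aws ec2 describe-route-tables` (trimmed to the fields used), and the subnet and gateway IDs are made up. Fed the real JSON, it reports which subnets are exposed through an Internet gateway, including subnets that fall back to the main route table because they have no explicit association.

```python
from typing import Dict, List, Optional

# Constructed sample, shaped like the "RouteTables" list that
# `aws ec2 describe-route-tables` returns, trimmed to the fields used here.
# IDs are made up; nothing here comes from the original post.
ROUTE_TABLES = [
    {   # the VPC's main route table: only the local route, so it is "private"
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.4.0.0/16", "GatewayId": "local", "State": "active"},
        ],
    },
    {   # default route to an Internet gateway: any subnet using it is public
        "RouteTableId": "rtb-public",
        "Associations": [
            {"Main": False, "SubnetId": "subnet-web-a"},
            {"Main": False, "SubnetId": "subnet-web-b"},
        ],
        "Routes": [
            {"DestinationCidrBlock": "10.4.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c3d", "State": "active"},
        ],
    },
    {   # default route via a NAT gateway: outbound Internet only, still private
        "RouteTableId": "rtb-private",
        "Associations": [{"Main": False, "SubnetId": "subnet-app-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.4.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0f0e0d0c", "State": "active"},
        ],
    },
]
# subnet-db-a has no explicit association, so it implicitly uses rtb-main
SUBNET_IDS = ["subnet-web-a", "subnet-web-b", "subnet-app-a", "subnet-db-a"]


def effective_route_table(subnet_id: str, route_tables: List[Dict]) -> Optional[Dict]:
    """An explicit association wins; otherwise the subnet uses the main route table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def routes_to_igw(rt: Dict) -> List[str]:
    """Destinations whose active target is an Internet gateway (igw-...)."""
    return [
        r.get("DestinationCidrBlock", r.get("DestinationIpv6CidrBlock", "?"))
        for r in rt.get("Routes", [])
        if r.get("GatewayId", "").startswith("igw-") and r.get("State", "active") == "active"
    ]


def classify_subnets(subnet_ids: List[str], route_tables: List[Dict]) -> Dict[str, str]:
    """'public' if the subnet's effective route table sends anything to an IGW, else 'private'."""
    result = {}
    for subnet_id in subnet_ids:
        rt = effective_route_table(subnet_id, route_tables)
        result[subnet_id] = "public" if rt and routes_to_igw(rt) else "private"
    return result


if __name__ == "__main__":
    for subnet_id, kind in classify_subnets(SUBNET_IDS, ROUTE_TABLES).items():
        rt = effective_route_table(subnet_id, ROUTE_TABLES)
        print(f"{subnet_id:14} {kind:8} via {rt['RouteTableId']}")
```

The NAT-gateway case is included deliberately: a subnet whose default route points at a NAT gateway can reach the Internet but cannot be reached from it, so it stays private under this rule. Routes in the `blackhole` state (for example after the gateway was deleted) are ignored, since they no longer forward traffic.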
- Security between Subnets and within VPC
AWS provides two complementary security features: network ACLs (NACLs) and security groups.
A network ACL delivers security at the subnet level, but NACLs are stateless. Responses to allowed inbound traffic are evaluated against the outbound rules, and vice versa, so allowing inbound TCP 443 alone is not enough: the outbound rules must also allow the ephemeral ports (1024-65535) on which the client's reply travels back. Rules are evaluated in ascending order of rule number, the first match wins, and an implicit deny-all rule (*) catches everything else. Mis-ordered or one-sided rules can silently block traffic between two subnets that would otherwise talk to each other, so design NACLs carefully up front to avoid constantly amending them.
Security groups, on the other hand, act as a stateful firewall at the instance level (they are attached to the network interface), so the response to allowed traffic is permitted automatically. Rules can be changed and ports opened on the fly without touching the host, server or EC2 instance. A new security group implicitly denies all inbound traffic and allows all outbound traffic; security group rules are allow rules only, so you open just the specified ports from the specified sources.
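To make the stateless/stateful difference concrete, here is an added Python model (not AWS code, and not from the original post) of how the two mechanisms evaluate a single HTTPS session. The rule sets and client addresses are constructed; the evaluation order (ascending rule number, first match wins, implicit deny), the one-direction-at-a-time NACL check and the stateful security-group behaviour follow AWS's documented semantics.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    protocol: str          # "tcp", "udp", "icmp" or "-1" (all protocols)
    port_from: int
    port_to: int
    cidr: str              # source for inbound rules, destination for outbound rules
    action: str = "allow"  # NACLs have allow and deny; security groups only allow
    number: int = 0        # NACL rule number; unused (0) for security group rules


def _matches(rule: Rule, proto: str, port: int, peer_ip: str) -> bool:
    if rule.protocol not in ("-1", proto):
        return False
    if rule.protocol in ("tcp", "udp") and not (rule.port_from <= port <= rule.port_to):
        return False
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.cidr)


def nacl_allows(rules: List[Rule], proto: str, port: int, peer_ip: str) -> bool:
    """One direction of a NACL: lowest rule number first, first match wins,
    and the trailing '*' rule denies anything left over."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, proto, port, peer_ip):
            return rule.action == "allow"
    return False


def nacl_flow_allowed(inbound: List[Rule], outbound: List[Rule], proto: str,
                      server_port: int, client_ip: str, client_port: int) -> bool:
    """Stateless: the request is checked against the inbound rules and the reply,
    going back to the client's ephemeral port, separately against the outbound rules."""
    request_ok = nacl_allows(inbound, proto, server_port, client_ip)
    response_ok = nacl_allows(outbound, proto, client_port, client_ip)
    return request_ok and response_ok


def sg_flow_allowed(inbound: List[Rule], proto: str, server_port: int, client_ip: str) -> bool:
    """Stateful: only the packet that opens the session is evaluated; the reply is
    tracked and permitted regardless of outbound rules. No rule numbers, no deny rules."""
    return any(_matches(r, proto, server_port, client_ip) for r in inbound)


# Constructed rule sets. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
NACL_INBOUND = [
    Rule("tcp", 443, 443, "203.0.113.0/24", action="deny", number=50),   # block one range first
    Rule("tcp", 443, 443, "0.0.0.0/0", action="allow", number=100),
]
# Common mistake: mirroring the inbound rule on the outbound side. The reply to a
# client on port 51234 never matches port 443 and falls through to the implicit deny.
NACL_OUTBOUND_MIRRORED = [Rule("tcp", 443, 443, "0.0.0.0/0", action="allow", number=100)]
# Fix: also allow the ephemeral port range on which the client's reply travels back.
NACL_OUTBOUND_FIXED = NACL_OUTBOUND_MIRRORED + [
    Rule("tcp", 1024, 65535, "0.0.0.0/0", action="allow", number=110),
]
# Security group: a single inbound allow is enough; outbound is implicitly allowed.
SG_INBOUND = [Rule("tcp", 443, 443, "0.0.0.0/0")]


if __name__ == "__main__":
    client, eph = "198.51.100.7", 51234
    print("NACL, mirrored outbound:", nacl_flow_allowed(NACL_INBOUND, NACL_OUTBOUND_MIRRORED, "tcp", 443, client, eph))
    print("NACL, ephemeral allowed:", nacl_flow_allowed(NACL_INBOUND, NACL_OUTBOUND_FIXED, "tcp", 443, client, eph))
    print("NACL, denied source:    ", nacl_flow_allowed(NACL_INBOUND, NACL_OUTBOUND_FIXED, "tcp", 443, "203.0.113.7", eph))
    print("Security group:         ", sg_flow_allowed(SG_INBOUND, "tcp", 443, client))
```

The first case is the one that bites people in practice: the inbound rule looks right, the connection even reaches the server, and the reply is dropped on the way out. The deny rule at number 50 also shows why ordering matters; placed at 150 it would never be reached, because rule 100 already matches. The same ephemeral-port caveat applies in the other direction for connections the instance initiates (inbound must allow 1024-65535 for the replies).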