Cloud infrastructure is all about networking. While certain workloads can be (and are) run offline, client access to those resources still requires secure network access: authenticated, integrity-protected and available. Private networking is a valuable tool for achieving these, by simplifying or enabling best practices. This post explores some of the ways in which it can be used to meet real business objectives.
In a traditional physical cluster, you would be mad not to use dedicated, air-gapped switches for internal networking between servers. The same can be said for cloud instances.
Communications between instances within the same organisation need not transit the internet. Aside from the cost of metered public bandwidth, there is the exposure of sending traffic over an untrusted public network. Private networking keeps traffic between instances local to your organisation’s private VLANs, which are typically enforced with access control lists (as with Joviam). The effect is isolated transit between the instances you have connected to these private networks.
This doesn’t replace due diligence for security, such as the use of VPNs, SSH and host firewalls, but it is another layer of defence: a compromised or misconfigured host elsewhere on the internet cannot even reach the private segment.
On platforms like Joviam, you’re able to define multiple, custom private networks to be deployed with their own IP ranges, gateway addresses and subnet masks. With these, you don’t just have the ability to privately network instances across an organisation, you’re even able to segment out certain instances with their own private networks.
As an example, you could have one private network configured solely for communicating with your database server, with the database bound to its address on that network. Instances not attached to this private network aren’t even on the right IP range to reach it, let alone in a position to attempt authentication.
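To make the database-network pattern concrete, here is an added example (not Joviam’s code or API) that models two private networks and emits the matching host firewall rules for the database server. The network names, addresses, interface name `eth1` and port 5432 are hypothetical; the nftables syntax is standard.

```python
"""Model a segmented private network and emit the database host's firewall rules.

Added example, not Joviam's code: network names, addresses and the interface
name are hypothetical, chosen to illustrate the dedicated database segment.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PrivateNetwork:
    name: str
    cidr: str  # e.g. "10.20.0.0/24"

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.cidr)


@dataclass
class Instance:
    name: str
    # private network name -> address assigned to this instance on that network
    addresses: dict = field(default_factory=dict)

    def address_on(self, net: PrivateNetwork):
        """Address this instance holds on `net`, or None if it is not attached.

        An address outside the network's range is a misconfiguration, not an
        attachment, so it is rejected rather than silently accepted.
        """
        addr = self.addresses.get(net.name)
        if addr is None:
            return None
        ip = ipaddress.ip_address(addr)
        if ip not in net.network:
            raise ValueError(f"{self.name}: {addr} is outside {net.cidr}")
        return ip


def can_reach_db(client: Instance, db: Instance, db_net: PrivateNetwork) -> bool:
    """True only if both instances hold an address on the database network.

    A client with no address on db_net has no route to the database at all;
    no credentials are ever tested, which is the point of the segment.
    """
    return client.address_on(db_net) is not None and db.address_on(db_net) is not None


def db_host_nftables(db: Instance, db_net: PrivateNetwork, iface: str, port: int) -> str:
    """nftables ruleset for the database host: accept the database port only from
    the private segment, arriving on the private interface; default-drop the rest.
    Management access (e.g. SSH from a management segment) must be added too."""
    listen = db.address_on(db_net)
    if listen is None:
        raise ValueError(f"{db.name} is not attached to {db_net.name}")
    return "\n".join([
        "table inet dbguard {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
        "    # add management access (SSH from the management segment) here",
        f'    iifname "{iface}" ip saddr {db_net.cidr} ip daddr {listen} tcp dport {port} accept',
        "  }",
        "}",
    ])


if __name__ == "__main__":
    # constructed topology: 'web' sits on both segments, 'worker' only on app
    app_net = PrivateNetwork("app", "10.10.0.0/24")
    db_net = PrivateNetwork("db", "10.20.0.0/24")
    web = Instance("web", {"app": "10.10.0.5", "db": "10.20.0.5"})
    worker = Instance("worker", {"app": "10.10.0.6"})
    db1 = Instance("db1", {"db": "10.20.0.2"})
    print("web -> db:", can_reach_db(web, db1, db_net))
    print("worker -> db:", can_reach_db(worker, db1, db_net))
    print(db_host_nftables(db1, db_net, "eth1", 5432))
```

The generated ruleset is what you would load with `nft -f` on the database host; pair it with the database listening only on its private address (for PostgreSQL, `listen_addresses = '10.20.0.2'`) so that a stray public interface never exposes the service.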
Private networking lets you build out more complex topologies without having to outsource to other services or deal with the complexity of hybrid cloud deployments. In principle, you could take a series of physical servers, even the firewalls and dedicated UTM (unified threat management) boxes, and migrate them to the cloud with the same layer 2 network access they had on your previous physical network.
Another key and often overlooked aspect of security is availability. With multiple layer 2 private networks available for attaching to instances, everything from frame size (MTU) to subnet addressing can be tuned to workload requirements. The result is the potential for optimised performance and availability of hosted services between instances, such as nodes in a Hadoop cluster. One caveat: if you enable jumbo frames on a segment, set the same MTU on every interface attached to it, since a mismatch causes fragmentation at best and silently dropped packets at worst.
Along with better network performance, isolated traffic is simpler to monitor. A gateway instance on each private network sees every connection that crosses it, so traffic can be inspected per port and rate-limited per network. Because only trusted connections from a limited set of peers should occur on a given private network, the origin and patterns of traffic are easier to discern, and anything outside that set stands out.
This gives more visibility into your cluster at any one time, and can greatly assist in isolating and mitigating potential security issues.
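The monitoring described above reduces to a small amount of detection logic once the trusted peers and ports of each private network are written down. The following is an added example, not Joviam’s code: it parses constructed flow records of the kind a gateway instance could export (from conntrack or a flow exporter) and flags sources outside the segment’s range, attached-but-untrusted peers, unexpected ports, and connection bursts that a rate limit should be catching. The log format, network name, peer list and thresholds are all hypothetical.

```python
"""Flag untrusted peers, odd ports and bursts on a private segment.

Added example, not Joviam's code: the record format imitates a gateway flow
export ("<unix ts> net=<name> src=<ip> dst=<ip> proto=<tcp|udp> dport=<n>");
the policy values are hypothetical.
"""
import ipaddress
import re
from collections import defaultdict

FLOW_RE = re.compile(
    r"^(?P<ts>\d+) net=(?P<net>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>tcp|udp) dport=(?P<dport>\d+)$"
)

# Per private network: who may talk, to which ports, and how many new
# connections one source may open per window before it counts as a burst.
POLICY = {
    "db": {
        "cidr": "10.20.0.0/24",
        "trusted_peers": {"10.20.0.5", "10.20.0.6"},
        "allowed_ports": {5432},
        "max_new_conns": 20,  # per source, per window
        "window_s": 10,
    },
}


def parse_flow(line: str):
    """Parse one record into a dict, or return None for an unparseable line."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def analyse(lines, policy=POLICY):
    """Return a list of (kind, detail) alerts for the given flow records."""
    alerts = []
    recent = defaultdict(list)  # (net, src) -> timestamps inside the window
    burst_reported = set()
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            alerts.append(("unparsed", line.strip()))
            continue
        pol = policy.get(rec["net"])
        if pol is None:
            alerts.append(("unknown_network", rec["net"]))
            continue
        src_ip = ipaddress.ip_address(rec["src"])
        if src_ip not in ipaddress.ip_network(pol["cidr"]):
            # On a layer 2 isolated segment a source outside its range means a
            # misattached instance or spoofing; treat it as the highest priority.
            alerts.append(("foreign_source", f"{rec['src']} on {rec['net']}"))
        elif rec["src"] not in pol["trusted_peers"]:
            alerts.append(("untrusted_peer", f"{rec['src']} -> {rec['dst']}:{rec['dport']}"))
        if rec["dport"] not in pol["allowed_ports"]:
            alerts.append(("unexpected_port", f"{rec['src']} -> {rec['dst']}:{rec['dport']}"))
        # Sliding window per source: keep only timestamps newer than the cutoff.
        key = (rec["net"], rec["src"])
        cutoff = rec["ts"] - pol["window_s"]
        recent[key] = [t for t in recent[key] if t > cutoff] + [rec["ts"]]
        if len(recent[key]) > pol["max_new_conns"] and key not in burst_reported:
            burst_reported.add(key)
            alerts.append(("burst", f"{rec['src']} opened {len(recent[key])} connections in {pol['window_s']}s"))
    return alerts


# Constructed sample: one normal flow, one attached-but-untrusted peer, one
# wrong port, one source outside the segment, and a 25-connection burst.
SAMPLE_LOG = [
    "1700000000 net=db src=10.20.0.5 dst=10.20.0.2 proto=tcp dport=5432",
    "1700000001 net=db src=10.20.0.9 dst=10.20.0.2 proto=tcp dport=5432",
    "1700000002 net=db src=10.20.0.5 dst=10.20.0.2 proto=tcp dport=22",
    "1700000003 net=db src=192.168.7.4 dst=10.20.0.2 proto=tcp dport=5432",
] + ["1700000010 net=db src=10.20.0.6 dst=10.20.0.2 proto=tcp dport=5432"] * 25

if __name__ == "__main__":
    for kind, detail in analyse(SAMPLE_LOG):
        print(f"{kind:16} {detail}")
```

Run as-is it prints one alert of each kind; in practice the burst threshold would mirror the rate limit configured on the gateway, so an alert means the limit was exercised and someone should look at why.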
With a private network or networks between instances, deploying a VPN is a snap. With a network appliance instance acting as a VPN gateway, remote clients can access all the instances on the private network without per-instance configuration. For customers wanting to segment further, separate private networks can be deployed and VPN credentials issued per network to limit which end users can reach which segment. The gateway is then the one exposed choke point, so its authentication and patching deserve the most attention.
Where a full-blown VPN isn’t required, sshuttle (which tunnels TCP traffic over an ordinary SSH session) or a plain SSH jump host can be used to similar effect.
As touched on in several points, layer 2 private networks are free to deploy and use. Whereas other platforms would require you to pay for transit between the internet and your firewall, then again to your Windows Server, Joviam only charges for the initial public transit. This means complete, isolated private networks can be deployed without double dipping, so there’s no cost overhead to securing your infrastructure.