I’d love to hear some thoughts on how to implement effective egress control using DNS-based policies. Each ‘knob’ for control seems to have deficiencies: Route53 firewall, AWS NFW 80/443 filtering using SNIs, and Suricata rules each have capabilities, but also have gaps…
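One gap all three knobs share is that a DNS-based policy only governs traffic that actually went through the VPC resolver. The following is an added example (not from the questioner) that joins VPC flow log records to Resolver query-log answers and reports the egress a DNS policy could never have filtered: web flows to public IPs that the source host never resolved through the VPC resolver (hardcoded IPs, DoH, an external resolver), and port-53 traffic sent anywhere but the VPC resolver. The flow log lines use the default (version 2) field order; the query-log records are constructed and simplified to the fields used, and the resolver address 10.0.0.2 (VPC base + 2) is an assumption.

```python
"""Find egress flows that a DNS-based policy could not have seen.

Route53 Resolver DNS Firewall and SNI-based rules only control traffic that
first resolves a name through the VPC resolver. This joins VPC flow-log
records to Resolver query-log answers and reports TCP web egress to public
IPs that no prior DNS answer returned to that host, plus DNS traffic sent
to resolvers other than the VPC resolver.
"""
import ipaddress
import json

# Constructed, simplified Route53 Resolver query-log records (JSON lines).
# Only the fields used below are included; timestamps are epoch seconds.
DNS_LOG = """
{"srcaddr":"10.0.1.15","query_name":"api.example.com.","query_timestamp":1700000000,"answers":[{"Rdata":"203.0.113.10"}]}
{"srcaddr":"10.0.1.15","query_name":"cdn.example.net.","query_timestamp":1700000005,"answers":[{"Rdata":"198.51.100.7"},{"Rdata":"198.51.100.8"}]}
{"srcaddr":"10.0.1.20","query_name":"blocked.example.org.","query_timestamp":1700000010,"answers":[]}
"""

# Constructed VPC flow-log records in the default (version 2) format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
FLOW_LOG = """
2 111122223333 eni-0a1 10.0.1.15 203.0.113.10 51000 443 6 20 4000 1700000002 1700000030 ACCEPT OK
2 111122223333 eni-0a1 10.0.1.15 198.51.100.8 51001 443 6 12 2500 1700000007 1700000020 ACCEPT OK
2 111122223333 eni-0a2 10.0.1.20 192.0.2.44 51002 443 6 30 9000 1700000012 1700000040 ACCEPT OK
2 111122223333 eni-0a2 10.0.1.20 8.8.8.8 51003 53 17 2 200 1700000011 1700000011 ACCEPT OK
2 111122223333 eni-0a2 10.0.1.20 10.0.0.2 51004 53 17 2 200 1700000010 1700000010 ACCEPT OK
2 111122223333 eni-0a1 10.0.1.15 10.0.5.9 51005 5432 6 50 70000 1700000003 1700000050 ACCEPT OK
"""

VPC_RESOLVER = "10.0.0.2"   # assumption: Amazon-provided resolver at VPC CIDR base + 2
WEB_PORTS = {80, 443}
TCP = "6"
# Explicit RFC 1918 list: ipaddress.is_private also treats the documentation
# ranges (192.0.2.0/24 etc.) used as "public" IPs in the sample as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    """True when addr falls inside an RFC 1918 range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flow_log(text):
    """Parse default-format flow-log lines into dicts; drop blanks and non-OK records."""
    fields = ["version", "account", "eni", "srcaddr", "dstaddr", "srcport",
              "dstport", "protocol", "packets", "bytes", "start", "end",
              "action", "status"]
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != len(fields):
            continue
        rec = dict(zip(fields, parts))
        if rec["status"] == "OK":
            records.append(rec)
    return records


def load_dns_answers(text):
    """Map (client, answered_ip) -> earliest time the VPC resolver returned that IP."""
    seen = {}
    for line in text.strip().splitlines():
        rec = json.loads(line)
        ts = int(rec["query_timestamp"])
        for ans in rec.get("answers", []):
            key = (rec["srcaddr"], ans["Rdata"])
            seen[key] = min(ts, seen.get(key, ts))
    return seen


def find_egress_bypass(flow_text, dns_text, vpc_resolver=VPC_RESOLVER):
    """Return (kind, src, dst) findings the DNS-based policy never had a chance to filter."""
    answers = load_dns_answers(dns_text)
    findings = []
    for f in parse_flow_log(flow_text):
        if is_internal(f["dstaddr"]) or f["action"] != "ACCEPT":
            continue
        port = int(f["dstport"])
        # DNS sent to anything but the VPC resolver: DNS Firewall does not see it.
        if port == 53 and f["dstaddr"] != vpc_resolver:
            findings.append(("resolver-bypass", f["srcaddr"], f["dstaddr"]))
            continue
        # Web egress to a public IP this host never resolved via the VPC resolver
        # before the flow started: hardcoded IP, DoH, or an external resolver.
        if f["protocol"] == TCP and port in WEB_PORTS:
            first_seen = answers.get((f["srcaddr"], f["dstaddr"]))
            if first_seen is None or first_seen > int(f["start"]):
                findings.append(("no-dns-precedent", f["srcaddr"], f["dstaddr"]))
    return findings


if __name__ == "__main__":
    for finding in find_egress_bypass(FLOW_LOG, DNS_LOG):
        print(*finding)
```

Anything this reports is traffic an NFW domain rule or DNS Firewall rule would wave through because the name it keys on never appeared; those flows need an IP-based deny (or a default-deny egress with explicit allows) rather than another DNS rule. CDNs that rotate answers faster than the log correlation window will show up as false positives, so widen the window or key on the resolved name's full answer set before acting on a finding.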
What is the real use case where a DX/DirectConnect to AWS or a similar offering for other public clouds is needed versus the usual IPsec+BGP VPN access over the Internet?
Deploying applications in colocated data centers and multiple regions of multiple cloud providers:
Let's say an organization has a global presence and has multiple physical POPs globally to serve their regional/local needs. Think of these POPs as mini data centers across the world, with server, network and storage resources.
At the same time they also have Azure and AWS presence. Infrastructure is present in both clouds in multiple regions, but only for certain unique types of applications.
The cloud-hosted infrastructure has dependencies on on-site resources located in the above-mentioned POPs, one of which is AD/DNS.
Azure is hosting multi-region VDI for 24/7 customer center operations. AWS is running the DevOps environment for developing applications and hosting custom applications.
Internet exit for Azure is through Azure, but for AWS it is centralized through on-prem. However, both use on-prem DNS.
- Global resiliency, distributed applications, and services access.
- How we can keep regional traffic local, keep on-prem traffic local and keep cloud traffic local.
- How to manage latency
In this brave new world of multi-cloud this and that… what is a network engineer to do in terms of network architecture/design:
- architect/design network topology
- architect/design service chains (of course this is mainly driven by the app folks, the software architects, but usually they just show up with “make it work … we’ll just write code” and surely everyone runs around the enterprise looking for the network guy … “dude … put together the plumbing for us … we have to make it work” :)
Maybe it’s nothing, but it’s been bugging me for a while now… there’s more and more cloud work.
I would love to see some design options for multi-cloud connectivity using dedicated links where encryption is a mandatory requirement, including:
- Cloud-native vs. other instance-based gateways (Cisco/Aviatrix/others),
- Ingress/egress security services at the edge, cloud/on-prem,
- Usage (or does it even make sense) of SD-WAN on top of dedicated leased lines to provide secure access to IaaS from on-prem,
- Inter-cloud connectivity.
I am working on a data center migration to AWS and I have a challenge to lay out a strategy on how to slice the workloads. Hybrid is a reality and a given in enterprise IT, at least as a transitional state.
At a high level I am going to split between tiers, front end (cloud) and backend (on-premises). There are pros/cons as with any decision, but I am particularly interested in how I can identify chatty applications when communicating with the backend, or specifically databases, ‘cause they were built for an environment where the two sit very close to each other. One front-end request can issue dozens of requests to the backend, so splitting such a chatty channel is likely to result in poor performance.
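One way to find the chatty endpoints before the split is to count backend calls per front-end request and project what each call costs once the sub-millisecond LAN hop becomes a cloud-to-on-prem RTT. The following is an added example (not the questioner's or any vendor's tooling) that does this over application log lines; the `key=value` log format, the synthetic request generator used to build the sample, and the 0.3 ms / 20 ms RTT figures and 100 ms budget are all assumptions.

```python
"""Spot front-end endpoints that are too chatty to split from their backend.

Every backend round trip that costs a sub-millisecond LAN hop today costs a
full cloud-to-on-prem RTT after the split. Counting backend calls per
front-end request from application logs gives a first estimate of which
endpoints will suffer and by roughly how much.
"""
import re
from collections import defaultdict

KV = re.compile(r"(\w+)=(\S+)")


def synth_request(req_id, path, n_calls, call_ms, total_ms):
    """Build constructed log lines for one request: n backend calls, then a done line."""
    lines = [f"req={req_id} path={path} event=backend_call target=db dur_ms={call_ms}"
             for _ in range(n_calls)]
    lines.append(f"req={req_id} path={path} event=request_done dur_ms={total_ms}")
    return lines


# Constructed sample: an ORM-style checkout page issuing dozens of small
# queries, a trivial health check, and a report with three heavy queries.
SAMPLE_LOG = (synth_request("r1", "/checkout", 40, 0.8, 60.0)
              + synth_request("r2", "/checkout", 44, 0.8, 66.0)
              + synth_request("r3", "/health", 1, 0.5, 2.0)
              + synth_request("r4", "/report", 3, 120.0, 400.0))


def parse_line(line):
    """Turn a key=value log line into a dict."""
    return dict(KV.findall(line))


def aggregate(lines):
    """Per request: path, backend call count, summed backend time, wall-clock total."""
    per_req = defaultdict(lambda: {"path": None, "calls": 0,
                                   "backend_ms": 0.0, "total_ms": None})
    for line in lines:
        kv = parse_line(line)
        r = per_req[kv["req"]]
        r["path"] = kv["path"]
        if kv["event"] == "backend_call":
            r["calls"] += 1
            r["backend_ms"] += float(kv["dur_ms"])
        elif kv["event"] == "request_done":
            r["total_ms"] = float(kv["dur_ms"])
    return per_req


def chattiness_report(lines, local_rtt_ms=0.3, split_rtt_ms=20.0):
    """Per path: mean calls/request and projected latency with the backend split_rtt_ms away.

    Assumes backend calls are issued sequentially (the usual case for
    ORM-driven handlers), so every call adds the full RTT delta to the request.
    With parallel calls the inflation is closer to RTT delta times the depth of
    the longest dependency chain, so treat this as an upper bound.
    """
    by_path = defaultdict(list)
    for r in aggregate(lines).values():
        if r["total_ms"] is not None:          # ignore requests still in flight
            by_path[r["path"]].append(r)
    delta = split_rtt_ms - local_rtt_ms
    report = {}
    for path, reqs in by_path.items():
        calls = sum(r["calls"] for r in reqs) / len(reqs)
        total = sum(r["total_ms"] for r in reqs) / len(reqs)
        added = calls * delta
        report[path] = {
            "calls_per_request": round(calls, 1),
            "current_ms": round(total, 1),
            "added_ms": round(added, 1),
            "projected_ms": round(total + added, 1),
        }
    return report


def chatty_paths(report, budget_ms=100.0):
    """Paths whose projected added latency exceeds the budget."""
    return sorted(p for p, v in report.items() if v["added_ms"] > budget_ms)


if __name__ == "__main__":
    rep = chattiness_report(SAMPLE_LOG)
    for path, v in sorted(rep.items()):
        print(path, v)
    print("keep these with their backend:", chatty_paths(rep))
```

On the sample, /checkout averages 42 backend calls and would pick up well over 800 ms per request at a 20 ms RTT, while /report makes three expensive calls and barely moves: the number of round trips matters far more than the time spent in the database. If the application has no request-id logging, the same count can be taken from the database side (statements per client connection per front-end request) or from a packet capture between the tiers.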
Use case: you are using the cloud as an over-the-top WAN with edge devices in 10 or 20 or 120 cloud points of presence, spread across AWS, Azure, GCP, Oracle, etc., and implementing MPLS tagging to make it a small carrier-style network to overcome address overlap issues between different connecting networks (connecting via a variety of site-to-site technologies and GRE tunneling over Direct Connect/ExpressRoute).