With the right configuration, administrators managing a hybrid IT environment can also use virtual private clouds to host workloads.
A hybrid cloud enables IT administrators to move workloads seamlessly between private and public clouds, providing more flexibility than is available through either one alone. A hybrid IT environment can also include virtual private clouds, which offer many of the same benefits as a public cloud while providing some of the controls found in a private cloud.
However, incorporating a virtual private cloud into a hybrid IT environment can add complexity, because virtual private clouds expose additional controls that must be configured and kept consistent with the rest of the environment.
Hybrid and virtual private clouds explained
A hybrid cloud is a cloud computing environment that contains a mix of private and public cloud platforms, with an orchestration component that binds them together. The orchestration component distinguishes the hybrid cloud from a multi-cloud strategy, where an organization uses multiple clouds to perform different tasks without coordination between them. Orchestration in a hybrid IT environment makes it possible for administrators to host workloads and data on the platforms best suited to their needs and move them as requirements change.
A hybrid cloud can comprise a variety of platforms, including one or more virtual private clouds. A virtual private cloud is a logical division within a public cloud infrastructure that isolates a virtual network from other cloud resources. Workloads and data are contained within the virtual private cloud, providing a structure similar to a private cloud.
A virtual private cloud offers many of the benefits of the public cloud, such as easy deployments and scaling, along with a pay-as-you-go model. At the same time, virtual private clouds support many of the same types of controls found in a private cloud, such as the ability to manage IP addresses, subnets and network gateways.
Because the virtual private cloud is isolated from other workloads on the cloud platform, IT can more confidently extend sensitive workloads from an on-premises data center to the virtual network, blurring the lines even further between internal and external platforms.
Control over a virtual private cloud environment
Several vendors have taken the lead in delivering virtual private cloud services, most notably Amazon, Microsoft and Google.
For example, Amazon Virtual Private Cloud (VPC) is part of the AWS cloud offering. Amazon VPC provides a virtual networking environment in which admins can configure IP addresses, subnets, route tables and network gateways. Administrators can also implement IPv4 or IPv6 and configure hardware virtual private network (VPN) connections. They can also use the service's built-in protections, such as security groups and network access control lists.
Microsoft offers similar capabilities through its Azure Virtual Network (VNet) service. Admins can segment the virtual network into one or more subnets and then allocate a portion of the virtual private cloud's IP address space to each subnet. They can also use Azure name resolution capabilities or specify their own domain name system servers. In addition, admins can define private IP address spaces using public and private addresses.
Google also offers a virtual private cloud service as part of the Google Cloud Platform. A Google virtual private cloud can span multiple regions without communicating across the internet or assigning a public IP address to the virtual private cloud. Admins can also isolate teams within projects using a shared private IP space and increase the IP space of any subnet without shutting down workloads.
With all three services, subscribers have more control over such configuration options as IP addresses, subnets and routing than they get with public clouds. But administrators must also orchestrate their hybrid IT environments to provide seamless interoperability between the various platforms, a process difficult enough without the added complexities of virtual private clouds.
Incorporate virtual private clouds into a hybrid IT environment
When incorporating one or more virtual private clouds into a hybrid IT environment, administrators must carry out a number of tasks, such as setting up subnets, assigning IP addresses, defining route tables, configuring gateways and otherwise enabling connectivity. At the same time, they must be careful not to introduce conflicts. For example, they must ensure they don't configure virtual private clouds with IP address ranges that overlap each other or the on-premises network.
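As an added example that is not from the article, the following Python script checks a constructed inventory of on-premises and virtual private cloud address ranges for the overlap conflicts described above; the network names and CIDR values are assumptions, and a subnet is allowed to sit inside its own parent network.

```python
# Added example (not from the article): detect overlapping address spaces across
# the on-premises network and the virtual private clouds in a hybrid environment.
# Network names and CIDR ranges below are constructed sample values.
import ipaddress
from itertools import combinations

# Constructed inventory of (name, CIDR). The on-premises range and the Google VPC
# overlap deliberately so the check has something to report.
SAMPLE_INVENTORY = [
    ("on-prem-datacenter", "10.0.0.0/16"),
    ("aws-vpc-prod", "10.1.0.0/16"),
    ("azure-vnet-prod", "10.2.0.0/16"),
    ("gcp-vpc-prod", "10.0.128.0/17"),            # collides with on-prem-datacenter
    ("aws-vpc-prod-web-subnet", "10.1.1.0/24"),   # carved from aws-vpc-prod (expected)
]

# Maps a subnet name to the network it is carved from (constructed).
SAMPLE_PARENTS = {"aws-vpc-prod-web-subnet": "aws-vpc-prod"}


def find_overlaps(inventory, parents=None):
    """Return a sorted list of (name_a, name_b) pairs whose ranges overlap.

    A subnet overlapping the parent network listed for it in `parents` is
    intended and is not reported. Raises ValueError on a malformed CIDR or on
    a CIDR with host bits set, which usually signals a typo in the inventory.
    """
    parents = parents or {}
    nets = [(name, ipaddress.ip_network(cidr, strict=True)) for name, cidr in inventory]
    conflicts = []
    for (a, net_a), (b, net_b) in combinations(nets, 2):
        if net_a.version != net_b.version:
            continue  # an IPv4 and an IPv6 range cannot collide
        if parents.get(a) == b or parents.get(b) == a:
            continue  # subnet inside its own network is expected
        if net_a.overlaps(net_b):
            conflicts.append(tuple(sorted((a, b))))
    return sorted(conflicts)


if __name__ == "__main__":
    for a, b in find_overlaps(SAMPLE_INVENTORY, SAMPLE_PARENTS):
        print(f"conflict: {a} overlaps {b}")
```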
Many of the tasks that administrators carry out are within the virtual private cloud itself. Because a virtual private cloud is essentially a virtual network, it can contain a variety of components, adding to the overall complexity of the hybrid IT environment.
A good example of this is described in a Microsoft reference architecture. It explains how to extend a secure hybrid network to an Azure VNet environment using a demilitarized zone (DMZ) between the on-premises network and the virtual private cloud web tier. The DMZ uses network virtual appliances to provide security protections, such as firewalls and packet inspection. In addition, the virtual private cloud contains web, business and data tiers to run off-premises workloads.
The virtual network connects to the on-premises network using either a VPN or an Azure ExpressRoute connection. When using a VPN, the virtual network requires a VPN gateway, which sits at the edge of the virtual network outside of the DMZ. The VPN gateway communicates with the on-premises gateway, permitting traffic to flow between the two networks. If the virtual network doesn't include a DMZ, the VPN gateway connects directly to the web tier within the VPC.
ExpressRoute is a service that Microsoft provides to implement private, dedicated connections between an on-premises network and an Azure network. Instead of a VPN gateway, the virtual network uses an ExpressRoute gateway that resides within that virtual network.
In addition, the connection requires an ExpressRoute circuit that joins the on-premises and Azure networks. Edge routers sit on either side of the circuit to route traffic between the two networks. A connectivity provider supplies the ExpressRoute circuit and manages the edge routers.
Amazon and Google offer similar options to connect on-premises networks to their virtual networks. In addition to supporting VPN connections, each one offers a service similar to ExpressRoute to establish dedicated connections. Amazon has AWS Direct Connect and Google has Cloud Interconnect.
The future of hybrid clouds and virtual private clouds
Implementing a hybrid IT environment that connects multiple cloud platforms can be a complex and time-consuming task. Although virtual private clouds share many of these same complexities, they can also add a few of their own, mostly because the virtual private cloud offers more control over its environment.
As hybrid technologies mature and virtual private clouds grow more popular, integration will likely become faster and easier, not only between on-premises and virtual networks, but also between different cloud platforms, whether public, private or virtual, all of which will make the hybrid strategy more practical and useful.