This document discusses the networking complexities that arise in hybrid and multi-cloud environments. It notes that routing traffic securely between disparate cloud platforms is challenging, and that managing multiple providers each with their own management and security methods complicates operations. The document then explores specific complexities around modernization, monitoring, suppliers and connectivity. It proposes several potential methods for simplifying this complexity, such as SD-WAN, cloud on-ramp service providers, carrier-neutral colocation, AWS Direct Connect and Azure ExpressRoute.

1. By: Joseph Primicerio
January 28, 2019
Multi-Cloud Networking
An Overview of the Networking Complexities in a
Hybrid and Multi-cloud World

2. Cloud Networking Complexities
Hybrid and Multi-Cloud Factors:
 Routing traffic rapidly and securely between disparate cloud platforms is
complex; avoid complex Managed VPN solutions
 Automation needed for disparate CLI’s, BGP ASN’s, and routing tables
 Managing multiple cloud, SaaS, network, and colocation providers is a
juggling act!
 Every provider will have their own proprietary method for management,
monitoring, storage, and network solutions.
 Establishing standard security capabilities and policies
 Ability to enforce security for users, data, and applications everywhere is
essential
The need for digital transformation increases complexity with managing multiple
apps, on multiple clouds, and leveraging a mix of public, private and hybrid cloud
networks.

3. Other Complexities
Modernization
 Hybrid clouds need modernized data center and processes to support both legacy and
new applications.
 New capabilities need to support rapid provisioning, higher performance, and data
mobility between disparate clouds (public and private).
Monitoring and Security
 Multi-cloud networks need capability to monitor and secure traffic flows in/out of public
cloud environments.
 End-to-end encryption needed for every virtual circuit/path/connection.
Suppliers
 There are a plethora of options; need to carefully evaluate network requirements and
migrate workloads accordingly to avoid vendor-lock.
Connectivity
 Network Abstraction: Purpose-built networking in the cloud is all software driven.
 Automation needed for disparate CLI’s, BGP ASN’s, and routing tables.
 End-to-end encryption needed for every virtual circuit/path/connection.

4. Simplifying Complexity
Potential Methods:
 SD-WAN or Software-defined networking
 Cloud On Ramp Service Providers
 Carrier-Neutral Colocation Services
 AWS Direct Connect
 Azure Express Route
While a multi-cloud strategy will help to avoid vendor lock-in, increase
reliability and protect mission-critical data, it has inherent complexity.
Before leaping into multi-cloud, consider these few potential methods to
simplify the complexity.

5. SD-WAN Architecture
 SD-WAN is a software-defined approach to centralized management of the
wide-area network and seamlessly extends the WAN to multiple public clouds.
 High availability and predictable SLAs for critical enterprise applications.
 Multiple active-active links to balance network traffic load.
 Purpose-built networking in the cloud is all software driven.
 Dynamically routes application traffic to drive efficient delivery.
Aggregation of
links into single
bundled link
MPLS
Customer Data Center
E
D
G
E
Customer
Branch A
LTE
INTERNET

6. Cloud “On-Ramp” Service Providers
 Cloud On Ramp Services provide a connection service within a data center
that connects directly to a cloud service provider’s network.
“On Ramp”
Network
On-Ramp Providers:
 Equinix
 CoreSite
 Digital Realty
 Switch
 Cologix
 Megaport
Customer Data Center

7. Carrier Neutral Colocation
 Carrier neutrality refers to data centers that allow interconnection between
many colocation and interconnection providers.
 Provides diversity and flexibility by not being bound to any one service
provider.

8. Direct Connect Architecture
 Carve up 1Gb connections for each VIF.
 With BGP, only the CIDR of the VPC will be advertised; individual
subnets cannot be advertised.
 Include three subnets per availability zone for Web, App, and
Database hosts.
AWS Region
VPC
10.2.0.0/16
AWS Direct Connect Location
AWS PremiseCustomer Premise
Direct Connect
Router
Customer/Partner
Router
Customer
Router/Firewall
Customer’s
Network
AWS Region
VPC
10.0.0.0/16
AWS Region
VPC
10.4.0.0/16Private VIF 1
Private VIF 2
Private VIF 3
Each VIF can be
associated with a
different AWS account

9. ExpressRoute Architecture
 Same connectivity methods for connection to Azure Cloud.
 Deploy redundant routers on-prem for active-active
connections.
 Connect VNet to multiple ExpressRoute circuits by different
service providers