As more organizations adopt cloud platforms such as AWS and Azure, they are forced to consider how they want to manage their cloud networks. When every device is virtual, how will network teams deliver traditional network functionality that they are used to delivering with physical appliances like firewalls and load balancers?
West Monroe’s approach is to consider the functionality needed, not just the technology that an organization is familiar with. Without a complete understanding of functional requirements, it’s difficult to properly assess whether a vendor appliance is required, or whether similar (or in some cases, better) functionality is already available through a cloud native tool. Using a cloud appliance simply because it’s already in use on-premises may be a case of forcing a tool adoption where it doesn’t belong.
A few examples of where cloud appliances perform differently from their on-premises counterparts:
Network-based security appliances in the cloud, such as firewalls or intrusion detection/prevention systems, cannot provide layer 2 functionality or stateless failover, and can be throughput limited. Automated failover or high availability often requires custom development (scripting against the cloud provider's APIs) to function as well.
Load balancing appliances such as NetScaler or F5 run into similar failover and scalability limitations as network security appliances. In addition, they often lack full-featured integration with the service scalability provided by the public cloud provider.
All major vendors such as Palo Alto and Cisco must live within the constraints of the cloud network environment, so it’s important to carefully consider the impact. Although management of these devices may be familiar, consider that their available features in the cloud might be fundamentally different from their feature set when deployed on premises. If these and other appliance limitations make you hesitate before implementing, be sure that the functionality your organization needs isn’t already available in the platform-native functionality your cloud provider is offering.
For example, Azure and AWS provide ACL functionality via Security Groups at both the network interface and subnet level, allowing traffic control on a NIC-by-NIC basis if desired – a level of granularity that current on-premises appliances cannot provide. If management of these rules through the cloud portals or scripting languages becomes daunting, tools like AWS CloudFormation and Terraform allow network rule deployments to be templated alongside IaaS server deployments.
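As an added illustration of the point above (example template written for this article, not West Monroe's or AWS's own code), the CloudFormation fragment below templates both levels of native AWS traffic control alongside the infrastructure: a subnet-level network ACL, which is stateless and so needs explicit return-path rules, and per-interface security groups, which are stateful and can reference each other instead of IP ranges. The VPC and subnet IDs, the corporate CIDR, and the port numbers are assumed values; the weak setting the template avoids is noted in a comment.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example - subnet-level NACL plus NIC-level security groups (assumed values)

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  AppSubnetId:
    Type: AWS::EC2::Subnet::Id
  CorpCidr:
    Type: String
    Default: 10.20.0.0/16   # assumed corporate address range for admin access

Resources:
  # --- Subnet level: stateless filtering with a Network ACL ---
  AppSubnetAcl:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !Ref VpcId

  # Inbound HTTPS from anywhere to the subnet
  NaclAllowHttpsIn:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref AppSubnetAcl
      RuleNumber: 100
      Protocol: 6            # TCP
      RuleAction: allow
      Egress: false
      CidrBlock: 0.0.0.0/0
      PortRange: { From: 443, To: 443 }

  # Because the NACL is stateless, replies to inbound HTTPS must be allowed
  # out explicitly on the client's ephemeral port range.
  NaclAllowEphemeralOut:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref AppSubnetAcl
      RuleNumber: 100
      Protocol: 6
      RuleAction: allow
      Egress: true
      CidrBlock: 0.0.0.0/0
      PortRange: { From: 1024, To: 65535 }

  AppSubnetAclAssociation:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !Ref AppSubnetId
      NetworkAclId: !Ref AppSubnetAcl

  # --- Interface level: stateful filtering with Security Groups ---
  WebSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS from anywhere, SSH only from the corporate range
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
        # Weak setting to avoid: CidrIp 0.0.0.0/0 on port 22. Admin access is
        # restricted to the assumed corporate CIDR instead.
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref CorpCidr

  DbSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Database tier, reachable only from the web tier
      VpcId: !Ref VpcId

  # Reference the web tier's security group rather than an IP range, so the
  # rule stays correct as web instances are added, replaced or re-addressed.
  DbIngressFromWeb:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DbSg
      IpProtocol: tcp
      FromPort: 5432          # assumed PostgreSQL port
      ToPort: 5432
      SourceSecurityGroupId: !Ref WebSg
```

The group-to-group reference in DbIngressFromWeb is the capability that has no direct equivalent on a traditional appliance: the database rule follows the workload's membership in a group rather than its address, so a change-control step that used to mean updating firewall objects becomes part of the same template that deploys the servers.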
As another example, AWS’s elastic load balancers may provide much of the functionality of traditional NetScaler or F5 load balancer appliances – node health checks, SSL termination and offloading, and load balancing up to Layer 7 are all available, plus much more, as well as integration with AWS CloudWatch for real-time monitoring. AWS Application Load Balancers even scale their capacity as needed to handle incoming connection requirements between geographies. Similar functionality is available in Azure.
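To make the native load balancer features listed above concrete, here is an added CloudFormation fragment (written for this article, not West Monroe's or AWS's own code) that declares an Application Load Balancer with target health checks, TLS termination on a 443 listener, an HTTP-to-HTTPS redirect, and a Layer 7 path-based routing rule. The VPC, subnet and security group IDs, the certificate ARN, the health check path and the backend port are assumed parameters.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example - ALB with health checks, TLS termination and L7 routing (assumed values)

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PublicSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>   # two or more AZs, as the ALB requires
  AlbSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id  # assumed: allows 80/443 inbound
  CertificateArn:
    Type: String                        # placeholder: ACM certificate ARN

Resources:
  AppAlb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: application
      Scheme: internet-facing
      Subnets: !Ref PublicSubnetIds
      SecurityGroups:
        - !Ref AlbSecurityGroupId

  # Node health checks: instances failing /healthz three times in a row are
  # taken out of rotation, which is the appliance "monitor" equivalent.
  WebTargets:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      Protocol: HTTP
      Port: 8080                        # assumed backend port
      TargetType: instance
      HealthCheckPath: /healthz         # assumed health endpoint
      HealthCheckIntervalSeconds: 15
      HealthyThresholdCount: 2
      UnhealthyThresholdCount: 3
      Matcher:
        HttpCode: '200'

  ApiTargets:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      Protocol: HTTP
      Port: 9090                        # assumed API backend port
      TargetType: instance
      HealthCheckPath: /healthz

  # TLS termination and offloading: clients negotiate TLS with the ALB using
  # a current policy; backends receive plain HTTP inside the VPC.
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref AppAlb
      Port: 443
      Protocol: HTTPS
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
      Certificates:
        - CertificateArn: !Ref CertificateArn
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref WebTargets

  # Layer 7 routing: requests under /api/ go to a separate target group.
  ApiPathRule:
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    Properties:
      ListenerArn: !Ref HttpsListener
      Priority: 10
      Conditions:
        - Field: path-pattern
          Values:
            - /api/*
      Actions:
        - Type: forward
          TargetGroupArn: !Ref ApiTargets

  # Plain HTTP is never served; it is redirected so no cleartext path exists.
  HttpRedirectListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref AppAlb
      Port: 80
      Protocol: HTTP
      DefaultActions:
        - Type: redirect
          RedirectConfig:
            Protocol: HTTPS
            Port: '443'
            StatusCode: HTTP_301
```

Everything an F5 or NetScaler would have configured through virtual servers, monitors and iRules or policies is expressed here as declarative resources that deploy with the rest of the stack, and the ALB's per-target health and request metrics flow to CloudWatch without a separate monitoring integration.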
Beyond the functionality offered natively by cloud providers, there are also third-party SaaS tools that focus on external filtering. Providers such as CloudFlare, Incapsula, or Akamai range from basic web application firewalling to fully front-ending all traffic through tunneling, which gives more flexibility in how IaaS and serverless deployments are exposed. For example, if an environment makes heavy use of containers, functionality like Warp may eliminate any direct public exposure of services, reducing the risk profile. These roles would previously have been fulfilled by a combination of network security appliances and load balancers, but you should consider whether those appliances are still ideally suited to the cloud environment.
Network functionality isn’t the only area where organizations may be tempted to bring their on-premises model to a new cloud platform, even if it isn’t the best fit. Be sure to consider the complete functionality your applications and workloads require as you’re planning for migrations to cloud platforms.