DevOps Networks

Cloud Connectivity: Not as Simple as You Thought

Most enterprises rely on infrastructure and applications in the cloud. Whether it’s SaaS services like Office 365, IaaS in AWS, PaaS in Azure, or analytics services in Google Cloud, organizations now rely on systems that do not reside on their infrastructure. Unfortunately, cloud connectivity requirements are often overlooked when the decision is made to migrate services. Service providers downplay cloud connectivity challenges, and organizations new to cloud computing don’t know the right questions to ask.

SaaS: It’s just the Internet

When organizations begin to discuss cloud infrastructure, an early assumption is that all connectivity will simply happen via the internet. While many SaaS services are accessible from anywhere via the internet, large organizations need to consider how the new traffic patterns will affect their current infrastructure. For example, Office 365 recommends you plan for 10 TCP port connections per device, and you can support at most 6,000 devices behind a single IP address. If you have a large network and a small PAT (port address translation) pool for client egress, PAT exhaustion will quickly become a problem.

Internet-based SaaS applications make hub-and-spoke networks with centralized internet access less efficient. Many WAN solutions use local internet connections to build encrypted tunnels to other sites. You can dramatically reduce network traffic by offloading SaaS applications to a local internet connection instead of backhauling traffic to a centralized data center. However, be mindful of the impact on your security footprint as you decentralize internet access across your organization.

But What About the Data Center?

Invariably, as teams begin to build IaaS and PaaS infrastructure in the cloud, they need access to resources and data that live in an on-premises data center. Most organizations begin with IPSec tunnels to connect the disparate resources. When building IPSec tunnels, take care to understand the cloud provider's requirements. Many cloud teams assume dynamic routing with BGP over the VPN tunnels. In my experience, most network engineers assume static routing over IPSec tunnels. Be sure to have conversations about requirements up front.

When building VPNs to the cloud, throughput can be an issue. Most VPN connections are built on underlying infrastructure with throughput limitations. If you need higher throughput than cloud VPN infrastructure will support, you will need to consider a direct connection to the cloud.

Plug Me In to the Cloud, Please

There are several options to connect directly to the cloud. If you have an existing MPLS provider, most offer services to provide direct cloud connectivity. There are technical limitations to these services, however. Pay special attention to your routing and segmentation requirements. MPLS connectivity will likely not be as simple as your provider describes in the sales meeting.

If you do not want to leverage MPLS service to connect to the cloud, you can provision a point-to-point circuit from your premises to a cloud service provider. Cloud services publish ample documentation for direct connections.

Another option is to lease space from a colocation provider who can peer with multiple cloud service providers (CSPs). You provide the circuits and hardware that reside in the colo, and the colo provides peering services to one or more cloud providers. Be aware that each CSP charges a direct connect fee on top of your circuit costs. There may also be data ingress and egress fees.

You Want to Route What on my Network?

Cloud service providers operate their networks with technologies similar to those of service providers. Many SaaS services are routable only via public IP addresses. For example, if you want to connect to Salesforce, Office 365, or Azure Platform Services over a direct connection, you will need to route their public IP addresses on your internal network to force that traffic across the direct connect circuits. Network engineers who have always routed internet-facing traffic with a default route injected into their IGP will have to rethink their routing design to get full use of direct connectivity into the cloud.
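As an added illustration (not code from the original post), the small Python lookup below shows why a default route alone sends a provider's public prefixes out the internet edge, and how injecting the more-specific prefixes steers them onto the direct connect circuit via longest-prefix match. All prefixes and next-hop names are constructed placeholders, not any provider's published ranges.

```python
# Added example: longest-prefix-match lookup over a routing table.
# Prefixes and next-hop names are constructed placeholders.
import ipaddress


def build_table(routes):
    """Parse (prefix, next_hop) pairs and order them most-specific first,
    which is the order a router evaluates candidate routes."""
    table = [(ipaddress.ip_network(prefix), next_hop) for prefix, next_hop in routes]
    return sorted(table, key=lambda route: route[0].prefixlen, reverse=True)


def lookup(table, destination):
    """Return the next hop for destination, or None if nothing matches."""
    addr = ipaddress.ip_address(destination)
    for network, next_hop in table:
        if addr in network:
            return next_hop
    return None


def not_steered(table, published_prefixes, wanted_hop):
    """Audit: which published prefixes would still follow a path other than
    wanted_hop? Checks the first address of each prefix through lookup()."""
    return [
        prefix for prefix in published_prefixes
        if lookup(table, str(ipaddress.ip_network(prefix).network_address)) != wanted_hop
    ]


# Constructed placeholder prefixes standing in for a SaaS/PaaS provider's list.
PUBLISHED = ["203.0.113.0/24", "198.51.100.0/25"]

# Design 1: only a default route injected into the IGP.
DEFAULT_ONLY = build_table([("0.0.0.0/0", "internet-edge")])

# Design 2: default route plus the provider's prefixes via the direct connect.
WITH_DIRECT = build_table(
    [("0.0.0.0/0", "internet-edge")]
    + [(prefix, "direct-connect") for prefix in PUBLISHED]
)
```

With only the default route, `not_steered(DEFAULT_ONLY, PUBLISHED, "direct-connect")` lists every published prefix; with the more-specific routes present, the list is empty and a destination such as 203.0.113.10 resolves to the direct connect while unrelated internet traffic still follows the default.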

I Thought the Cloud was Simple

The prevailing cloud messaging tells us that the cloud makes infrastructure simpler. There is some truth in this view from a developer’s perspective. However, for the network engineer, the cloud brings new connectivity challenges and forces us to think differently about how to engineer traffic through our networks. As you look to integrate cloud services into your on-premises data center, read up on the documentation from your cloud service provider and brush up on BGP. These tools will position you to address whatever challenges the cloud throws your way.


Eyvonne Sharp is a network architect for a Fortune 100 healthcare enterprise. She's a co-founder of Network Collective, a bi-weekly video roundtable where network engineers talk about industry trends, challenging projects, and what it takes to do network engineering day-to-day. Before working in the enterprise, she spent 10 years working for small VARs and integrators in the SMB space.