
Cloud Connectivity
Data Center

A Cloud Case Study

Axel.Hinz-IT-Cloud

Project Details

Client

Automotive Major Bank

Category

Financial Industry

Project Date

2021

Introduction

Initial Situation

The transition from a local to a cloud-based proxy prompted a client from the financial industry to create a new concept for the planned cloud connectivity of their data center.

Objective

The network segmentation design of the data center needs to be reflected in the cloud connection design as well, so that the existing segmentation approach is preserved. In addition to the typical goals of increased flexibility, better scalability, and efficiency improvements, the customer also wanted to address data protection and regulatory requirements.

Task

Challenges

In addition to AWS, Azure and GCP, there are numerous other clouds that operate with different vendor-specific connections. Direct peering, L2- or L3-based connections, and other options should not be implemented through many individual solutions, but through a central instance that enables the specific connection required in each case.

The challenge was to develop a unified concept that integrates many different solutions. Differences between PaaS, IaaS, and SaaS had to be considered, as well as suitable encryption methods. Connecting such diverse systems as databases, web frontends, and various software offered a wide range of possibilities. How are subsidiaries connected? How will end users use a cloud dial-in solution in the future? We also addressed the question of whether the solution should be centralized or decentralized. Network segmentation and regulatory differences increased the complexity. Furthermore, the rapid development cycles in cloud technology demanded an agile and flexible solution in order to continuously keep pace with changes.

Solution

Concept based on functional blocks

Generally, a block-based concept for connections allows different technologies (e.g., layer 2- or layer 3-based) to coexist. Routers, firewalls, and other necessary components are combined differently depending on the solution. The implementation of network segmentation also had to be constructed individually to reflect the different technologies, and the adaptation of the security concept had to address modern cloud technologies. No fewer than 17 different clouds had to be considered in the first phase.

Implementation

L2 and L3 Technologies

Using standard L2 and L3 technologies, the majority of clouds could be connected. A few required dedicated solutions, though; these were implemented through two different approaches in the connectivity block. High-efficiency routers and firewalls, IDS/IPS solutions, and Application Layer Gateways (ALGs) were deployed for security according to the type and structure of each connection. Encryption and NAT played a central role, with dedicated instances according to the solution characteristics of each connection. Data flows in clouds are organized quite differently than on-premise, which further increases complexity and forces compromises where on-premise systems are part of the service.

Result

Project Success

Both the flexibility and the volatility of cloud solutions rule out a typical, linear solution path. Thus, agile methods were necessary, although these are challenging to reconcile with the character of infrastructure projects. The final success is therefore the sum of many individual connections.

  • Increased Flexibility
  • Better Scalability
  • Increased Efficiency
  • Data protection and Regulation

Conclusion & Recommendation

Cloud Strategy!

Cloud connections can be implemented in compliance with regulation, also within the financial industry. The documentation is more challenging than with on-premise structures. A clear cloud strategy is essential to realise the needed connectivity. Clearly defined objectives are needed both to achieve connectivity and to remain open to future changes. Additionally, regulatory requirements must be continuously reviewed and aligned with cloud changes. Governance therefore demands particularly careful documentation.
