Virtual Private Cloud
Why do enterprises use virtual private clouds?
A virtual private cloud functions as an isolated environment within the public cloud space. A VPC is often used to isolate web servers from other cloud-hosted resources or to keep virtual servers in a multi-tier application separate.
Businesses use these constructs to keep close control over their virtual networks and shield sensitive workloads, while gaining the agility, flexibility and scalability of the public cloud without the exposure of running those workloads on a shared, flat network.
Having the best of both worlds makes sense for many organisations. With a VPC, enterprises reap the benefits of public cloud infrastructure along with the security and regulatory compliance advantages of a private cloud.
What are the challenges that come with virtual private clouds?
The VPC set-up comes with some challenges that an organisation needs to consider before switching over to this model. First, configuring, managing and monitoring the VPC's networking (subnets, routing, gateways and the virtual private network (VPN) or private links that connect it to the corporate network) can be beyond your in-house IT team's capabilities; a mis-set route or firewall rule exposes a workload just as surely as it would on-prem. In addition, because the virtual private cloud is hosted outside an organisation's data centre, on infrastructure shared with other tenants, it still may not be isolated enough for some highly regulated industries.
How does a virtual private cloud work?
The subscriber/tenant of a virtual private cloud is essentially purchasing a logically isolated environment: its address space, routing and traffic are kept separate from every other customer's, both inside the cloud provider's network and in transit. That isolation is enforced by the provider's network virtualisation rather than by dedicated hardware, since the underlying physical hosts and links are shared.
In addition, a public cloud subscriber can create resources that live on the public cloud but remain out of reach of other subscribers on the cloud. Subscriber-created virtual machines, databases or gateways can be reached only by the subscriber, unless the subscriber itself exposes them through an internet gateway or a public endpoint.
However, while the tenant remains in control of network components, such as IP addresses, subnets, network gateways and access control policies, security for a VPC is shared rather than handed over wholesale. The service provider secures the physical infrastructure and the isolation between tenants; the subscriber's IT department remains responsible for everything it configures inside the VPC, including firewall rules, routing, identity and access, and the protection of its own data. To mitigate the risk of relinquishing control over the infrastructure layer, the tenant can choose a provider that applies controls such as encryption, tunnelling, private IP addressing or a unique virtual local area network (VLAN) per customer, which gives their data nearly as much protection as an on-prem cloud.
What are the differences between a virtual private cloud and a private cloud?
There are a few differences between a traditional, on-prem private cloud and a VPC, including resource delivery methods and the provider/tenant relationship. With a private cloud, business units maintain more control over their IT resources, including the physical hosts; in a VPC, the isolation is logical rather than physical and is therefore somewhat weaker by comparison.
The primary difference, however, has to do with the relationship between the data owner and the service provider. In an on-prem cloud, individual business units are the tenants and internal IT acts as the service provider. In contrast, a VPC works with the public cloud provider as the service provider and the subscriber –often the IT department – as the tenant. What that means is that in the virtual model, IT no longer acts as the gatekeeper for all technology.
Instead of going through their own IT department to deploy new applications or services, organisations using a VPC deploy those applications and services onto the service provider's infrastructure.
In terms of resource delivery, traditional private clouds can allow individual business units to use a self-service portal to deploy resources. If that is available, then the IT department does not even touch the projects – relieving them of a considerable burden on their time. But some VPCs may lack the same self-sufficiency because of their many layers of isolation.
What are the features of a virtual private cloud?
Typical virtual private clouds have five main features that can be customised during set-up. These are:
1. Subnets: An organisation can divide the address range it uses on a VPC into subnets to control access to them more closely. A subnet is public if its route table sends traffic to an internet gateway and private if it does not, so which resources are reachable from the internet is a routing decision. Depending on the provider, up to 200 subnets can be created.
2. Gateways: These control access to and from the resources on a VPC. There are five types:
a) Internet gateway: connects a VPC to the public internet in both directions, for resources that hold a public address
b) NAT gateway: network address translation (NAT) that lets resources in a private subnet initiate connections to the internet while unsolicited inbound connections are not forwarded
c) Virtual private gateway: the provider's side of a site-to-site VPN connection (or dedicated private link) to an on-prem network
d) Egress-only internet gateway: outbound-only internet access for IPv6 traffic, which needs its own construct because IPv6 addresses are publicly routable and are not translated by NAT
e) VPC endpoints: let resources inside a VPC reach the provider's own services (AWS services, in the AWS case) or services in another VPC privately, without traversing an internet gateway or NAT gateway
3. VPN: Virtual private networks connect a VPC to an on-prem network or to remote users over an encrypted tunnel, so that access to VPC resources does not have to be exposed on the internet.
4. Regions and zones: Providers host VPCs across many geographic regions divided into multiple isolated locations, called availability zones, local zones and wavelength zones, so an organisation can locate resources closer to its end users.
5. Route tables: Each subnet is associated with a route table that decides where traffic leaving that subnet is sent. A local route covers the VPC's own address range, and further entries map destination prefixes to a gateway or endpoint; the most specific matching prefix wins, and a destination that matches no entry is unreachable.
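The route-table behaviour described above, as an added example that is not code from the original page or from any cloud provider's SDK. It models a VPC with one public and one private subnet and resolves destinations by longest-prefix match; the VPC CIDR, subnet CIDRs and the gateway labels (igw-example, nat-example, vgw-example, vpce-example) are made-up names, and 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges standing in for an internet host and a provider service prefix.

```python
"""Route-table lookup for a two-subnet VPC (added illustration)."""
import ipaddress

# Constructed topology: one VPC with a public and a private subnet.
VPC_CIDR = "10.0.0.0/16"
PUBLIC_SUBNET = "10.0.1.0/24"
PRIVATE_SUBNET = "10.0.2.0/24"

# A route table is a list of (destination prefix, target). Every table carries
# the "local" route for the VPC's own range; the rest is per-subnet policy.
PUBLIC_ROUTES = [
    (VPC_CIDR, "local"),
    ("0.0.0.0/0", "igw-example"),        # internet gateway: two-way internet access
]
PRIVATE_ROUTES = [
    (VPC_CIDR, "local"),
    ("0.0.0.0/0", "nat-example"),        # NAT gateway: outbound-initiated only
    ("192.168.0.0/16", "vgw-example"),   # virtual private gateway: on-prem via VPN
    ("203.0.113.0/24", "vpce-example"),  # gateway endpoint: provider service prefix
]

SUBNET_TABLES = {PUBLIC_SUBNET: PUBLIC_ROUTES, PRIVATE_SUBNET: PRIVATE_ROUTES}


def lookup(routes, dst):
    """Longest-prefix match: the most specific matching prefix decides the target.

    Returns None when nothing matches, which is how a subnet without a default
    route ends up with no path to the internet at all.
    """
    addr = ipaddress.ip_address(dst)
    best_net, best_target = None, None
    for prefix, target in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def next_hop(src, dst):
    """Pick the route table of the subnet that contains src, then resolve dst."""
    s = ipaddress.ip_address(src)
    for subnet, routes in SUBNET_TABLES.items():
        if s in ipaddress.ip_network(subnet):
            return lookup(routes, dst)
    raise ValueError(f"{src} is not inside any subnet of {VPC_CIDR}")


def internet_exposure(subnet):
    """Classify a subnet by what its default route points at."""
    target = lookup(SUBNET_TABLES[subnet], "198.51.100.7")  # any public address
    if target is None:
        return "none"
    if target.startswith("igw-"):
        return "two-way"
    if target.startswith("nat-"):
        return "outbound-only"
    return "via " + target


if __name__ == "__main__":
    print(next_hop("10.0.2.20", "10.0.1.10"))      # local
    print(next_hop("10.0.2.20", "198.51.100.7"))   # nat-example
    print(internet_exposure(PUBLIC_SUBNET))        # two-way
```

The check worth carrying into a real review is `internet_exposure`: a subnet meant to be private must not resolve a public address to an internet gateway, whatever its name suggests.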
Some providers include features that help subscribers enhance security and access, allowing for continuous monitoring and diagnosis, for example:
- Diagnostic tools: These kinds of tools analyse the virtual path between individual resources within a VPC to uncover any component (a route, a security group or a network ACL) that is blocking the pathway.
- Flow logs: These record metadata about traffic flowing through a VPC (source and destination address, ports, protocol and whether the traffic was accepted or rejected), enabling organisations to detect anomalies, spot data leakage and see into their network dependencies and traffic patterns to troubleshoot connectivity and configuration issues.
- Traffic mirroring: With this feature, organisations can run deep packet inspection by copying the traffic of an instance's network interface to out-of-band security and monitoring appliances. This helps detect network and security anomalies, provides operational insights, enables compliance and security controls, and generally supports troubleshooting.
- Ingress routing: This tool makes it possible to send inbound traffic through specific gateways or inspection appliances before it reaches business workloads.
- Security groups: Each virtual machine instance is associated with one or more security groups, which act as a stateful firewall at the instance level: a connection allowed in one direction has its return traffic allowed automatically.
- Network access control list (NACL): This optional layer of security also controls traffic, but at the subnet level and statelessly, so rules are evaluated in numbered order for every packet, including replies. Organisations can define rules for their network as an additional layer of security.
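The difference between a stateful security group and a stateless network ACL, as an added example rather than code from the original page or from any cloud provider. Rules are simplified to a direction, a protocol, a destination-port range, a peer CIDR and an action; the addresses, ports and rule numbers are constructed for the example. It shows why a NACL needs an explicit outbound rule for ephemeral ports before a web server can answer a request that the inbound rule already allows, and why the numbering of a NACL deny rule decides whether it takes effect.

```python
"""Stateful security group versus stateless network ACL (added illustration)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int

    def reverse(self):
        """The 5-tuple of the reply to this packet."""
        return Packet(self.dst, self.src, self.proto, self.dport, self.sport)


@dataclass(frozen=True)
class Rule:
    direction: str          # "in" or "out", relative to the protected instance
    proto: str              # "tcp", "udp" or "all"
    ports: tuple            # inclusive (low, high) range of destination ports
    cidr: str               # peer network: source for "in", destination for "out"
    action: str = "allow"   # NACLs also have "deny"; security groups are allow-only
    number: int = 0         # NACL evaluation order; the lowest matching number wins


def matches(rule, pkt, direction):
    if rule.direction != direction or rule.proto not in ("all", pkt.proto):
        return False
    if not rule.ports[0] <= pkt.dport <= rule.ports[1]:
        return False
    peer = pkt.src if direction == "in" else pkt.dst
    return ipaddress.ip_address(peer) in ipaddress.ip_network(rule.cidr)


class SecurityGroup:
    """Stateful: once a packet is allowed, replies for that flow are allowed too."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()

    def allows(self, pkt, direction):
        if pkt.reverse() in self.flows:     # tracked connection: reply is allowed
            return True
        if any(matches(r, pkt, direction) for r in self.rules):
            self.flows.add(pkt)
            return True
        return False                        # implicit deny when no rule matches


class NetworkAcl:
    """Stateless: every packet, replies included, is checked against the rules."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def allows(self, pkt, direction):
        for r in self.rules:                # first match by rule number decides
            if matches(r, pkt, direction):
                return r.action == "allow"
        return False                        # the trailing catch-all deny


def https_scenario():
    """A client on the internet opens TCP/443 to a web server at 10.0.1.10."""
    request = Packet("198.51.100.7", "10.0.1.10", "tcp", 51234, 443)
    reply = request.reverse()

    web_sg = SecurityGroup([Rule("in", "tcp", (443, 443), "0.0.0.0/0")])
    naive_nacl = NetworkAcl([
        Rule("in", "tcp", (443, 443), "0.0.0.0/0", number=100),
        Rule("out", "tcp", (443, 443), "0.0.0.0/0", number=100),
    ])
    fixed_nacl = NetworkAcl(naive_nacl.rules + [
        # replies go back to the client's ephemeral source port, not to 443
        Rule("out", "tcp", (1024, 65535), "0.0.0.0/0", number=110),
    ])
    return {
        "sg_request": web_sg.allows(request, "in"),
        "sg_reply": web_sg.allows(reply, "out"),              # no outbound rule needed
        "naive_nacl_request": naive_nacl.allows(request, "in"),
        "naive_nacl_reply": naive_nacl.allows(reply, "out"),  # dropped: dport is 51234
        "fixed_nacl_reply": fixed_nacl.allows(reply, "out"),
    }


def blocklist_scenario(deny_number):
    """Deny one network on a NACL; whether it bites depends on its rule number."""
    acl = NetworkAcl([
        Rule("in", "tcp", (443, 443), "0.0.0.0/0", number=100),
        Rule("in", "all", (0, 65535), "198.51.100.0/24", action="deny", number=deny_number),
    ])
    return acl.allows(Packet("198.51.100.7", "10.0.1.10", "tcp", 51234, 443), "in")
```

Two practical consequences follow: a NACL that only mirrors the security group's port list silently breaks every connection at the reply, and a deny rule numbered after a broad allow never fires, so blocklist entries belong at low rule numbers.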
What are the benefits of using a virtual private cloud?
- Scalability: Organisations can tap into the elastic nature of a public cloud platform without the risk inherent in placing resources where anyone could access them.
- More control: Using a VPC, you can secure connections, screen traffic and restrict instance access within your own virtual network.
- Streamlined productivity: By deploying a VPC, organisations can avoid the productivity bottleneck that is often caused by their own IT departments. In a VPC, an organisation doesn’t have to wait for approval or scope modifications that IT departments can impose on new projects. This can save weeks or even months of time in the production cycle.
- Lower costs: Organisations can also avoid large upfront investments in IT infrastructure by provisioning such resources virtually in the public cloud, where they are easy to reach and maintain. This way, an organisation gains a flexible, secure and scalable infrastructure without the cost of ownership.
- Easier management: Enterprise IT can spend less time setting up, managing and validating virtual networks, freeing them up for building applications and services that drive overall business profitability.
- Extending resources: An enterprise can use a VPC within a hybrid cloud deployment as an extension of its own data centre – without the time and resources necessary to build an on-prem private cloud.
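The flow logs listed under the features above are only useful if something reads them, so here is an added example of the kind of detection a subscriber would run over them. It is not code from the original page or from any provider's tooling. It parses the default 14-field flow log format (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status) and runs two checks over constructed sample lines: a port-sweep heuristic on rejected flows and an alert on accepted SSH from outside the RFC 1918 ranges. The account id, interface id and addresses are made up, with public addresses taken from documentation ranges.

```python
"""Detections over VPC flow log records (added illustration)."""
import ipaddress
from collections import defaultdict
from typing import NamedTuple

FIELDS = ("version", "account", "eni", "src", "dst", "sport", "dport",
          "proto", "packets", "bytes", "start", "end", "action", "status")

INTERNAL = [ipaddress.ip_network(c) for c in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Flow(NamedTuple):
    eni: str
    src: str
    dst: str
    sport: int
    dport: int
    proto: int      # IANA protocol number: 6 = TCP, 17 = UDP
    action: str     # ACCEPT or REJECT: the verdict of the security group / NACL checks


def parse_line(line):
    """Return a Flow, or None for NODATA/SKIPDATA records that carry no traffic."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count in {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["status"] != "OK":
        return None
    return Flow(rec["eni"], rec["src"], rec["dst"], int(rec["sport"]),
                int(rec["dport"]), int(rec["proto"]), rec["action"])


def is_internal(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in INTERNAL)


def find_scanners(flows, min_ports=5):
    """Sources whose rejected flows hit at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for f in flows:
        if f.action == "REJECT":
            ports[f.src].add(f.dport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def external_ssh(flows):
    """Accepted TCP/22 flows whose source lies outside internal address space."""
    return [f for f in flows
            if f.action == "ACCEPT" and f.proto == 6 and f.dport == 22
            and not is_internal(f.src)]


def analyse(text):
    flows = [f for f in map(parse_line, text.splitlines()) if f is not None]
    return {"scanners": find_scanners(flows), "external_ssh": external_ssh(flows)}


# Constructed sample: one legitimate HTTPS session, a port sweep from
# 203.0.113.9 that the security group mostly rejects, an accepted SSH login
# from the internet, an internal SSH session and one NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 51234 443 6 10 840 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.10 40001 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.10 40002 23 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.10 40003 80 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.10 40004 443 6 1 60 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.10 40005 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.10 40006 8080 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.50 10.0.1.10 55555 22 6 12 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.20 10.0.1.10 44444 22 6 8 900 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The RFC 1918 check is written out explicitly rather than relying on a library's notion of "private", because the documentation ranges used in the sample are classed as special-purpose by such helpers and would otherwise never trigger the alert; in production, substitute the organisation's own VPC and on-prem prefixes.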
How does HPE help with virtual private clouds?
As digital transformation has become imperative, organisations have rushed to the cloud to execute on modernisation. However, that rush led to many challenges due to a lack of in-house cloud implementation skills and difficulties ensuring compliance and security for data and apps. Frost & Sullivan reports that 38% of companies noted technical challenges beyond their capabilities as the main reason for pulling back from their first cloud attempt and repatriating cloud apps back on-prem.
With industry-leading experience and IP curated through hundreds of successful enterprise-centric cloud transformation engagements, HPE offers consultation and resources to help you lay the foundation for a strategic cloud transformation. The HPE Transformation Programme for Cloud service facilitates the evaluation of your organisation, identifies maturity gaps and develops a cloud roadmap to prepare people, processes and technology for holistic cloud transformation. We leverage our proven Cloud Transformation Maturity (CTM) framework to analyse cloud maturity across several domains and smoothly transition key governance roles to your team through the establishment of a cloud business office (CBO). This framework involves an analysis of your current cloud maturity levels to produce a roadmap for achieving your desired maturity level for each of the CTM domains.
HPE GreenLake cloud services offer a powerful foundation to drive digital transformation through an elastic as-a-service platform that can run on-prem, at the edge or in a colocation facility. The HPE GreenLake edge-to-cloud platform combines the simplicity and agility of the cloud with the governance, compliance and visibility that comes with hybrid IT. With the HPE GreenLake platform, you can bring the cloud experience directly to your apps and data wherever they are – the edge, colocations or your data centre. It offers a range of cloud services that accelerate innovation, including cloud services for compute, container management, data protection, HPC, machine learning operations, networking, SAP HANA®, storage, VDI, bare metal and VMs. With no data movement or egress charges, no lock-in, faster time to market, cash and capital conservation, and optimisation of existing IT investments, you can run your business on the HPE GreenLake platform.