The impulse to move absolutely everything to the public cloud is coming to an end. Many companies are re-evaluating their strategies and adopting a hybrid model, bringing or migrating workloads from the cloud back to on-premises, mostly in the IaaS space. The main reasons companies are re-evaluating public cloud are cost, the desire for total control over their data, and privacy.
However, these companies don’t necessarily want to have to build (or expand) their own data centers. Instead, they’ll rent racks from hosting providers. These providers are responsible for power (including backup power in case of an electrical outage), temperature control, physical security, and other infrastructure elements. Customers can install their compute, networking, and storage devices in locations provided by hosting companies to build their private clouds.
But these customers still need to connect to the outside world. The major difference between public and private clouds is that in the public cloud, Internet connectivity is already part of the service. In a private cloud, the customer has to manage internal and external connectivity.
There are various connectivity options. A customer can contract services from an ISP directly. In some cases, the hosting provider may have a network offering that includes Internet access and/or private connections to major public clouds. Typically, network operators such as Verizon, BT, and others have dedicated networking equipment in the hosting facilities’ data centers. Otherwise, you will need to request (and pay for) an ISP’s presence in a center where they are not already present.
Know Your Options
If you’re building a private cloud within a hosting facility, you can select different types of connections from a service provider. Your choice will depend on requirements including cost, network bandwidth, application requirements, and whether you want private or public connections.
Public Connectivity: This means you want to connect to the public Internet. Generally, small- and medium-sized companies do not have their own public IP addressing; they get assigned a pool by the ISP.
Once the ISP has activated the service, you can request cabling from the ISP’s router to your endpoint, usually a firewall. The interconnection details will be specified in the Letter of Authorization (LOA) document with the ISP.
It’s possible you might have your own ASN and public addressing. In this case, you must buy transit from an ISP to advertise your addresses; from there they’ll be propagated worldwide.
Private Connectivity: For certain use cases, public Internet connections may not be necessary or desirable; for example, when connecting your branch offices to your private cloud. In such a case you can choose from among several private connectivity options. They include:
- L2 Point-To-Point: You can contract an L2 circuit that, in practice, behaves as if you had a cable between two ports, also called a pseudo-wire. In other words, you extend a broadcast domain over the ISP backbone. L2 protocols (CDP, STP, VTP, etc.) are transparently transported and 802.1Q frame tagging is honored.
This can be achieved in two ways, depending on the ISP. The first option requires dedicated fiber and equipment. You’ll get more privacy and higher performance, but it’s more expensive. The second option uses an overlay solution (e.g. an MPLS L2VPN or VPLS).
- L2 VPN: An L2 VPN is an extension of the previous point, where the ISP’s backbone behaves like a global switch. All sites are seen at L2 between the designated ports. As in the previous case, this circuit permits the extension of the broadcast domain over an ISP WAN.
- L3 VPN: Unlike the previous services, the networks of different sites are routed in the ISP’s backbone. That is, sites are interconnected at layer 3 (IP). Routing is performed on the border routers at your premises.
An L3 VPN is usually the most appropriate solution for providing connectivity to the public cloud over dedicated lines. For example, an L3 VPN can be contracted from the ISP to route traffic to a PoP where AWS or Azure have a presence, so that you can use services such as Direct Connect or ExpressRoute.
- DWDM (Dense Wavelength Division Multiplexing): For particularly critical traffic with very high bandwidth requirements, you can contract frequencies (also called colors, or lambdas) within the ISP’s optical fibers. Basically, the ISP is providing layer 1 connectivity. This type of connectivity is mostly used for data replication between data centers or for data migration purposes. At the end of the day, the cost of this solution is only justified if network performance and capacity are critical for the business.
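The L2 point-to-point and L2 VPN options above extend your broadcast domain across the ISP backbone, and the text notes that L2 control protocols (CDP, STP, VTP) and 802.1Q tags cross the circuit untouched. A practitioner accepting such a circuit usually wants to see exactly which control-plane frames and VLAN tags are leaving the site. The following added example (not code from the original article) is a small parser that decodes the 802.1Q header and classifies the well-known L2 control frames by destination MAC and LLC/SNAP header. The sample frames are constructed inline for the demonstration; MAC addresses and payload bytes are made up and the BPDU/CDP/VTP bodies are truncated placeholders.

```python
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
MAX_8023_LENGTH = 0x05DC  # type/length field at or below this value is an 802.3 length

# Well-known layer-2 control-plane destination addresses
STP_DST = bytes.fromhex("0180c2000000")    # IEEE 802.1D bridge group address
CISCO_DST = bytes.fromhex("01000ccccccc")  # Cisco multicast used by CDP and VTP
CISCO_OUI = bytes.fromhex("00000c")        # SNAP OUI for Cisco protocols
CISCO_PIDS = {0x2000: "CDP", 0x2003: "VTP"}


def classify(dst, ethertype, payload):
    """Name the protocol carried by a frame from its addressing and headers."""
    if ethertype <= MAX_8023_LENGTH:
        # 802.3 frame: an LLC header follows the length field
        if dst == STP_DST and payload[:2] == b"\x42\x42":
            return "STP"
        if (dst == CISCO_DST and payload[:3] == b"\xaa\xaa\x03"
                and payload[3:6] == CISCO_OUI and len(payload) >= 8):
            pid = struct.unpack_from("!H", payload, 6)[0]
            return CISCO_PIDS.get(pid, "CISCO-SNAP")
        return "LLC"
    if ethertype == ETHERTYPE_IPV4:
        return "IPv4"
    return f"ethertype-0x{ethertype:04x}"


def parse_frame(raw):
    """Decode dst/src, optional 802.1Q tag and the protocol kind of one frame."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    offset = 12
    ethertype = struct.unpack_from("!H", raw, offset)[0]
    vlan = pcp = None
    if ethertype == TPID_8021Q:
        # 802.1Q tag: TPID (2 bytes) then TCI = PCP(3) | DEI(1) | VID(12)
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q frame")
        tci = struct.unpack_from("!H", raw, offset + 2)[0]
        pcp = tci >> 13
        vlan = tci & 0x0FFF
        offset += 4
        ethertype = struct.unpack_from("!H", raw, offset)[0]
    payload = raw[offset + 2:]
    return {
        "dst": dst.hex(":"), "src": src.hex(":"),
        "vlan": vlan, "pcp": pcp, "ethertype": ethertype,
        "kind": classify(dst, ethertype, payload),
    }


def control_plane_report(frames):
    """List (kind, vlan) for every L2 control-protocol frame seen on the circuit."""
    parsed = (parse_frame(f) for f in frames)
    return [(p["kind"], p["vlan"]) for p in parsed if p["kind"] in ("STP", "CDP", "VTP")]


# Constructed sample frames (hypothetical MACs, truncated protocol bodies)
SAMPLE_FRAMES = {
    # Untagged STP BPDU: bridge group address, 802.3 length, LLC DSAP/SSAP 0x42
    "stp": STP_DST + bytes.fromhex("0011223344aa") + bytes.fromhex("0026")
           + bytes.fromhex("424203") + bytes(8),
    # CDP on VLAN 100: 802.1Q tag, then LLC/SNAP with Cisco OUI and PID 0x2000
    "cdp": CISCO_DST + bytes.fromhex("0011223344bb") + bytes.fromhex("8100 0064 0020")
           + bytes.fromhex("aaaa03 00000c 2000") + bytes.fromhex("02b40000"),
    # VTP on VLAN 1: same SNAP header, PID 0x2003
    "vtp": CISCO_DST + bytes.fromhex("0011223344cc") + bytes.fromhex("8100 0001 0020")
           + bytes.fromhex("aaaa03 00000c 2003") + bytes(4),
    # Ordinary IPv4 data on VLAN 200 with priority (PCP) 3
    "ipv4": bytes.fromhex("001122334455") + bytes.fromhex("0011223344dd")
            + bytes.fromhex("8100 60c8 0800") + bytes.fromhex("4500"),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(name, parse_frame(frame))
    print("control-plane frames:", control_plane_report(SAMPLE_FRAMES.values()))
```

Fed with a capture taken on the port facing the ISP's pseudo-wire, `control_plane_report` shows which VLANs are carrying STP, CDP or VTP across the WAN, which is the information needed to decide whether to filter those protocols at the edge or to keep the broadcast-domain extension deliberately.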
Once the service is contracted, the cabling needs to be extended from the ISP equipment in the data center to your gateway, which is usually a firewall for L3 connections or a switch for L2 circuits. As this involves medium- to long-distance cabling within the facility, it is usually contracted from the hosting provider.