The post is part two of a blog series on cloud security basics and fundamentals. In this instalment, cloud network management and security are addressed.
As discussed in the last post, Cloud Security works on the shared responsibility model, a document that outlines the relationship between the cloud provider and the customer. According to this model, the cloud provider is responsible for the security of the cloud, while the customer is responsible for the security in the cloud. The shared responsibility model alleviates much of the effort, time, and energy burden that organisations adopting and running workloads on the cloud have been shouldering up until this point.
In the shared responsibility model, the cloud provider is responsible for the largest chunk of network management since they are responsible for procuring and configuring routers and switches, managing cables, purchasing public IP blocks, and so on. They provide an abstraction layer to the customer, allowing the customer to create a virtual private network. The virtual private network can dividend into the subnets, and it allows the customer to provision the resources in those subnets. The customer is mainly responsible for managing the virtual private network and the resources spun up in those subnets.
Cloud Networking Fundamentals
Before diving into how different network management is in the cloud, it is worth examining the AWS architecture diagram which showcases the critical fundamentals of cloud networking.
Reference - VPC with Public and Private Subnets
The cloud provider allows the customers to create a virtual private cloud (VPC) which is an isolated logical area allowing users to provision resources. The isolated area is for the private user, and all of the resources provisioned are available only to the customer. Each VPC has an allocated private IP range which can be broken down into subnets. The subnet is a subset range of the VPC IP address range with an attached route table. It defines whether or not the resources provisioned inside can make the external connection with the outside world. A subnet can be associated with only one route table. However, a route table can be associated with multiple subnets. The VPC provides two types of gateways: internet gateways to allow communication with the internet, and virtual private gateways (shown below) to allow customers to create VPN connections with the data center. If a subnet route table has outbound connectivity through an internet gateway, it is called a “public subnet.” The rest is called the “private subnet.”
The above architecture diagram focuses upon leveraging the VPC and the subnets to host the web application with web servers in the public subnet. The outbound connectivity from web servers happens directly over Internet Gateways. Because the databases are supposed to be accessed only by the application, they are hosted in the private subnet with outbound internet connectivity over the NAT Gateways. NAT Gateways allow the resources in the private subnet to fetch the packages and updates from the internet.
The below architecture diagram is a different implementation of the VPC. It showcases the connectivity between the on-premises data center and the VPC over the virtual private gateways. Once connected, the VPC becomes an extended part of the data center. The application can be hosted in VPC-leveraging cloud services while ensuring that both the cloud services and applications can be directly accessible by the data center team or the application over a private IP address. One useful example of this situation is cloud bursting, which allows data center applications to be extended to the cloud when demand for them is high.
The customer has complete control over the VPC range and the allocation of private IP addresses to the resources. The customer can directly request a public IP address from the cloud provider and assign that to the resource. The customer can also establish the VPC to its on-premises data center, leveraging the virtual private gateway. This helps the customer to securely extend connectivity between the resources on both sides over private IP range.
To further simplify and solidify the security offerings, the cloud provider provides security groups and network access control lists (NACL) capabilities which can control the inbound and outbound traffic at the resources and subnet levels. The security group provides stateful communication to the resources while the NACLs provide the stateless communication. Also, all internal communication between the resources and external communication between resources and the world is logged for further use analysis.
Critical Differences Between On-Premises Networking and Cloud Networking
VPCs provide privacy, security, and control over proprietary data, making it easy for customers to adopt the cloud. For a company managing its own data center, cloud network management is simpler and provides almost the same capabilities required to run its applications securely.
Cloud network management eliminates the need to have a separate dedicated team managing infrastructure. It also provides the option to write cloud networking infrastructure as a code to leverage the APIs exposed by the cloud provider. Other key benefits of cloud network management are:
- There is no need to purchase and rent an area for the data center.
- There is no need to purchase the hardware required to the set up the data center.
- There is no need to configure and set up routers, switches, cables, power backups, and a cooling system.
- There is no need to procure IP blocks.
- You have the ability to spin up the resources across any regions provided by the cloud providers, resulting in a low latency delivery to end users.
- There is no need to upgrade hardware when technology evolves.
Even though this article talks about the networking components offered by Amazon Web Services, the same level of abstraction applies to other cloud provider like Microsoft Azure and Google Cloud Platform.
Cloud adoption has made network management easier for customers. When it comes to security, customers only have to focus on few areas because the cloud provider does most of the work. Customers should make use of the features and services offered by the cloud provider to ensure that the network is configured in a well-designed and secure manner. By adopting the infrastructure as the code concept, customers can version control the entire network management piece, making change rollout easy. It is vital for organizations to stay on top of continuous audits for the network and ensure compliance. Any deviation from the desired state should be monitored and brought back to normal. As long as customers adhere to these principles, they will find that transitioning to the cloud will make their lives easier.