– Chris Swan, CTO at CohesiveFT, says:
Applications running on Google Compute Engine (GCE) can take advantage of Google’s excellent network and Internet connectivity. That’s great for web applications, but what about connectivity back to enterprise data? GCE’s networks operate very similarly to Virtual Private Clouds (VPCs) in Amazon Web Services, but they don’t (yet) offer a hardware based IPsec connection service. Google providesome instructions for configuring a virtual machine as an IPsec gateway, but the do-it-yourself approach to Virtual Private Networks VPNs might not appeal to everyone.
Edge to edge connectivity with IPsec is often just one small part of an overall networking and security architecture. Many cloud users want more control over their data in motion, which is where overlay networks come in handy. Overlays are made up of a mesh of VPN connections that provide application owners with control over security, addressing, topology and protocol. VPCs might provide containment, but they don’t encrypt data in transit, so it’s often useful to augment a VPC with an overlay. VPCs also provide some control over addressing, but multiple VPCs can’t be connected together to form a single network, and addresses can’t be moved from one place to another. Once again overlays provide the required additional flexibility. Lastly, most clouds don’t support protocols like multicast, which can be essential to some applications (or their underlying infrastructure). Using an overlay that supports protocol redistribution can remedy that.
Overlay networking is going through a renaissance in the data center space with the launch of NSX by VMware and OpenContrail by Juniper. These platforms use overlay protocols like generic routing encapsulation (GRE) or VXLAN to construct a mesh of tunnels between virtual machines. Such techniques might often be used by service providers as a means to create VPCs. Unfortunately for public cloud users they can’t just install NSX or OpenContrail on their instances, as both platforms need support from the hypervisor layer (which is under the control of the cloud service provider rather than the user). CohesiveFT’s VNS3 overlay network gets around this by using SSL based OpenVPN to provide the tunnels, running everything in regular cloud instances under user control.
Overlays aren’t a panacea for all cloud networking situations, as the overlay manager can act as a choke point for traffic. To a certain extent it’s true to say, “if you need more bandwidth then get a bigger CPU”, but there can be cases when even the biggest CPU available isn’t up to the job. This is where GCE’s Advanced Routing features can come into play. By enabling the definition of gateways that connect to other networks it becomes possible to exploit the native (and very fast) connectivity available within Google’s network whilst still being able to bridge into other places with IPsec. The overlay advantages of encryption, portable addressing and additional protocols are forfeited, but there are cases where that’s a fair trade.
Whether using overlay or Advanced Routing a gateway is needed for connectivity from GCE to the enterprise data center or remote office using IPsec. Overlays offer flexible control over security, addressing, topology and protocols, but that flexibility comes with a potential performance penalty – so if ultimate performance is needed then Advanced Routing can be used instead. Either way, VNS3 provides an excellent suite of user friendly gateway functionality.