I hate to split hairs on terminology. Arguing about definitions is rarely productive. But semantics frame our view of the world, so it is critical to at least reflect on what certain words mean. Take hybrid cloud, a popular buzzword this year.
Some people consider any environment that includes both on-premises environments and public cloud services to be a hybrid cloud. While true in the most literal sense, if these hybrid services operate in complete isolation from one another, then they are not truly hybrid and they may add more complexity than value to the solution architecture.
On the other hand, if there is interoperability between these cloud instances, then there is greater opportunity for application integration. And in that case, you have a hybrid cloud. As I mentioned in the last post, this kind of opportunity and flexibility are good for business. We might need to interconnect to implement identity management, leverage the message transport system, or share a common data repository.
Of course, not all resource sharing makes sense in a hybrid environment. For instance, it would be possible to obtain publicly addressable Internet addresses for each system and open up all the appropriate ports in the firewalls, so that entities in different datacenters could exchange information. However, such an approach would squander valuable address ranges and leave virtual machines highly exposed to threats on the Internet.
So what can you do? Network virtualization is a good way to manage the integration-isolation dynamic in a hybrid cloud environment. For instance, network virtualization enables you to create separate address spaces for the tenants and the provider. Creating tables that map each customer address to a provider address makes it possible to host tenant virtual machines on any physical host, so that all entities in a tenant's network can communicate among themselves using their own IP addresses.
Decoupling the logical tenant topologies from the physical datacenter topology also creates the illusion of a dedicated IP address space for each customer. This simplifies network resource use and facilitates virtual machine deployment and network migration with a minimum of reconfiguration or service interruption.
Most importantly, it isolates systems belonging to one logical network from other tenants, as well as the outside world. Virtual machine managers can provide additional network protection by adding filters to monitor or modify network packets, authorize connections, and filter traffic on the backplane as well as the physical network.
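To make the customer-address (CA) to provider-address (PA) mapping concrete, here is an added, constructed model of such a table (not code from the original post or from any vendor's product). Tenant names, addresses and hosts are hypothetical; it shows two tenants with overlapping address space, a lookup that stays inside the sender's own tenant, and a migration that changes only the PA.

```python
import ipaddress

# Constructed example: a minimal model of a per-tenant CA -> PA mapping table.
# Tenants "blue" and "red" and the 192.0.2.x hosts are hypothetical.

class VirtualNetworkPolicy:
    """Per-tenant customer-address to provider-address table with isolation."""

    def __init__(self):
        # key: (tenant, customer IP) -> provider IP of the host running that VM
        self._table = {}

    def add_vm(self, tenant, ca, pa):
        self._table[(tenant, ipaddress.ip_address(ca))] = ipaddress.ip_address(pa)

    def migrate_vm(self, tenant, ca, new_pa):
        """Move a VM to another host: only the PA changes, the tenant keeps its CA."""
        key = (tenant, ipaddress.ip_address(ca))
        if key not in self._table:
            raise KeyError(f"{tenant}/{ca} is not a known VM")
        self._table[key] = ipaddress.ip_address(new_pa)

    def lookup(self, tenant, src_ca, dst_ca):
        """Return (src_pa, dst_pa) for a flow within one tenant, or None to drop it.

        The destination is resolved only inside the sender's tenant, so a CA that
        exists in another tenant's space is invisible even when the address overlaps.
        """
        src_pa = self._table.get((tenant, ipaddress.ip_address(src_ca)))
        dst_pa = self._table.get((tenant, ipaddress.ip_address(dst_ca)))
        if src_pa is None or dst_pa is None:
            return None
        return str(src_pa), str(dst_pa)


def build_demo_policy():
    """Two tenants reusing 10.0.0.0/24, placed on shared physical hosts."""
    policy = VirtualNetworkPolicy()
    policy.add_vm("blue", "10.0.0.4", "192.0.2.10")
    policy.add_vm("blue", "10.0.0.5", "192.0.2.11")
    policy.add_vm("red", "10.0.0.4", "192.0.2.11")  # same CA as blue, other tenant
    return policy


if __name__ == "__main__":
    p = build_demo_policy()
    print(p.lookup("blue", "10.0.0.4", "10.0.0.5"))  # ('192.0.2.10', '192.0.2.11')
    print(p.lookup("red", "10.0.0.4", "10.0.0.5"))   # None: red has no 10.0.0.5
    p.migrate_vm("blue", "10.0.0.5", "192.0.2.12")
    print(p.lookup("blue", "10.0.0.4", "10.0.0.5"))  # ('192.0.2.10', '192.0.2.12')
```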
These emerging technologies are critical to building an application environment that spans datacenters, while also minimizing threats by reducing the attack surface such a topology offers.
Let’s face it: Cloud services are not built on an architecture that is completely devoid of a perimeter. But it is vital for the boundaries to take a logical rather than a physical shape, which introduces much more flexibility to adapt as circumstances change.