SOLUTION BRIEF

Extending AWS Cloud Native Services for Cloud Networking

How Enterprises can put together disparate services from AWS in their Cloud Networking Architecture

Challenge

AWS has been one of the defacto cloud providers that most organizations use to take advantage of the numerous benefits of the cloud. Multiple network services are available for Cloud architects planning to build their network in AWS, which are just enough to get started. While Gartner admits that native networking capabilities from cloud providers are good enough for many instances, there are notable gaps when putting together all these individual tools to solve enterprise-specific use cases at scale. In addition, there are required advanced networking features overlapping IP addresses, Application layer segmentation, business-to-business ( B2B) access, Zero Trust Network Access (ZTNA), etc.

Organizations kicking off their cloud journey can leverage the native networking services within AWS as building blocks to implement a variety of use cases. These use cases are typically focused on connectivity and segmenting their VPCs and network segments within and across their AWS regions and data centers.

The networking services within AWS are discussed in the following categories:

  • Network layer Connectivity – Connectivity and routing needs of the VPCs and network segments in their DCs can be achieved using Transit Gateway (TGW), peering attachment, CLoudWAN, and so on.
  • App layer connectivity – Connectivity can be achieved using a private link, network Loadbalancers, etc.
  • Security of the cloud network can be achieved using native functions like traffic encryption, NSGs, AWS Guard Duty, and Managed FW).
  • Fault Tolerance and high availability can be achieved using EKS, Cloud Formation, gateway Loadbalancers, etc.
  • Traffic Optimization by leveraging the AWS backbone, global accelerator.

 

Knowing when and where to use these cloud-native functions requires a skill-set that takes time to acquire, time that impacts any cloud-related project timelines. Additionally, manually combining these cloud-native functions significantly makes the network difficult to operate and manage, as it scales to thousands of VPCs across regions. Suboptimal traffic routing, inconsistent security policies, and poor application performance/user experience are some of the issues Prosimo customers have highlighted when building their cloud network.

Cloud-Native Solution for a Cloud-Native Problem

The key to avoiding these pitfalls is to have a software solution with cloud fluency, programmability, and automation and to sit above the native network functions, among other capabilities, as suggested by Gartner. These are some of the many capabilities Prosimo customers enjoy when running the Application Experience Infrastructure(AXI) Platform in their cloud environment.

The Platform is the only cloud networking solution built on a flexible Kubernetes architecture that understands and speaks the language of cloud-native infrastructure. As Prosimo is cloud-native, it establishes connectivity by working in concert with individual cloud service providers’ most efficient network services without the bottlenecks of monolithic virtual appliances. The Prosimo Platform:

  • Orchestrates connectivity between native network functions in the cloud provider’s environment.
  • Selects the best possible path for traffic.
  • Provides you with a global view of your cloud networks and applications.

Prosimo and AWS – Unified Cloud-Native Transit

Prosimo platform seamlessly integrates with the AWS cloud environment and orchestrates many native networking services in any region. This ensures that all the necessary cloud networking building blocks are in place. Organizations can then take advantage of the advanced networking features available within the Prosimo platform to implement use cases that require them.
From securing user access to cloud resources based on ZT principles to building a secure and optimized network fabric for the app–to–app and network–to–network communication, Prosimo orchestrates the building blocks in AWS and provides additional value as discussed in the following sections;
Network Connectivity and Segmentation

Orchestrates new Transit Gateways(TGW) in any region.

Discovers existing TGWs and their attached VPCs in brownfield scenarios.

Updates TGW and attached VPC routing tables to ensure network reachability to/from VPCs based on connectivity policy.

Exception handling and alerting if duplicate IPs are detected while onboarding.

Migrates to next-gen architecture, like CloudWAN seamlessly. Set up CloudWAN, segments, and attachments.

Keeps backward compatibility between VPC peering, TGW, and CloudWAN using common abstraction.

Orchestrates attachment of Direct Connect GW (VIF creation) to Transit Gateway as an underlay.

Seamless Cross account peering between app / Infra accounts.

High-performance Encrypted Overlay abstracted over any underlying transport.

Achieve network-layer segmentation using the Prosimo policy engine.

  • This ensures only authorized traffic flow not only between entire VPCs/VNETs but also between specific subnets.

App Layer Connectivity and Segmentation

Sets up Private link and NLB endpoints to establish transit that connects application endpoints or services (FQDNs, PaaS, and Serverless apps).

  • Organizations need not worry about applications with overlapping addresses and can implement use cases such as B2B access where network layer access is not feasible.

Extends regional construct like private link to connect to applications in any region or cloud, including DCs.

  • Organizations with shared services centralized in one region or one cloud can use rosimo to orchestrate private link connectivity to applications in other regions or other clouds which access the shared service.

Creates and manages Private hosted zones in Route 53 to attract traffic at the DNS layer from user endpoints or source VPCs to targets

Creates a segment around each application or FQDN and allows authorized access strictly based on policies.

Provides L7 visibility and insights such as total response time at the HTTP layer and break down at each hop (Cloud ingress, backbone, application VPC)

Fault Tolerance

Leverages Elastic Kubernetes Service (EKS) as a cloud-native data path.

  • This allows the platform provides horizontal auto-scaling and auto-failover capabilities versus manually managing multiple appliances and scaling them separately.

Uses CloudFormation to orchestrate or deploy regional K8 clusters with autoscaling for gateway HA.

Orchestrates Gateway load balancers to ensure network High Availability.

Security

Provides TLS encrypted data path across transit established over native peerings, private links, and TGW attachments.

Provides multiple layers of security (Geo-fencing, IP, certificates, Device posture, and so on) native to the platform.

  • Organizations create a secure boundary around each application and implement ZTNA based on a variety of access criteria.

Provides Embedded WAF to protect against cyber threats for the application layer (SQLi, XSS, and so on).

An optional Connector can be deployed for micro-segmentation within VPC.

Seamless firewall insertion ( AWS managed FW: Palo Alto ) for east-west traffic within a region or other regions/clouds.

Optimization

#1
Turns AWS backbone into express lanes to balance cost versus performance requirements.
#2
Orchestrates AWS Global accelerator(GA) for optimal performance for latency-sensitive apps.
#3
Adds other L4-L7 optimizations capabilities(caching, compression, etc.,) native within the Prosimo platform.
Previous
Next
These capabilities enable organizations to implement ZTNA for users with consistent and optimal application performance and experience.

Operational Outcomes

Gain visibility, and improve uptime

Prosimo’s AXI measures network quality across CSP network segments as well as application response times – discerning between network and application issues results in meaningful reductions in MTTR.

Maintain consistent segmentation across the cloud

Once deployed, Prosimo provides the framework to configure and deploy segmentation policies consistently across multiple VPCs and regions in the cloud. This ensures bi-directional communication flow only between authorized endpoints and networks.

Autonomous Cloud Networking

Prosimo’s Autonomous Cloud Networking is enabled by adding machine learning and AI functions that analyze the network fabric. Recommendations for improving performance or reducing egress charges are delivered every 24 hours.

A network as flexible as the cloud

Accepting a daily recommendation or making deterministic changes to the transit fabric are hitless and executed in minutes, thanks to a cloud-native network fabric that maintains consistent policy regardless of changes to the network path.

Summary

With Prosimo, organizations gain the flexibility to take advantage of the many networking services AWS offers to build a cloud network. In addition, they can implement a variety of use cases using advanced networking features native to the platform.

To see Prosimo in action sign-up for a trial in AWS marketplace.

Get started with Prosimo

Run an assessment in your environment on Prosimo
to see the state of your infrastructure.