Global Technology Conglomerate builds full stack transit network with Prosimo in GCP.
Case Study
The company’s principal cloud architect devised a plan to streamline GCP cloud connectivity for hundreds of network segments, lift-and-shift applications, and API and PaaS endpoints across all business units. To achieve this, the architect sought solutions that fulfilled the following requirements.
Key Requirements
- Utilize GCP cloud-native services such as Cloud Interconnect, Cloud Router, and Private Service Connect as the underlay.
- Manage access to multiple business units’ GCP accounts through a single pane of glass.
- Simplify management of stacks and dashboards while improving visibility of traffic flow between endpoints, VPCs, and accounts across regions and data centers.
- Ensure high-performance encryption of network traffic.
- Provide secure and optimized network transit across multiple applications in GCP.
Prosimo made it easy for the company to manage all of its Google Cloud Platform accounts from one place. The platform’s data plane was deployed in a single account and connected to the other accounts over Google’s cloud backbone.
Private access to the Google Cloud Storage service for on-prem hosts.
Prosimo improved the security of the business unit’s database backups by orchestrating a private network path for them and using an embedded web application firewall to inspect the backup traffic.
Direct, secure connectivity between the GCP and AWS cloud environments.
Prosimo's cloud-native platform simplifies deployment and management, providing direct and secure connectivity between AWS and GCP. Its centralized policy engine enforces segmentation policies, and the single pane of glass offers comprehensive visibility into traffic flows up to layer 7 between the two cloud environments.
Reduced cloud spend
Prosimo allows the company to consolidate multiple clusters per region into a single cluster per region, reducing operational costs through management efficiencies and a smaller cloud infrastructure footprint.
“Prosimo allowed us to take a giant leap forward in our cloud transformation journey by integrating with our infrastructure as code development model. All we have to do is set a target, and Prosimo connects everything for us in the background. We don’t have to worry about different CSPs, their various tools, or whether our enterprise policies and services are being applied consistently and appropriately. Prosimo gives us a single point of control for connecting everything together and ensuring powerful application experiences that meet our needs.” - Director of Infrastructure and Cloud Architecture
Business agility requires cloud transformation
A global technology conglomerate enhanced its scalability and met its business units’ specific requirements more efficiently by using the Google Cloud Platform (GCP) instead of relying solely on on-premises deployments. Though GCP is its primary cloud, the conglomerate’s 45+ business units could independently build and manage applications on any public cloud based on their needs, which allowed for increased flexibility. However, connecting applications and data across multiple regions and five data centers remained a significant challenge for the company. The company also struggled with redundant security processes when connecting applications and users. Normalizing IP networks and security across hybrid cloud deployments significantly strained the company’s network infrastructure operations.
The company’s principal cloud architect devised a plan to streamline GCP cloud connectivity for hundreds of network segments, lift-and-shift applications, and API and PaaS endpoints across all business units. After exploring conventional network solutions, the architect turned to Prosimo to understand how its services could help the company address these challenges.
Prosimo accelerates time to value through Full-Stack Cloud Transit.
Prosimo offers a full-stack cloud transit solution that simplifies networking, security, and content delivery through a single operational deployment. The stack includes two primary data plane components: edge gateways and connectors. Edge gateways are deployed in any region within the Google Cloud Platform, while connectors are lightweight virtual appliances that connect the data center to GCP through the edge gateway. The edge gateway is a Kubernetes-based services stack orchestrated on GCP infrastructure, providing greater flexibility and scalability than fixed virtual appliances and service chains. Once deployed, the gateways form a mesh fabric with gateways in other regions, using the GCP backbone for connectivity. This fabric enables cloud transit, in which network, security, and content delivery policy and observability can be deployed consistently across regions in minutes. It also orchestrates and integrates with the cloud-native network functions found in each GCP region. Prosimo brings you as close to the CSP’s network infrastructure as possible while avoiding technical debt.
The cloud architect identified three use cases requiring solutions for business units with GCP-deployed applications. We thoroughly explored these use cases and the technical value that Prosimo delivered by overcoming the challenges they presented.
Use Case 1 - Secure and optimized network transit across multiple business units with applications in GCP
Multiple business units operated various applications within network segments that communicated across data centers and Google Cloud regions. Connectivity was established through a secure tunnel over the public network, with traffic encrypted using a secure VPN overlay. Despite this, the company experienced several notable challenges:
- Each business unit operated siloed networks, which significantly strained operations.
- Interconnecting network segments between business units in the cloud required hairpin through the data center, which impacted performance.
- Performance was also impacted by the 1.5 Gbps throughput limit of the secure overlay between the data center and the cloud, which made it difficult to accommodate sudden bursts of traffic, especially for data backups.
The architect specified the following prerequisites to tackle the challenges and achieve successful implementation of this use case:
- Network transit that enables network segments across data centers and GCP regions.
- Overlay requirements that support 2-5 Gbps throughput, high-performance traffic encryption, minimal configuration, and no manual route advertisements. This overlay must be able to support sudden bursts in traffic.
- The ability to extend segmentation of business unit networks to VPCs in GCP.
Prosimo Technical Value
The Prosimo platform allowed the company to easily manage all of its business unit (BU) accounts within GCP from a single interface. The platform’s data plane components were deployed and managed within a single account, and connectivity was established to VPCs in other accounts managed by the business units over the Google cloud backbone.
Additional values provided by the Prosimo platform were as follows:
- Network transit was achieved using Google Cloud interconnect, cloud router, and other native GCP services as underlay connectivity.
- High-performance encryption was provided at up to 10 Gbps, ensuring no trade-off between security and performance.
- Network overlay orchestration required minimal configuration.
- GCP-native edge gateways based on Kubernetes constructs provided autoscaling capabilities to accommodate sudden bursts in traffic.
- A centralized policy engine allowed the operations team to easily manage traffic flow within the hybrid cloud environment.
- Namespace capability within the connectors in the DC allowed the operations team to extend segmentation (VRF) policies from the DC to the GCP cloud for all business units.
- Regional Kubernetes edge gateways enabled the company to scale to new VPCs and regions in minutes.
- Cloud and network insights provided easier troubleshooting and lower mean time to resolution (MTTR).
Use Case 2 - Private access to the Google Cloud Storage service for on-prem hosts
In this scenario, a business unit used the Google Cloud Storage service for database redundancy and regularly scheduled backups from a database deployed in the data center. A secure tunnel was created over the public network to establish connectivity, and all traffic was encrypted using a secure VPN overlay.
The architect identified two challenges when implementing this use case:
- The scheduled backups required sudden bursts of traffic, but the secure VPN’s throughput limits adversely impacted the backup process’s performance.
- Running the secure VPN over the public network did not comply with the company’s security compliance guidelines.
The architect identified security and flexibility as the primary requirements for this use case, with the following specific needs:
- Secure transfer of backups from the data center to GCP cloud storage over a private network.
- Traffic inspection to detect threats like SQLi and XSS due to the sensitive nature of the corporate data in the backups.
- A flexible network capable of accommodating sudden traffic bursts.
Prosimo Technical Value
The Prosimo platform provided several technical values to the business unit for their database backup use case. Firstly, it orchestrated a secure network using the company’s private network in GCP as the underlay with minimal configuration, which ensured compliance requirements were met quickly. Additionally, the platform provided an embedded web application firewall to inspect database traffic, protecting against potential threats such as SQL injection and cross-site scripting.
Additional values provided by the Prosimo platform were as follows:
- The platform offered high-performance encryption at up to 10 Gbps, ensuring no trade-off between security and performance.
- GCP-native edge gateways based on Kubernetes constructs accommodated sudden bursts in traffic through their autoscaling capabilities.
- The platform provided visibility and insights up to layer 7, since the target was an API endpoint and traffic was proxied through the edge gateway.
Use Case 3 - Direct, secure connectivity between the GCP and AWS cloud environments
The company had a strategy of giving developers the flexibility to pick the best cloud services available for their business needs. As a result, some business units started using AWS cloud services while others continued to use GCP services. Communication between the application services of these disparate business units posed a challenge, because connectivity between the two clouds was routed through the data center.
The architect identified the following challenges related to this hairpinned connectivity:
- Sub-optimal routing through the data center, leading to decreased performance for application services within the same region.
- Direct connectivity and networking between the different cloud services require specialized skills to deploy and manage the necessary services from each cloud provider.
- Operational complexity and the potential for misconfigurations and errors, especially as the number of cloud services and business units grows.
- Implementing proper segmentation between the clouds took a lot of work.
To overcome these challenges and ensure a successful implementation of this use case, the architect identified the following requirements as essential:
- Connectivity and networking should be done directly between GCP and AWS cloud environments.
- No hairpinning through the data center.
- Segmentation policies should be enforced in the cloud and not through the data center.
- Adequate visibility into traffic flows between endpoints communicating across the different cloud environments, in order to root-cause any performance bottlenecks.
Prosimo Technical Value
The company quickly realized that the Prosimo platform was well-suited for use cases like theirs. Its cloud-native architecture made deployment and management easy and provided the following benefits:
- The platform automatically orchestrated deployment within both AWS and GCP, and established direct and secure connectivity between the two cloud environments without requiring manual intervention from an administrator.
- Prosimo’s centralized policy engine simplified the deployment and enforcement of segmentation policies across the platform, ensuring that only authorized traffic from each business unit’s applications could flow between the cloud environments.
- Administrators gained comprehensive visibility into traffic flows, up to layer 7, between the GCP and AWS environments through a single pane of glass provided by the platform.
The bigger picture
Prosimo’s full-stack transit solution is designed to deploy seamlessly alongside existing network infrastructure, without requiring significant changes or disrupting ongoing operations. The platform’s cloud-native architecture and flexible deployment options enable companies to migrate gradually to the new infrastructure, reducing the risks associated with sudden transitions.
For the global technology conglomerate, deploying Prosimo’s full-stack cloud transit increased the speed of its cloud infrastructure rollout by 80%. This was achieved by minimizing exposure to operational risks and by providing an efficient, secure, and scalable cloud networking solution.