Networking announcements from Google Next show the value has moved up the stack. What is still missing?

Google Next 2024 commenced this week, and it’s evident that the following three key themes are at the forefront of the announcements around GCP networking services.

  1. The rise of service layer networking: Several enterprises are adopting a new operating model that moves networking to the application or service layer, eliminating the complexities associated with traditional IP layer networking. This shift is reflected in a 40% total cost of ownership (TCO) reduction in customer examples, as it streamlines complex NAT rules and IP-based firewall rules and offers enhanced observability. Private Service Connect brings this concept to life, with the GCP team introducing significant enhancements to ensure a seamless experience, including the extension to AI models.
  2. Seamless cross-cloud / multi-cloud connectivity is critical: Emphasizing the growing demand for a streamlined method to interconnect multiple clouds and operate them as a unified “enterprise network cloud,” Google has introduced further enhancements to its Cross-Cloud Interconnect offering (which was originally introduced at Next 2023).
  3. Security / zero trust everywhere: Regardless of traffic patterns (ingress, egress, or east-west), the network fabric must ensure security with the right level of policy control and facilitate easy chaining of advanced services like NG-FWs to inspect traffic and safeguard workloads. Increasing demand for this requirement has been bolstered through the extended partnerships Google Cloud has announced with security vendors. (Full details of all the networking-related announcements can be found here.)

The above developments strongly align with the direction in which Prosimo has been pushing the market with our full-stack multi-cloud network. While we’re pleased with the vision alignment, it’s crucial to highlight foundational gaps identified in GCP’s announcements.

  1. Lack of end-to-end service networking across clouds: While the producer/consumer model at the service layer functions smoothly within GCP services and its partners, introducing another cloud into the mix disrupts the end-to-end model. For instance, consider an enterprise utilizing GCP native services like Vertex AI or hosting a custom application within a GCP VPC. If they need to make these services accessible from AWS or Azure, they can’t natively extend Private Service Connect (PSC) into the other clouds. This results in manual setup of routing from the VPC or VNet, along with IP-based access to the PSC endpoint.

    The complexity escalates when services in other clouds must be reachable from the GCP VPC using PSC. This necessitates setting up a reverse proxy architecture to expose the service endpoint using private links and extending it to the GCP VPC via PSC. These challenges persist as there’s a lack of an end-to-end path at the service layer between the clouds, negating the simplifications that PSC aimed to provide.
  2. Cross-cloud interconnect stops at the entry point of other clouds: CCI aims to establish private underlay connectivity between GCP and other clouds. However, despite attempting to eliminate a third-party meet-me point, as demonstrated here, it still involves similar steps such as ordering the circuit, manually going to the other cloud provider, and requesting the LOA.

    The crucial aspect of true cross-cloud connectivity lies in enabling seamless communication between workload VPCs across different cloud providers. In this model, the significant question that arises is who will be responsible for setting up the Direct Connect or ExpressRoute Gateway, transit Gateway, VWAN, ongoing attachments, and route table manipulations required to achieve end-to-end connectivity.
  3. Lack of end-to-end security between clouds: It’s essential to have firewalls and advanced security stacks close to cloud workloads to enforce policies and minimize lateral spread risks. Although GCP has made significant strides with security service chaining partnerships, the challenge remains in enforcing traffic inspection in proximity to workloads in AWS and Azure.

    In their current model, all traffic must be routed to GCP security services for inspection. However, this approach isn’t practical or cost-effective for enterprises. They may prefer the flexibility to run firewalls in all their cloud environments to meet their specific security needs.

This write-up isn’t about critiquing GCP’s intentions; in fact, we admire GCP’s efforts to highlight the importance of seamless multi-cloud connectivity and the shift toward elevating the stack to the app/service layer. This post aims to inform the market and enterprises dealing with complex cross-cloud networking challenges that achieving a genuine end-to-end experience through “one enterprise network cloud” is possible. This can be achieved by partnering with ISVs like Prosimo, the only full-stack network solution operating across layer 3 and the service layer, with integrations spanning all major cloud providers, including Google PSC.