SOLUTION BRIEF

Extending GCP Cloud Native Services for Cloud Networking

How Enterprises can put together disparate services from GCP in their Cloud Networking Architecture

By Chinedu Egonu

Challenge

Organizations frequently choose GCP as their primary cloud provider to take advantage of its services and accelerate their digital journey. Cloud architects planning a network architecture in GCP have access to multiple network services that fulfill their requirements. Although Gartner recognizes that cloud providers’ native networking capabilities should provide the foundation, enterprise teams struggle to keep up with the many services needed to create a cohesive and scalable architecture. In addition, advanced networking use cases, including overlapping IP addresses, application-layer segmentation, B2B access, and Zero Trust Network Access (ZTNA), lead enterprises to look for a cloud networking software solution to deploy and manage their architecture at scale.

The networking services that enterprises typically deploy within GCP to solve these use cases can be grouped into the following categories:

  • Network-layer connectivity – Connectivity and routing between VPCs and data center network segments, using Cloud Router, VPC Network Peering, and so on.
  • Fault tolerance and high availability – Regional GKE clusters (deployed under a Service Account), regional load balancers, etc.
  • App-layer connectivity – Private Service Connect endpoints, regional load balancers, etc.
  • Cloud network security – Native functions such as traffic encryption, VPC firewall rules, and Cloud Firewall.
  • Traffic optimization – The GCP backbone and the Premium Network Service Tier.


The effective use of these cloud-native networking services demands specialized expertise that takes time to acquire, which delays cloud project schedules. Furthermore, manually integrating these features can produce a network that becomes increasingly difficult to manage and operate as it grows to span many VPCs across multiple regions. Prosimo’s enterprise customers report inconsistent security controls, sub-optimal traffic routing, and poor application performance or user experience while building their cloud networks this way.

Cloud-Native Solution for a Cloud-Native Problem

To avoid these obstacles, enterprises adopt a cloud networking software solution (the market Gartner tracks as Multicloud Networking Software, MCNS) that is proficient in the cloud-native services, supplies an abstraction layer that masks the complexity, and extends the value by solving advanced use cases. These are some of the features Prosimo’s customers benefit from when using the Application Experience Infrastructure (AXI) Platform in their cloud environment.

The Prosimo platform is a cloud-native full-stack multicloud networking solution that establishes connectivity by working with individual cloud service providers’ most efficient network services without the bottlenecks of monolithic virtual appliances.

The Prosimo Platform:

  • Orchestrates connectivity using native network functions in the cloud provider’s environment.
  • Solves advanced use cases such as overlapping IP addresses and service insertion.
  • Selects the best available path for traffic across regions and data centers.
  • Creates a unified network architecture to which networks, FQDNs, and PaaS services are attached.
  • Provides a global view of your cloud networks and applications.

Bringing Together Cloud-Native Transit with Prosimo and GCP

With the Prosimo platform integrated into the GCP environment, organizations can easily take advantage of the numerous native networking services available in any region. This puts all the necessary elements for building a robust cloud networking infrastructure in place.

Organizations can then utilize the advanced networking features within the Prosimo platform to implement use cases such as creating a secure and optimized network fabric for efficient communication between applications and networks and securing user access to cloud resources using Zero Trust principles. These capabilities and more are discussed further in the following sections.

App Layer Connectivity and Segmentation

Establishes transit by configuring Private Service Connect endpoints and service attachments, which connect application endpoints or services (such as Fully Qualified Domain Names, Platform-as-a-Service offerings, and serverless applications).

  • Organizations need not worry about applications with overlapping addresses and can implement use cases such as B2B access where network layer access is not feasible.

Extends regional constructs such as Private Service Connect to support applications in any region or cloud, including data centers.

  • Organizations with shared services centralized in one region or one cloud can use Prosimo to orchestrate private link connectivity to applications in other regions or clouds that access the shared service.

Provides Layer 7 visibility and insights, including the total response time at the HTTP layer and a breakdown of response times at each hop (Cloud Ingress, backbone, and application VPC).

Sets up and manages private zones in Cloud DNS and Service Directory to steer traffic at the DNS layer from source VPCs to target destinations.

Creates a dedicated segment for each application/FQDN and allows authorized access based strictly on policies.

Network Connectivity and Segmentation

Orchestrates new VPC peering connections and uses Cloud Router to enable connectivity with existing Google VPCs.

Modifies the routing tables of attached VPCs to ensure network access to and from VPCs, per connectivity policies.

Implements exception handling and alerting to identify and address duplicate (overlapping) IP address ranges during onboarding.
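The overlap check described above, as an added illustration that is not Prosimo’s code: before a VPC is attached to a shared transit, every one of its ranges is compared with the ranges of every VPC already attached, and the onboarding is refused (rather than silently routed) when any pair overlaps. The VPC names and CIDRs are constructed sample data; `ipaddress.IPv4Network.overlaps` from the Python standard library does the actual comparison.

```python
"""Detect overlapping CIDRs when onboarding VPCs to a shared transit.

Added example, not Prosimo's code. Assumes each VPC is described by a
name and a list of subnet CIDRs; the names and ranges below are
constructed sample data.
"""
import ipaddress
from itertools import combinations

# Constructed inventory: an acquired VPC reuses part of app-prod's range,
# and the on-prem DC range collides with a shared-services subnet.
SAMPLE_VPCS = {
    "shared-services": ["10.0.0.0/16", "10.1.0.0/24"],
    "app-prod":        ["10.10.0.0/16", "172.16.0.0/20"],
    "app-acquired":    ["10.10.128.0/17", "192.168.0.0/24"],  # overlaps app-prod
    "dc-on-prem":      ["10.1.0.0/22"],                       # overlaps shared-services
}


def parse_vpcs(vpcs):
    """Return {name: [IPv4Network, ...]}.

    strict=True rejects ranges with host bits set (e.g. 10.1.0.5/24), so a
    typo in the inventory fails loudly with the VPC name instead of being
    silently normalised.
    """
    parsed = {}
    for name, cidrs in vpcs.items():
        nets = []
        for cidr in cidrs:
            try:
                nets.append(ipaddress.ip_network(cidr, strict=True))
            except ValueError as exc:
                raise ValueError(f"{name}: bad CIDR {cidr!r}: {exc}") from exc
        parsed[name] = nets
    return parsed


def find_overlaps(vpcs):
    """Return a sorted list of (vpc_a, cidr_a, vpc_b, cidr_b) for every pair
    of ranges in *different* VPCs that overlap. Ranges inside one VPC are
    not compared: the cloud already rejects those at subnet creation."""
    parsed = parse_vpcs(vpcs)
    hits = []
    for (name_a, nets_a), (name_b, nets_b) in combinations(sorted(parsed.items()), 2):
        for a in nets_a:
            for b in nets_b:
                if a.overlaps(b):  # true for partial overlap and containment
                    hits.append((name_a, str(a), name_b, str(b)))
    return sorted(hits)


def check_onboarding(existing, candidate_name, candidate_cidrs):
    """Onboarding gate for one new VPC.

    Returns (ok, conflicts): ok is False when any candidate range overlaps a
    VPC that is already attached; conflicts lists the offending pairs so an
    alert can name both sides.
    """
    all_hits = find_overlaps({**existing, candidate_name: candidate_cidrs})
    conflicts = [h for h in all_hits if candidate_name in (h[0], h[2])]
    return (not conflicts, conflicts)


if __name__ == "__main__":
    for hit in find_overlaps(SAMPLE_VPCS):
        print("OVERLAP: %s %s <-> %s %s" % hit)
    attached = {k: v for k, v in SAMPLE_VPCS.items() if k in ("shared-services", "app-prod")}
    ok, conflicts = check_onboarding(attached, "app-acquired", SAMPLE_VPCS["app-acquired"])
    print("onboard app-acquired:", "OK" if ok else f"REFUSED {conflicts}")
```

In practice the inventory would come from the cloud API rather than a literal, and a refused onboarding is the point at which an overlapping-IP use case is handled at the application layer (Private Service Connect) instead of by routing.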

Facilitates the attachment of Cloud Interconnect to Cloud Router as an underlay.

Enables seamless cross-project peering between application and infrastructure projects.

Enables high-performance encryption over any underlying transport, including Cloud Interconnect.

Achieves network-layer segmentation using the Prosimo policy engine.

  • This ensures that only authorized traffic flows between entire VPCs/VNETs and between specific subnets.
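The segmentation behaviour described above, as an added example rather than Prosimo’s own policy engine: a flow is denied unless a rule explicitly authorises it (default deny), rules can be written at whole-VPC or single-subnet granularity, the most specific matching rule wins so a subnet-level deny can carve an exception out of a VPC-level allow, and a rule is one-directional unless marked bidirectional. The rule format, the specificity semantics and the sample policy are assumptions made for this illustration.

```python
"""Network-layer segmentation check with default deny.

Added example, not Prosimo's code. Rule format, most-specific-match
semantics and the sample policy are assumptions for this illustration;
the CIDRs are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR of a whole VPC range or a single subnet
    dst: str
    action: str           # "allow" or "deny"
    bidirectional: bool = False  # also permit dst -> src when True

    def networks(self):
        return ipaddress.ip_network(self.src), ipaddress.ip_network(self.dst)

    def specificity(self):
        """Longer prefixes are more specific; a /24->/16 rule beats /16->/16."""
        s, d = self.networks()
        return s.prefixlen + d.prefixlen

    def matches(self, src_ip, dst_ip):
        s, d = self.networks()
        forward = src_ip in s and dst_ip in d
        reverse = self.bidirectional and src_ip in d and dst_ip in s
        return forward or reverse


# Constructed policy: app-prod (10.10.0.0/16) and shared-services
# (10.0.0.0/16) may talk both ways, except a quarantined app-prod subnet;
# app-dev (10.20.0.0/16) may reach exactly one shared-services subnet, one way.
POLICY = [
    Rule("10.10.0.0/16", "10.0.0.0/16", "allow", bidirectional=True),
    Rule("10.10.5.0/24", "10.0.0.0/16", "deny"),
    Rule("10.20.0.0/16", "10.0.3.0/24", "allow"),
]


def evaluate(policy, src, dst):
    """Return (decision, rule). decision is "allow" or "deny"; rule is the
    matched Rule, or None when nothing matched and the default deny applied.

    Among matching rules the most specific wins; on equal specificity a
    deny wins, so an ambiguous policy never opens a path by accident.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best = None
    for rule in policy:
        if not rule.matches(src_ip, dst_ip):
            continue
        if best is None:
            best = rule
        elif rule.specificity() > best.specificity():
            best = rule
        elif rule.specificity() == best.specificity() and rule.action == "deny":
            best = rule
    if best is None:
        return ("deny", None)  # default deny: unlisted flows are not authorised
    return (best.action, best)


if __name__ == "__main__":
    for flow in [("10.10.1.4", "10.0.2.9"), ("10.0.2.9", "10.10.1.4"),
                 ("10.10.5.7", "10.0.2.9"), ("10.20.1.1", "10.0.3.10"),
                 ("10.20.1.1", "10.0.4.10"), ("10.0.3.10", "10.20.1.1")]:
        decision, rule = evaluate(POLICY, *flow)
        print(f"{flow[0]:>12} -> {flow[1]:<12} {decision:5} {rule}")
```

The two properties worth keeping when translating this into real VPC firewall rules or a vendor policy are the ones the check makes explicit: the absence of a rule is a deny, and a narrower deny is never overridden by a broader allow.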

Fault Tolerance

Uses a Service Account to deploy regional GKE clusters with autoscaling enabled, for gateway high availability.

Orchestrates the deployment of regional load balancers to ensure high network availability.

Uses Google Kubernetes Engine (GKE) as a cloud-native data path to improve data-path efficiency.

  • This lets the platform provide horizontal auto-scaling and auto-failover, instead of manually managing multiple appliances and scaling each separately.

Security

Enables TLS encryption for data in transit across native peerings, Private Service Connect attachments, and Network Connectivity Center (NCC) attachments.

Offers an optional Connector that can be deployed for micro-segmentation within the VPC.

Allows for seamless insertion of firewalls for east-west traffic within a region, as well as across regions or clouds.

Provides multiple layers of platform-native security, including geo-fencing, IP-based and certificate-based controls, and device posture checks. Organizations create a secure boundary around each application and implement ZTNA based on a variety of access criteria.

Includes an embedded Web Application Firewall (WAF) that safeguards against cyber threats at the application layer, such as SQL injection and cross-site scripting (XSS).

Optimization

  1. Utilizes the Google Cloud backbone to create express lanes that balance performance and cost requirements.
  2. Orchestrates Premium Network Service Tier to maximize the performance of latency-sensitive applications.
  3. Provides additional L4-L7 optimization capabilities, such as caching and compression, natively integrated into the Prosimo platform.

These capabilities enable organizations to implement ZTNA for users with consistent and optimal application performance and experience.

Operational Outcomes

Gain visibility, and improve uptime

Prosimo measures network quality across CSP network segments as well as application response times. Distinguishing network issues from application issues results in meaningful reductions in MTTR.

Maintain consistent segmentation across the cloud

Once deployed, Prosimo provides the framework to configure and deploy segmentation policies consistently across multiple VPCs and regions in the cloud. This ensures bi-directional communication flow only between authorized endpoints and networks.

Autonomous Cloud Networking

Prosimo’s Autonomous Cloud Networking is enabled by adding machine learning and AI functions that analyze the network fabric. Recommendations for improving performance or reducing egress charges are delivered every 24 hours.

A network as flexible as the cloud

Accepting a daily recommendation or making deterministic changes to the transit fabric are hitless and executed in minutes, thanks to a cloud-native network fabric that maintains consistent policy regardless of changes to the network path.

Extend networking constructs from GCP to multiple clouds

Organizations today often operate in multiple cloud environments and need a reliable, best-of-breed solution to address their connectivity, security, performance, and observability requirements.

With Prosimo, GCP customers can easily connect to other cloud environments and scale by deploying the cloud-native platform in other clouds in minutes. The platform enables seamless communication between endpoints and segments, whether an AWS Lambda function communicating with GCP Cloud Storage, a SQL database in a data center or colo communicating with Cloud Data Fusion, or an instance of Grafana running in an Azure VNET that monitors Compute Engine instances.

Prosimo enforces consistent security and optimization policies and provides visibility across the hybrid multicloud environment. For other clouds, Prosimo abstracts the native services into a common networking framework, so enterprises do not have to retool or retrain their staff to learn additional services. This saves several months when extending to new clouds, reduces TCO, and enables the same advanced capabilities across any cloud.