TECH PERSPECTIVE / WHITE PAPER
8 OCTOBER 2018
In a previous article, we looked at how a range of considerations from Internet architecture principles, cyber security, Government-led filtering and data sovereignty can impact a user’s experiences when accessing enterprise applications in the Cloud over the Internet.
The good news is that all is not lost. Solutions exist to overcome unpredictable latency, high packet loss and the risk of volumetric DDoS attack, providing end users with reliable and secure access to their Cloud applications and enabling the global enterprise to continue along the highway to digital transformation.
Making the Internet Work Globally
As previously established, while the Internet represents a low-cost option for enterprise WAN connectivity, it is not without its performance limitations. Net neutrality, peering and interconnection, exponential growth and congestion all contribute to two conditions which can render a Cloud application unusable: latency and packet loss.
But that does not mean that the Internet cannot be used in an enterprise’s Hybrid WAN underlay; especially as we see the rise in popularity of Software-Defined WAN, or “SD-WAN”. But there are no guarantees with the Internet, and therein lies one of the biggest challenges in mastering its use in a global network.
In theory, a Network Manager intent on taking full advantage of low-cost Internet access to connect sites to the corporate network could try to select Internet Service Providers with “on-net” connections to the Cloud Service Providers the enterprise uses, with a global backbone and local access networks for carrying Cloud traffic to every market the enterprise operates in … if that information can be found at all.
Of course, the more widely dispersed the users, the less likely network economics make this.
And while this would ensure that traffic between end users and Cloud applications never left the ISP backbone, thereby avoiding the bottlenecks and inefficient routing typical of ever-changing Internet peering, connectivity to the Cloud would remain “best-efforts” (because it is the Internet), lacking the performance guarantees often required to provide peace of mind.
Hence most global telcos offer premium products like MPLS and Ethernet to provide these guarantees. But unlike the public Internet, these are private network technologies, so how can a private enterprise network connect to a public Cloud platform without going over the Internet?
Network Performance Guarantees to the Cloud
To overcome the potential performance issues that can arise when Cloud-bound traffic transits long distances over the Internet, an enterprise can look to connect their users to their Cloud applications over the corporate WAN, via direct Cloud connectivity.
By leveraging performance-controlled MPLS or Ethernet, the unpredictability of the Internet (wildly variable latency, congestion-driven packet loss, peering changes) disappears immediately. And because private network-to-Cloud extensions are backed by performance guarantees and SLAs like those associated with connecting into traditional data centers, I/O teams can make maximum use of the Cloud to support their business’s digital transformation programs.
Furthermore, because private direct connections can be delivered from within the enterprise network, they offer immediate benefit to all remote locations connected to the WAN, with connections opened as if the Cloud platform was “on-net”.
Because the Cloud platform connects on a private basis, security is improved and the risk of malicious attack reduced. MPLS is inherently secure; internal network addressing and infrastructure are “hidden” from the external world. It’s as if there is a firmly locked door standing between the application and unauthorized users on the Internet. Internal core routing information is not even disclosed within a client VPN; the only addresses visible to the Customer Edge (CE) devices are the addresses of the MPLS Provider Edge (PE) routers, not those of the core Provider (P) routers. To make things even more secure, even these addresses can be hidden.
Even traffic passing over a hybrid WAN underlay like that offered by GCX, where low-cost Internet is used as a local access circuit and IPSec-encrypted traffic is off-loaded from the Internet onto an MPLS core, is less prone to attack since it simply spends less time on the public Internet.
And without a clear target to direct an attack towards, even Volumetric DDoS becomes much more difficult to initiate.
Sites connecting via direct Cloud connectivity are also secure against address spoofing. MPLS packets are not forwarded on the IP destination address, as Internet packets are, but on labels prepended by the MPLS PE routers.
As with IP spoofing, an attacker might in theory try to spoof the label of an MPLS packet from a compromised CE device. However, since MPLS PE routers do not accept labelled packets from CE routers, label spoofing in MPLS networks is simply impossible.
So, as you can see, direct Cloud connectivity using MPLS is inherently secure, offering in-built protection from most common cyber-attacks.
And in addition, most corporate networks already have sophisticated security perimeters protecting locations and users within that perimeter, meaning these defenses can be further used to secure activity between users and applications hosted in public Cloud platforms.
All of this means most DDoS attacks can be avoided, even without the need for a DDoS mitigation service. It also means the risk of data leakage from outside attackers exploiting vulnerabilities through MitM attacks decreases drastically, as data is transmitted back and forth in secure VRFs, while the use of private domain subnets makes it much harder for attackers to probe for vulnerabilities and profile a target for attack.
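To make the label-spoofing argument and the VRF separation above concrete, here is a small Python model of a PE router’s ingress decision. It is an added illustration, not code from GCX or from any router vendor: the interface names, VRF names, label values and the sample IPv4 header are all constructed, and the model keeps only the two rules the text relies on (a PE never accepts a labelled frame from a CE-facing interface, and the VRF is fixed by the ingress interface rather than by anything in the packet). The MPLS shim header layout (20-bit label, 3-bit TC, bottom-of-stack bit, 8-bit TTL) follows RFC 3032.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_MPLS_UNICAST = 0x8847
ETHERTYPE_MPLS_MULTICAST = 0x8848
MPLS_ETHERTYPES = (ETHERTYPE_MPLS_UNICAST, ETHERTYPE_MPLS_MULTICAST)


def build_mpls_shim(label: int, tc: int = 0, bos: int = 1, ttl: int = 255) -> bytes:
    """Encode one 32-bit MPLS label stack entry (RFC 3032 layout)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("MPLS label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | (tc << 9) | (bos << 8) | ttl)


def parse_mpls_shim(shim: bytes) -> dict:
    """Decode one MPLS label stack entry into its fields."""
    (word,) = struct.unpack("!I", shim[:4])
    return {"label": word >> 12, "tc": (word >> 9) & 0x7,
            "bos": (word >> 8) & 0x1, "ttl": word & 0xFF}


def make_frame(ethertype: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet frame with constructed (all-zero) MAC addresses."""
    return bytes(12) + struct.pack("!H", ethertype) + payload


@dataclass
class PEInterface:
    name: str
    role: str                   # "customer" (faces a CE) or "core" (faces a P router)
    vrf: Optional[str] = None   # a customer-facing interface belongs to exactly one VRF


@dataclass
class PERouter:
    interfaces: Dict[str, PEInterface]
    vrf_label: Dict[str, int]   # VPN label the PE assigns per VRF (constructed values)
    drops: List[Tuple[str, str]] = field(default_factory=list)

    def ingress(self, ifname: str, frame: bytes) -> tuple:
        """Model the PE's ingress decision: ('forward', vrf, label) or ('drop', reason)."""
        intf = self.interfaces[ifname]
        (ethertype,) = struct.unpack("!H", frame[12:14])
        payload = frame[14:]

        if intf.role == "customer":
            if ethertype in MPLS_ETHERTYPES:
                # The rule the text relies on: a PE does not accept labels from a CE,
                # so a label prepended by a compromised CE never reaches the core.
                self.drops.append((ifname, "labelled frame from CE"))
                return ("drop", "labelled frame from CE")
            if ethertype != ETHERTYPE_IPV4:
                self.drops.append((ifname, "unsupported ethertype"))
                return ("drop", "unsupported ethertype")
            # Plain IP from the CE: the VRF is fixed by the interface and the label is
            # chosen by the PE, so nothing inside the packet can steer it into another VRF.
            return ("forward", intf.vrf, self.vrf_label[intf.vrf])

        # Core-facing interface: labelled traffic from P routers is expected, and the
        # label (assigned earlier by a PE) selects the VRF on egress.
        if ethertype not in MPLS_ETHERTYPES:
            self.drops.append((ifname, "unlabelled frame from core"))
            return ("drop", "unlabelled frame from core")
        label = parse_mpls_shim(payload)["label"]
        label_to_vrf = {lbl: vrf for vrf, lbl in self.vrf_label.items()}
        if label not in label_to_vrf:
            self.drops.append((ifname, "unknown label"))
            return ("drop", "unknown label")
        return ("forward", label_to_vrf[label], label)


def build_demo_pe() -> PERouter:
    """A constructed PE with two customer VRFs and one core-facing interface."""
    return PERouter(
        interfaces={
            "ce-acme": PEInterface("ce-acme", "customer", vrf="ACME"),
            "ce-beta": PEInterface("ce-beta", "customer", vrf="BETA"),
            "core0": PEInterface("core0", "core"),
        },
        vrf_label={"ACME": 100, "BETA": 200},
    )


# Constructed sample: a bare 20-byte IPv4 header is enough for this model.
SAMPLE_IP = bytes.fromhex("4500001c000000004011" "0000" "0a000001" "0a000002")


def demo() -> dict:
    pe = build_demo_pe()
    return {
        "legit": pe.ingress("ce-acme", make_frame(ETHERTYPE_IPV4, SAMPLE_IP)),
        # A compromised ACME CE prepends BETA's label, hoping to land in BETA's VRF.
        "spoofed": pe.ingress("ce-acme", make_frame(ETHERTYPE_MPLS_UNICAST,
                                                    build_mpls_shim(200) + SAMPLE_IP)),
        # The same labelled frame arriving from the core is the normal case.
        "from_core": pe.ingress("core0", make_frame(ETHERTYPE_MPLS_UNICAST,
                                                    build_mpls_shim(200) + SAMPLE_IP)),
        "drops": list(pe.drops),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running the block shows the legitimate IP frame from the ACME CE being labelled with ACME’s own VPN label, the labelled frame from the same CE being dropped and logged before it can influence forwarding, and the identical labelled frame being accepted only when it arrives from the core. Note what the model does and does not show: labels and VRFs keep customers’ traffic apart, but they do not encrypt it, which is why the hybrid underlay described above still carries IPSec-encrypted traffic on the Internet access leg.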
In summary, direct Cloud connectivity offers considerable benefits both in terms of application performance and security risk management.
Overcoming Government-Imposed Barriers
Direct Cloud connectivity can also be used to overcome issues arising from Government intervention, filtering and blocking that is leading to ‘the Splinternet’. For enterprises with users based in countries subject to content filtering at the border, Gartner Analyst Neil Rickard recommends:
“Use hybrid WANs with non-internet backbones (such as MPLS or Ethernet) rather than purely internet-based VPNs when connecting WANs to and from markets with national-level filtering in order to avoid application performance issues,”1
Neil Rickard, Gartner Analyst
While for those enterprises with users in countries where access to Cloud services is blocked by national-level filtering, Rickard advises:
“Provide access to your critical cloud services in countries where filtering may block them by routing cloud traffic over your private WAN, rather than the internet, in these markets,”
“Limit access to your specific cloud service instances, not the broader uncensored internet, to comply with regulations in restricted markets by using direct cloud connectivity or application-specific routing.”2
Complying with Data Sovereignty Laws
Even onerous data sovereignty laws, such as those applied in the EU, can be complied with: direct Cloud connectivity providers are able to control the flow of traffic across their private backbone networks in a way that is simply impossible on the net-neutrality-based Internet.
CLOUD X Fusion from GCX
CLOUD X Fusion from Global Cloud Xchange is a high performance direct Cloud connectivity solution offering seamless access from GCX’s private global network into the leading Cloud platforms including AWS, Microsoft Azure & Office 365, and IBM Cloud among others, on a global scale.
For the connected enterprise this means:
- Guaranteed network performance when you connect to your Cloud applications using SLA-backed private MPLS, Ethernet or Hybrid WAN, taking latency and packet loss out of the equation.
- Drastically reduced risk of cyber-attack, because Cloud traffic is transported on a private global backbone and is therefore hidden from prying eyes on the Internet.
- Reduced cost of ownership, as existing network assets can be sweated for maximum financial benefit, matched by on-demand consumption.
- Avoidance of service-impacting Government filtering or blocking.
- Compliance with regulations and data sovereignty laws.
1, 2 Gartner, Coping With the Splinternet: The Impact of Internet Fragmentation on Global Enterprise Networks, 24 August 2018