Multicloud environments can improve security and redundancy

Single-cloud environments are often assumed to be redundant. One expert disagrees and explains why.

Image by iStockphoto/Denis Isakov

High-availability digital infrastructure was the holy grail before cloud computing. This meant redundant network providers, redundant data centers, and redundant internet service providers to eliminate any single point of failure that could cause an organization to fail.

All that changed when cloud computing was introduced. Cloud providers claimed that computing and storage cloud environments are redundant and that a single provider can use multiple data centers to ensure safety. Even more attractive, the cost of switching to cloud computing appeared to be much lower from an operational perspective.

Michael Gibbs, the CEO of Go Cloud Architects (a global organization offering training in cloud computing), said during an email conversation that he wanted to clear the air regarding cloud computing environments.

Single-cloud computing environments pose a risk

Gibbs explains that using one cloud provider can be risky.

  • A single cloud provider means an organization works with one network provider, which is a single point of failure.
  • Single-cloud providers advertise redundancy through multiple data centers. However, those data centers share a common control plane. Gibbs explained that the control plane is what makes the cloud work: it orchestrates the network and data centers. If anything happens to the cloud control plane, that will likely turn into a single-point-of-failure outage.
  • Cloud providers are high-value targets for cybercriminals. Cybercriminals who gain control of the cloud can access customer and business data. If an attack succeeds, they may also be able to block access to the cloud-computing services.

Gibbs offers the following example: Imagine what would happen during an outage if a hospital and a 911 dispatch center were hosted by one cloud provider.

We all know that cloud outages can happen. Last year, many highly rated cloud service providers had major outages. Gibbs said that cloud providers have some of the best equipment and staff in the world. Still, tech fails, and we must plan for it.

Multicloud environments are the solution

Gibbs insists that multicloud environments should be used.

Multicloud is when multiple cloud computing and storage services are used in a single heterogeneous environment. This also includes the distribution and use of cloud assets, software, and applications across multiple cloud-hosting environments. Multicloud environments are typically composed of two or more public clouds and multiple private clouds. They aim to eliminate reliance on one cloud provider.

Gibbs then looked at what it takes to support multicloud environments. It is highly recommended to build two identical clouds with open-source tools like the ones below.

  • Open databases (MariaDB, MongoDB, Apache Cassandra)
  • Open Kubernetes services
  • Standard networking protocols (BGP, 802.1Q)
  • Open Linux (Ubuntu, Red Hat, CentOS)

Gibbs says that security should not be viewed as a vendor-exclusive service. In many cases, marketplace security tools are more secure than cloud-native security tools.

Gibbs recommends the following:

  • Marketplace firewalls and VPN concentrators (Cisco, Palo Alto, Fortinet, Check Point, etc.) can be used to hold nearly identical configurations in both clouds.
  • Ensure that every side of the network has the same security configuration.
  • A network load balancer will front-end two virtual firewalls within each cloud. This is followed by network access control lists, security groups and host-based firewalls. Endpoint protection and similar identity management policies are also included.
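
Keeping firewall configurations nearly identical in both clouds only pays off if drift between them is detected. The following is an added example, not from the article or from Gibbs: it compares two rule sets after rewriting each cloud's own address range to a common placeholder, so rules that differ only by the per-cloud CIDR compare equal. The rule tuples, address ranges and function names are constructed assumptions.

```python
import ipaddress

# Constructed sample rule sets for two clouds (not from the article).
# Each rule: (direction, protocol, port, source CIDR, action)
CLOUD_A = {
    "local_cidr": "10.10.0.0/16",
    "rules": [
        ("in", "tcp", 443, "0.0.0.0/0", "allow"),
        ("in", "tcp", 22, "10.10.0.0/16", "allow"),
        ("in", "tcp", 5432, "10.10.4.0/24", "allow"),
    ],
}
CLOUD_B = {
    "local_cidr": "10.20.0.0/16",
    "rules": [
        ("in", "tcp", 443, "0.0.0.0/0", "allow"),
        ("in", "tcp", 22, "0.0.0.0/0", "allow"),  # drift: wider than cloud A
        ("in", "tcp", 5432, "10.20.4.0/24", "allow"),
    ],
}


def normalize(cloud):
    """Rewrite sources inside the cloud's own range as LOCAL+offset/prefix,
    so rules that differ only by the per-cloud address plan compare equal."""
    local = ipaddress.ip_network(cloud["local_cidr"])
    out = set()
    for direction, proto, port, src, action in cloud["rules"]:
        net = ipaddress.ip_network(src)
        if net.version == local.version and net.subnet_of(local):
            offset = int(net.network_address) - int(local.network_address)
            src = f"LOCAL+{offset}/{net.prefixlen}"
        out.add((direction, proto, port, src, action))
    return out


def drift(a, b):
    """Return (rules only in a, rules only in b) after normalization."""
    na, nb = normalize(a), normalize(b)
    return sorted(na - nb), sorted(nb - na)


if __name__ == "__main__":
    only_a, only_b = drift(CLOUD_A, CLOUD_B)
    for rule in only_a:
        print("only in cloud A:", rule)
    for rule in only_b:
        print("only in cloud B:", rule)
```

The database rule matches across clouds despite the different subnets, while the SSH rule is reported on both sides because its source scope differs.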

Network connections

Gibbs says that the router connecting to each cloud provider should have redundant line cards, redundant control modules, and redundant power supplies.

Gibbs suggests that each connection should have a high-availability router. Each WAN connection to a cloud provider (Ethernet WAN) should be from a different network service provider.

Two internet connections across two internet service providers are needed at the customer’s site connecting to the internet with BGP for load sharing and optimized routing, Gibbs says. If one of the primary network connections fails, there should be backup VPNs available on the customer site.

Gibbs has more thoughts

  • Each site, each customer site, and each provider should use a different CIDR block. These can be easily combined into a single route if needed.
  • It is recommended that you set up nearly identical BGP policies for routing between clouds (obviously adjusted to address differences).
  • If 99.99% is sufficient, then it is a good idea to use one availability zone in two clouds.
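
The CIDR recommendation above can be checked mechanically before any routing is configured. The following is an added example, not from the article: it verifies that the blocks in an address plan do not overlap and that they collapse into a single summary route. The site names, address ranges and function names are constructed assumptions, and requiring exactly one summary route is a stricter test than the article's "if needed".

```python
import ipaddress
from itertools import combinations

# Constructed address plan (names and ranges are illustrative assumptions).
PLAN = {
    "cloud-a": "10.64.0.0/18",
    "cloud-b": "10.64.64.0/18",
    "customer-hq": "10.64.128.0/18",
    "customer-dr": "10.64.192.0/18",
}


def overlaps(plan):
    """Return every pair of sites whose CIDR blocks overlap."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    return [
        (a, b)
        for (a, na), (b, nb) in combinations(sorted(nets.items()), 2)
        if na.overlaps(nb)
    ]


def summary_routes(plan):
    """Collapse the plan into the fewest prefixes that cover exactly
    the allocated blocks (candidates for a single aggregate route)."""
    nets = [ipaddress.ip_network(cidr) for cidr in plan.values()]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def check_plan(plan):
    """A plan passes if no blocks overlap and it summarizes to one route."""
    clashes = overlaps(plan)
    routes = summary_routes(plan)
    return {
        "overlaps": clashes,
        "summary": routes,
        "ok": not clashes and len(routes) == 1,
    }


if __name__ == "__main__":
    print(check_plan(PLAN))
```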

Design with super-high availability

Gibbs defined super-high availability as networks that are available at least 99.999% of the time and don’t experience more than five minutes per year of unplanned downtime. Gibbs suggested that two availability zones (data centers) be used to ensure this level of availability. Each zone should be located in a separate cloud. The design is otherwise the same as above, with two cloud providers.

Houston, there is a problem

Many people agree that the above may seem complicated. In Lance Whitney’s TechRepublic article "How to beef up your multicloud security," he writes: A full 95% of the respondents [of a Valtix survey] said they’re making multicloud a priority in 2022, with almost all of them putting security at or near the top of the list. Only 54% of respondents said they are confident they have the skills and tools to achieve this goal.

Looking back at pre-cloud computing networks, you will see that Gibbs is trying to infuse the same redundancy into cloud-computing environments in order to reduce the risk of single-point-of-failure incidents that can occur when using one cloud provider.
