Beyond the Amazon Virtual Private Cloud

Amazon VPC enables enterprises to connect their existing infrastructure to a set of isolated AWS compute resources

Amazon's virtual private cloud allows Amazon EC2 instances to exist within a VPN environment, managed by an organization's existing network security infrastructure. As Steve Riley defines Amazon Virtual Private Cloud:

Amazon VPC enables enterprises to connect their existing infrastructure to a set of isolated AWS compute resources via a Virtual Private Network (VPN) connection, and to extend their existing management capabilities such as security services, firewalls, and intrusion detection systems to include their AWS resources

Before Amazon Virtual Private Cloud, Amazon EC2 instances outside the firewall were not under the control of internal network management systems. They were the equivalent of remote workers, cut loose from corporate infrastructure management.

With Amazon Virtual Private Cloud, the Amazon EC2 images can be assigned IP addresses from a range selected by the owner organization. Thus they can be brought into the control of that organization's network management systems, as diagrammed below.

This is definitely a step in the right direction. The clear next steps are:

1) Other Cloud services besides Amazon EC2.
What about the connections to Force.com, or Google Apps? Not to mention other Amazon Web Services services such as Amazon SQS.
2) Governance, including Identity and Access Management.
Network management defines which computers can talk to other computers. But identity and access management defines which users can use which applications, and how they can use them. This is the realm of products such as Microsoft Active Directory, CA SiteMinder, and LDAP products such as Novell eDirectory. If an organization wishes to bring its identity management infrastructure to bear on its usage of Cloud services, how can it do this?

To illustrate this, look at the diagram below. We see that network management of the Amazon EC2 service is taken care of by Amazon Virtual Private Cloud. This is now controlled by an organization's on-premises network management infrastructure. But identity and access management of the Cloud services requires a link to the organization's existing on-premises identity and access management infrastructure. Also, while the Amazon EC2 service is within the Amazon Virtual Private Cloud, the other Cloud services, which are accessed at the API level by API keys and OAuth, are not.

This means that the organization's on-premises policy-based control is not being applied to all their Cloud-based services. Diving down to the technology, the conundrum is how to translate from the identity tokens used on the network (Kerberos for Windows networking, plus SAML for Web Services) up to the API keys and OAuth used at the Cloud level. This is what would allow existing on-premises identity management infrastructure to control access to Cloud services on a fine-grained level.

The solution is to use a Cloud Gateway. The Cloud Gateway bridges the connection from the on-premises identity management infrastructure up to the Cloud services. This allows users who access applications locally (or simply sign on to their PCs) to access Cloud services, governed the whole time under the umbrella of an identity management infrastructure. Rules applied to internal applications, governing who can access which applications and how they can use them, can now be applied in the same way to Cloud-based applications.
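To make the translation step concrete, here is an added Python sketch of the gateway decision; it is not code from this post or from any Vordel/Axway product. It assumes a hypothetical HMAC-signed SSO token standing in for the Kerberos/SAML token issued on-premises, constructed placeholder cloud credentials, and a group-to-service policy table, and shows that the user only ever presents the on-premises token while the cloud API key or OAuth token stays inside the gateway.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example: a signing secret shared with the on-premises
# IdP, and placeholder cloud credentials that never leave the gateway.
ONPREM_TOKEN_SECRET = b"onprem-sso-signing-secret-placeholder"
CLOUD_CREDENTIALS = {"sqs": "api-key-placeholder", "crm": "oauth-bearer-placeholder"}

# Policy: which on-premises group may perform which operation on which cloud service.
POLICY = {
    "finance": {"crm": {"read"}},
    "ops": {"sqs": {"read", "write"}, "crm": {"read"}},
}

def mint_onprem_token(user, groups, secret=ONPREM_TOKEN_SECRET, ttl=300):
    """Stand-in for the on-premises SSO token: base64 claims plus an HMAC-SHA256 tag."""
    claims = {"sub": user, "groups": groups, "exp": int(time.time()) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + tag

def verify_onprem_token(token, secret=ONPREM_TOKEN_SECRET, now=None):
    """Return the claims if the tag and expiry check out, otherwise None."""
    try:
        body, tag = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time compare
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] < (now if now is not None else time.time()):
        return None
    return claims

def gateway_authorize(token, service, operation):
    """Gateway decision: map a verified on-premises identity to a cloud credential, or refuse."""
    claims = verify_onprem_token(token)
    if claims is None:
        return {"allowed": False, "reason": "invalid or expired on-premises token"}
    for group in claims["groups"]:
        if operation in POLICY.get(group, {}).get(service, set()):
            # The cloud credential is attached here, server-side; the user never holds it.
            return {"allowed": True, "user": claims["sub"],
                    "credential": CLOUD_CREDENTIALS[service]}
    return {"allowed": False, "reason": "policy denies %s on %s" % (operation, service)}
```

Because the decision is made on the group claims of the on-premises token, revoking a user or changing a group on-premises changes their cloud access without touching any API key or OAuth token.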

The Cloud Gateway allows on-premises identity and access management to govern Cloud usage. This is analogous to how, at a network level, the Amazon Virtual Private Cloud allows on-premises network management to manage Cloud connections. Thus a Cloud Gateway complements and extends the Amazon Virtual Private Cloud. It allows single sign-on from on-premises applications up to Cloud-based applications, and allows an organization's identity and access management infrastructure to be brought to bear on that organization's usage of Cloud services.

More Stories By Mark O'Neill

Mark O'Neill is VP Innovation at Axway - API and Identity. Previously he was CTO and co-founder at Vordel, which was acquired by Axway. A regular speaker at industry conferences and a contributor to SOA World Magazine and Cloud Computing Journal, Mark holds a degree in mathematics and psychology from Trinity College Dublin and graduate qualifications in neural network programming from Oxford University.