December 20, 2018 | Written by: Tom Yager and LESLIE LUNDQUIST
Categorized: Compute Infrastructure | Network
Are you compute-first or network-first?
Starting now, you can have more control over your cloud deployments. In fact, you might change how you think about your workloads.
IBM Cloud lets you approach the cloud compute-first. Each server is built to your specifications and loaded with the software you choose. Within a few minutes, they’re live on private and public networks, ready to use. You can stack up Web servers, database servers, worker nodes, and storage wherever you want. No need to think about how they’re connected. The compute-first approach is a productive paradigm for discovery and experimentation in the cloud because your network infrastructure is automated.
When you fly compute-first in IBM Cloud, you can see the VLANs, subnets, and IP addresses, but the system exclusively governs their creation, removal, and use. Going compute-first is convenient. When a network is done right, it vanishes. You can adopt a compute-first mindset that takes connectivity for granted.
Alternatively, you can adopt a network-first approach in IBM Cloud. You can purchase and control network elements. You can plan and place them before your servers are purchased, granting you the power to create secure and cross-connected application environments. The best part of going network-first? You needn’t discard your promising compute-first projects; you’ll just make a safer home for them in your pre-planned network.
Network by design
What does it take to design your network this way? Building an on-premises enterprise network from scratch requires planning, investment, and effort. But taking the time to design networks for your applications pays off handsomely later. The network-first approach results in maintainable, durable networks with fewer, more powerful points of control.
Your technical staff can design, deploy, and configure the infrastructure: switches, routers, hubs, cabling, Wi-Fi access points, inter-office WAN and internet, along with VLANs, subnets, and IP address assignments. This well-designed structure makes your network easier to expand, easier to control, and easier to understand when others need to interact with it.
Account users can operate easily within your well-designed network in a compute-first manner, focusing only on their systems and applications that safely consume services. The network they take for granted—the network you designed—is a safe and structured place to work.
With Premium VLANs available now in IBM Cloud infrastructure, you have the best of both worlds. Operating network-first doesn’t sacrifice the speed and convenience of automatic networking, and you get the security and control of a planned network deployment!
Approaching the IBM Cloud network-first begins with the purchase of Premium VLANs: See About VLANs.
Take control with premium VLANs
When you order a server into a Premium VLAN, the system creates primary public and private subnets for you, and it automatically assigns your servers default IPs, which you can customize. Moreover, a Premium VLAN lets you group and segregate your servers according to role and desired visibility, and it allows all subnets sharing a VLAN to be protected or routed by a common firewall or gateway. If you need to reconfigure your network, the Premium VLANs remain in place while you’re working.
Automatic VLANs vs. Premium VLANs
Any VLAN allows thousands of independent traffic lanes to share one physical network. IBM Cloud Premium VLANs share many traits with the IBM Cloud infrastructure’s default VLANs, called Automatic VLANs, but here are some major differences:
Difference #1: Persistence
Like any VLAN, an Automatic VLAN provides you with your own sequestered lane for your network traffic. The Automatic VLAN determines the location and routing of the new servers and subnets placed in it. However, as soon as an Automatic VLAN has no servers or subnets on it, the IBM Cloud infrastructure system deletes it.
Unlike Automatic VLANs, Premium VLANs don’t disappear when they’re empty. They remain available as your usage patterns shift and change. When a Premium VLAN is empty—meaning that it contains no subnets—you can decide to delete it or leave it in place for future use.
Difference #2: Select your data center and pod
When you buy a Premium VLAN, you’ll choose a data center in IBM’s global network. Typically, you’d choose one that’s near you or your application’s users in order to reduce latency. You can specify a pod (a group of servers that are cabled to a common set of public and private routers within a data center) or you can let the IBM Cloud system select one for you. You can even attach descriptive text to your Premium VLANs to keep them organized.
Using these identifiers, Premium VLANs are easy to select later if you order new compute servers or if you need to specify which of your VLANs to protect with gateways and firewalls.
How would I use a Premium VLAN?
In IBM Cloud, Automatic VLANs are a good way to get started, but Premium VLANs are more versatile, giving you much finer control over your network’s configuration and security. Furthermore, Premium VLANs make security easy to maintain, even during times when you’re reconfiguring your internal network and servers.
As a best practice, all VLANs that are reachable from the public internet (“public VLANs”) should be protected by a gateway or firewall. That way, every subnet and server within the VLAN sits behind the same policy, instead of each host relying on its own host-based rules. Note that a gateway filters only traffic that crosses it: servers on the same VLAN still reach one another directly, so the VLAN boundary, not the gateway, is the real unit of isolation.
By using multiple Premium VLANs, you can segregate servers into tiers for security. For example, you can place Web and other public-facing servers on a different VLAN from database servers, so that a compromised public server has no direct path to sensitive data and can reach the database tier only through the flows the gateway explicitly permits.
Multiple VLANs and gateway appliances
Even if your VLANs aren’t reachable from the public internet (“private VLANs”), they may need to be protected from undesired network traffic. If you place a gateway appliance, such as a Virtual Router Appliance (VRA) or Juniper vSRX, in the same pod as the VLANs it protects, you can define rules that allow only legitimate, tier-to-tier communication. Also, by configuring in this way, you can create connections to different VLANs in a pod, selectively.
What if you prefer to make all of your private IPs globally reachable within your account? If you enable VLAN spanning, all private VLANs and subnets are reachable from any cloud server in your account. With the “stickiness” of Premium VLANs, it’s easy to configure and reconfigure your private VLANs as your projects and workloads evolve.
With VLAN spanning enabled, you still can segregate selected VLANs by placing a gateway appliance in each pod you want to segregate. Rules in the gateway can determine which VLANs or subnets should communicate, and one gateway can handle multiple VLANs in the same pod.
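The following Python model is an added example, not IBM Cloud code and not a client for the IBM Cloud API. It illustrates the three behaviours discussed above (tiering servers onto separate VLANs, VLAN spanning making every private VLAN reachable, and a gateway appliance in the pod restricting cross-VLAN traffic to legitimate tier-to-tier flows). The VLAN numbers, subnets, tier names and rules are constructed for the example and carry no meaning in a real account.

```python
"""Toy model of tiered VLAN segmentation in one pod, with and without a gateway.

Added example, not IBM Cloud code. It does not call the IBM Cloud API; the VLAN
numbers, subnets, tiers and rules are constructed. It models what the post
describes: traffic within a VLAN is switched and never sees the gateway,
private VLANs are not reachable from the internet, VLAN spanning makes every
private VLAN reachable from every other, and a gateway appliance applies
first-match rules to cross-VLAN traffic so only intended tier-to-tier flows pass.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

INTERNET = "internet"  # pseudo-tier for sources outside the account


@dataclass(frozen=True)
class Vlan:
    vlan_id: int          # hypothetical VLAN number
    tier: str             # role of the servers on it, e.g. "web", "app", "db"
    subnet: IPv4Network   # the subnet placed on the VLAN
    public: bool = False  # True if the VLAN is reachable from the internet


@dataclass(frozen=True)
class Rule:
    """One gateway rule: source tier -> destination tier, protocol, port (None = any)."""
    src_tier: str
    dst_tier: str
    proto: str
    port: Optional[int]
    action: str  # "accept" or "drop"

    def matches(self, src_tier: str, dst_tier: str, proto: str, port: int) -> bool:
        return (self.src_tier == src_tier and self.dst_tier == dst_tier
                and self.proto == proto and self.port in (None, port))


@dataclass
class Pod:
    vlans: List[Vlan]
    vlan_spanning: bool = False
    gateway_rules: Optional[List[Rule]] = None  # None = no gateway appliance in the pod
    gateway_default: str = "drop"               # action when no rule matches

    def vlan_for(self, addr: IPv4Address) -> Optional[Vlan]:
        return next((v for v in self.vlans if addr in v.subnet), None)

    def evaluate(self, src: str, dst: str, proto: str, port: int) -> str:
        """Return "accept" or "drop" for a flow from src to dst:port."""
        src_vlan = self.vlan_for(ip_address(src))
        dst_vlan = self.vlan_for(ip_address(dst))
        if dst_vlan is None:
            raise ValueError(f"{dst} is not on any VLAN in this pod")
        src_tier = src_vlan.tier if src_vlan else INTERNET

        if src_vlan is None and not dst_vlan.public:
            return "drop"            # private VLANs are not internet-routable
        if src_vlan is not None and src_vlan.vlan_id == dst_vlan.vlan_id:
            return "accept"          # same VLAN: switched, the gateway is not in the path
        if self.gateway_rules is not None:
            for rule in self.gateway_rules:   # first matching rule wins
                if rule.matches(src_tier, dst_vlan.tier, proto, port):
                    return rule.action
            return self.gateway_default
        # No gateway: an unprotected public VLAN is wide open to the internet,
        # and private VLANs reach each other exactly when spanning is enabled.
        if src_vlan is None:
            return "accept"
        return "accept" if self.vlan_spanning else "drop"


# Constructed pod: the web tier has a public and a private VLAN, like a server
# ordered with both public and private interfaces; app and db are private only.
VLANS = [
    Vlan(1101, "web", ip_network("203.0.113.0/24"), public=True),
    Vlan(1201, "web", ip_network("10.10.1.0/24")),
    Vlan(1202, "app", ip_network("10.10.2.0/24")),
    Vlan(1203, "db", ip_network("10.10.3.0/24")),
]

# Constructed gateway policy: only the intended tier-to-tier flows are accepted.
TIER_RULES = [
    Rule(INTERNET, "web", "tcp", 443, "accept"),
    Rule("web", "app", "tcp", 8080, "accept"),
    Rule("app", "db", "tcp", 5432, "accept"),
]


def flat_pod(spanning: bool) -> Pod:
    """Pod with no gateway appliance; isolation depends on VLAN spanning alone."""
    return Pod(VLANS, vlan_spanning=spanning)


def tiered_pod(spanning: bool) -> Pod:
    """Pod whose VLANs sit behind a gateway enforcing TIER_RULES."""
    return Pod(VLANS, vlan_spanning=spanning, gateway_rules=TIER_RULES)


if __name__ == "__main__":
    pod = tiered_pod(spanning=True)
    print("web -> db :5432", pod.evaluate("10.10.1.5", "10.10.3.5", "tcp", 5432))
    print("app -> db :5432", pod.evaluate("10.10.2.5", "10.10.3.5", "tcp", 5432))
    print("internet -> web :22", pod.evaluate("198.51.100.7", "203.0.113.10", "tcp", 22))
```

The check a practitioner wants is the compromised-web-server case: with spanning enabled and no gateway, a web host reaches the database VLAN directly, while the same flow behind the gateway falls through to the default drop because no web-to-db rule exists. A real gateway is stateful and the rule syntax is appliance-specific; this model is deliberately stateless and evaluates each direction independently.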
With IBM Cloud Premium VLANs, you can enjoy the benefits of compute-first and network-first thinking. You can rest assured that your network design and configuration will support all your security and workload requirements.
To learn more about Premium VLANs, see our IBM Cloud documentation.