September 2, 2014 | Written by: IBM Cloud Staff
By Hartmut Penner, Tarun Chopra and Bob St. John
It is widely accepted that hybrid cloud offers a multitude of financial and technical benefits, but there also are challenges to be considered when moving forward with a hybrid cloud strategy. Paramount among those challenges is network security—specifically protecting against threats to data privacy when extending on-premises private compute infrastructure to an off-premises public cloud infrastructure.
As part of our study of the potential and possibilities of a hybrid cloud consisting of System z and SoftLayer public cloud resources, we examined this issue and developed a blueprint for a secure network infrastructure spanning the on-premises and off-premises cloud infrastructure.
For this study, the infrastructure is agnostic of the cloud deployment methodology; it works with bare metal servers as well as with CloudLayer Computing Instances or a cloud-computing platform like OpenStack. The secure network infrastructure is built around the SoftLayer network gateway and its rich set of functions and features provides the building blocks for setting up the secure hybrid environment described below.
(Related: Benefits and challenges of hybrid cloud: Use cases for System z)
The network gateway provides an IPsec infrastructure based on open-source technology, making it possible to connect the SoftLayer infrastructure to the on-premises data center. The advantage of this approach is that the on-premises network infrastructure does not need to be reachable from the Internet: only the IPsec endpoint on SoftLayer needs a public IP address, and the on-premises data center initiates the connection to it. Through the VPN tunnel, both environments (on-premises and SoftLayer) are reachable by plain IP traffic without additional complex routing.
As an additional feature, SoftLayer enables the use of the network gateway as the router between VLANs. After ordering private VLANs and associated IP subnets, it is possible to order bare metal or virtual servers within those pre-allocated zones. Once the VLANs are associated with the network gateway and routing through it is enabled, all traffic within a zone and between zones is controlled solely by the network gateway. If this network gateway is also used as the VPN endpoint to the on-premises data center, it likewise controls traffic between all of the resources, on-premises and in the SoftLayer cloud.
With all traffic routed through the network gateway, it is now possible to shape the traffic by using the built-in firewall. For each pair of zones, traffic can be restricted by port, IP address range and protocol, providing fine-grained control over IP traffic within SoftLayer and to the on-premises data center.
Building a Secure Hybrid Cloud Environment
With these building blocks we are now ready to define an architectural blueprint (see figure), which will serve as the base for constructing a hybrid cloud installation with built-in security. On SoftLayer, we allocate three private VLAN zones with an appropriate subnet size. Zone 1 is used as a DMZ zone and hosts those servers which have direct access to the Internet (e.g. a load balancer). These servers are protected by additional firewalls provided by SoftLayer, such as the FortiGate® Security Appliance.
Zone 2 (APP Zone) hosts the main functionality of the public cloud part of the hybrid solution (e.g. Application Server). Only this zone has connectivity to the on-premises data center. Zone 3 (PRIV Zone) is for private services used by the hybrid solution. It is only accessible from Zone 2 (e.g. Data cache, DB). The Network Gateway is used as the VPN Gateway to the on-premises data center and also as a firewall for the zones as described earlier.
On-premises, an appropriate DMZ provides additional protection for the on-premises data center. This function can be provided by an appliance such as the WebSphere® DataPower® Integration Appliance XI52, which in addition to protection offers features like protocol conversion. The whole hybrid cloud environment can be managed from on-premises, assuming the management infrastructure sits within the subnet reachable through the VPN.
This setup also allows new hybrid solutions to be developed with no public Internet access. The application need not be connected to the Internet until extensive testing has been completed and authentication, encryption and the firewall setup are in place. Using the provided interfaces, the VPN and zoning setup can be fully automated through the CLI or RESTful API of the network gateway.
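To make the zoning rules above concrete, here is an added example (not code from the original post or from SoftLayer) that models the three SoftLayer zones plus the on-premises network as a first-match, default-deny policy, evaluates candidate flows against it, and checks the blueprint's invariants: PRIV is reachable only from APP, only APP talks to on-premises, and the Internet reaches only the DMZ. The zone subnets, ports and rule entries are assumed, illustrative values; the real rules are entered on the network gateway, but a table like this one is what the setup scripts mentioned later would drive.

```python
"""Zone-policy model for the three-zone blueprint (added example, not IBM's code).

Assumptions (not from the original post): the zone subnets, the ports and the
individual rules are illustrative. Semantics: first matching rule wins, and any
flow without a matching rule is denied (default deny at the gateway).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumed subnets. ONPREM is reached through the IPsec tunnel, INTERNET is the
# catch-all for anything not in a known zone.
ZONES = {
    "INTERNET": ipaddress.ip_network("0.0.0.0/0"),
    "DMZ": ipaddress.ip_network("10.1.1.0/24"),      # Zone 1: load balancer
    "APP": ipaddress.ip_network("10.1.2.0/24"),      # Zone 2: application servers
    "PRIV": ipaddress.ip_network("10.1.3.0/24"),     # Zone 3: cache, database
    "ONPREM": ipaddress.ip_network("10.0.0.0/16"),   # on-premises data center
}


@dataclass(frozen=True)
class Rule:
    src: str              # source zone name
    dst: str              # destination zone name
    proto: str            # "tcp", "udp" or "any"
    ports: frozenset      # allowed destination ports; empty means any port
    action: str           # "allow" or "deny"


# Only the flows the blueprint needs; everything else falls to the default deny.
# Management of DMZ and PRIV from on-premises is assumed to go via APP.
POLICY = [
    Rule("INTERNET", "DMZ", "tcp", frozenset({443}), "allow"),        # clients -> LB
    Rule("DMZ", "APP", "tcp", frozenset({8443}), "allow"),            # LB -> app server
    Rule("APP", "PRIV", "tcp", frozenset({5432, 6379}), "allow"),     # app -> DB, cache
    Rule("APP", "ONPREM", "tcp", frozenset({443}), "allow"),          # app -> on-prem DMZ
    Rule("ONPREM", "APP", "tcp", frozenset({22, 443}), "allow"),      # management via VPN
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; unknown addresses are treated as Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if name != "INTERNET" and addr in net:
            return name
    return "INTERNET"


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int,
             policy: list[Rule] = POLICY) -> str:
    """Return 'allow' or 'deny' for a flow under first-match, default-deny rules."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in policy:
        if (rule.src == src and rule.dst == dst
                and rule.proto in ("any", proto)
                and (not rule.ports or dport in rule.ports)):
            return rule.action
    return "deny"


def check_invariants(policy: list[Rule]) -> list[str]:
    """List every allow rule that breaks the blueprint's zoning invariants."""
    violations = []
    for rule in policy:
        if rule.action != "allow":
            continue
        if rule.dst == "PRIV" and rule.src != "APP":
            violations.append(f"PRIV reachable from {rule.src}")
        if "ONPREM" in (rule.src, rule.dst) and "APP" not in (rule.src, rule.dst):
            violations.append(f"on-prem path {rule.src}->{rule.dst} bypasses APP")
        if rule.src == "INTERNET" and rule.dst != "DMZ":
            violations.append(f"Internet reaches {rule.dst} directly")
    return violations


if __name__ == "__main__":
    # Constructed sample flows: LB to app is allowed, LB straight to DB is not.
    print(evaluate("10.1.1.10", "10.1.2.10", "tcp", 8443))   # allow
    print(evaluate("10.1.1.10", "10.1.3.10", "tcp", 5432))   # deny
    print(check_invariants(POLICY))                          # []
```

Run `check_invariants` against the rule table before pushing any change to the gateway; a rule that opens PRIV to the DMZ or gives PRIV a path to on-premises is exactly the kind of mistake that is easy to make in a hand-edited firewall and hard to spot afterwards.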
(Related: Enterprise hybrid cloud computing with System z and SoftLayer)
The configuration files for the setup are contained within simple scripts and as such can be maintained for reproducible and adaptive setup of this secured architecture. Future work will be around consumability, performance and high availability.
Our recent white paper, Enterprise Hybrid Computing – System z and SoftLayer, provides a more detailed view of security in a hybrid computing environment that uses these resources.
Tarun Chopra is Program Director of System z Performance for IBM. You can follow him at @tc20640n
Hartmut Penner is Senior Technical Staff Member, System z Performance, IBM
Bob St. John is Senior Technical Staff Member, System z Performance, IBM