November 29, 2018

Why should data centers have all the fun? Network verification now available for AWS

by Charlie Elliott

What’s been the biggest change to networking in the past decade? While there have been tremendous improvements in automation, capacity and mobility, nothing has had a greater impact on IT organizations than cloud migration. We all know the business drivers behind this evolution, from cost efficiency and resource elasticity to backup and disaster recovery. But there are still concerns and hurdles in migrating the vast majority of mission-critical workloads and traffic to the cloud.

The biggest challenges have to do with loss of control and visibility: of data, network policies and security. Cloud platforms are easy to spin up and are architected to be fairly generic for simplicity and flexibility. But to network engineers, they tend to look like black boxes, where the activity and outputs are clear but you don’t have the same visibility into network policy details that you have on-prem. Ultimately, this can lead to security breaches and data loss, or to resistance to migrating to the public cloud at all.

Simplicity as a Trade-off for Visibility and Control

The Console Wizard for AWS Virtual Private Cloud (VPC), for example, is a very straightforward, streamlined tool for setting up a sophisticated hosted private network. It allows IT teams to design dedicated subnets with security policies, load balancers and routing protocols to front-end application workloads. But it does not provide the visibility and control of end-to-end paths, or the ability to analyze and verify traffic patterns and security controls, that network and compliance teams require. Even a basic tool like traceroute is not available through an AWS VPC, let alone more stringent tests for network isolation, sophisticated access controls, NAT rules, routing behavior or VPN policies. Trying to determine the actual network and security policies from the AWS console is frequently an exercise in futility.

This contrast between on-premises networks and cloud is even more acute in hybrid cloud deployments. For application networks and traffic that span on-prem and cloud infrastructure, why do we have to lose visibility into our infrastructure at the gateway to our provider? This is where Forward Networks comes in.

Forward Networks for Hybrid Cloud

Forward Networks has pioneered the ability to verify the end-to-end behavior of networks and then compare that behavior to defined intent, security policies and compliance requirements. We can quickly verify all possible paths through a network that comply with a policy or network intent, or we can confirm proper isolation (lack of access) between subnets and devices. We shift focus from individual box-by-box testing to analyzing paths through the network end-to-end and the policy behaviors they allow. For the first time, this moves network troubleshooting from a reactive activity (after the fact) to a proactive methodology of error isolation and removal (before an incident).

A view of an AWS Virtual Private Cloud (VPC) network in Forward Enterprise. The focus is on an AWS route table showing available connections and configuration details.

It is only natural to extend the path-oriented focus that Forward Networks provides to hybrid cloud environments. Having the same visibility and policy verification for the cloud component of your infrastructure will greatly accelerate adoption of hybrid and public cloud deployments and simplify network operations. We are starting with AWS VPC support, which is now available in our latest Forward Enterprise release.

Amazon Virtual Private Clouds are implemented as subnets within AWS with virtual network devices such as load balancers, route tables, security groups, network access control lists, NAT gateways, VPN gateways and access-layer switches that interface to each EC2 virtual workload. Imagine if, instead of a “black box” subnet view, each of these virtual devices could be represented as an extension of your physical infrastructure on an always up-to-date topology diagram. Imagine not only having easy access to individual device configurations and state details, but also being able to analyze and verify the end-to-end path behaviors flowing from any on-premises device all the way through to any cloud edge switch and application workload.

Forward Enterprise search query of a hybrid cloud network including Amazon AWS subnets.

Forward Enterprise supports connectivity to AWS through VPN connections (AWS Virtual Private Gateway – VPG), through Direct Connect with VLAN encapsulation, or through the public internet. Ensuring proper VPN security posture and connectivity is critical for security-conscious organizations that are hesitant to migrate. And that’s just one of many security and policy checks that we can enable for the first time.

Now the Cloud Includes Industry-Leading Verification and Compliance

What kind of policy checks and behaviors are we talking about for a hybrid cloud? Forward Enterprise can verify that only a specific port from on-premises devices can reach the public cloud. Or it can verify that there is complete network isolation from the public cloud to any on-premises subnet or device. If you are familiar with the Forward Enterprise search and verify capabilities, you know that the policy checks are almost limitless once you take into account all the IP networking attributes and parameters that can be designed into search queries.
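To make the two checks above concrete, here is an added example (not Forward Enterprise code, and not from the original post) that models them offline in Python. It assumes a simplified view of the two AWS filtering layers that sit in front of an EC2 workload: a network ACL (stateless, evaluated in rule-number order, first match wins, implicit deny) and a security group (allow-only, any match permits, implicit deny). All CIDRs, addresses and rules below are constructed for the demonstration. The example goes a little beyond the post by showing two ways such a policy silently fails: configuration drift in the security group, and a deny rule shadowed by a lower-numbered allow in the NACL.

```python
import ipaddress
from dataclasses import dataclass

ALL_PORTS = range(0, 65536)


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny" (security groups are allow-only)
    proto: str       # "tcp", "udp" or "-1" for any protocol
    from_port: int   # inclusive port range; ignored when proto == "-1"
    to_port: int
    net: ipaddress.IPv4Network  # peer CIDR (source for inbound, destination for outbound)
    number: int = 32767         # NACL rule number; lower numbers are evaluated first


def rule(action, proto, from_port, to_port, cidr, number=32767):
    return Rule(action, proto, from_port, to_port, ipaddress.ip_network(cidr), number)


def reachable_ports(nacl, sg, proto, peer_ip):
    """Ports on which a flow between the subnet and peer_ip passes BOTH layers.
    NACL: stateless, first match in rule-number order wins, implicit deny.
    Security group: any matching rule allows, implicit deny."""
    peer = ipaddress.ip_address(peer_ip)
    # Peer and protocol are fixed for the whole scan, so narrow both rule sets once.
    nacl_hits = [r for r in sorted(nacl, key=lambda r: r.number)
                 if r.proto in ("-1", proto) and peer in r.net]
    sg_hits = [r for r in sg if r.proto in ("-1", proto) and peer in r.net]

    def in_range(r, port):
        return r.proto == "-1" or r.from_port <= port <= r.to_port

    def nacl_allows(port):
        for r in nacl_hits:
            if in_range(r, port):
                return r.action == "allow"
        return False

    return {p for p in ALL_PORTS
            if nacl_allows(p) and any(in_range(r, p) for r in sg_hits)}


def check_only_port(nacl_in, sg_in, onprem_ip, allowed_port):
    """Policy 1: from the on-prem address, only allowed_port/tcp may reach the subnet.
    Returns {proto: [offending ports]}; an empty dict means the policy holds."""
    violations = {}
    for proto in ("tcp", "udp"):
        extra = reachable_ports(nacl_in, sg_in, proto, onprem_ip)
        if proto == "tcp":
            extra.discard(allowed_port)
        if extra:
            violations[proto] = sorted(extra)
    return violations


def check_isolated(nacl_out, sg_out, onprem_ip):
    """Policy 2: the subnet may not initiate any tcp/udp flow to the on-prem address."""
    violations = {}
    for proto in ("tcp", "udp"):
        ports = reachable_ports(nacl_out, sg_out, proto, onprem_ip)
        if ports:
            violations[proto] = sorted(ports)
    return violations


# Constructed sample configuration (not taken from any real account).
ONPREM = "10.20.0.0/16"       # corporate range behind the VPN gateway
ONPREM_HOST = "10.20.5.7"     # representative on-prem source/destination address

NACL_IN = [
    rule("allow", "tcp", 443, 443, ONPREM, number=100),
    # Stateless NACLs need a wide ephemeral-port allow for return traffic,
    # which is why the security group is what really enforces policy 1.
    rule("allow", "tcp", 1024, 65535, "0.0.0.0/0", number=110),
]
SG_IN = [rule("allow", "tcp", 443, 443, ONPREM)]
# Drift: someone opened a test port to the whole corporate range.
SG_IN_DRIFTED = SG_IN + [rule("allow", "tcp", 8080, 8080, ONPREM)]

NACL_OUT = [
    rule("deny", "-1", 0, 65535, ONPREM, number=100),        # block cloud -> on-prem first
    rule("allow", "-1", 0, 65535, "0.0.0.0/0", number=110),  # then allow everything else
]
# The same two rules with the numbers swapped: the allow now shadows the deny.
NACL_OUT_MISORDERED = [
    rule("allow", "-1", 0, 65535, "0.0.0.0/0", number=100),
    rule("deny", "-1", 0, 65535, ONPREM, number=110),
]
SG_OUT = [rule("allow", "-1", 0, 65535, "0.0.0.0/0")]  # AWS default egress rule


if __name__ == "__main__":
    print("policy 1, intended SG:", check_only_port(NACL_IN, SG_IN, ONPREM_HOST, 443))
    print("policy 1, drifted SG: ", check_only_port(NACL_IN, SG_IN_DRIFTED, ONPREM_HOST, 443))
    print("policy 2, ordered NACL:", check_isolated(NACL_OUT, SG_OUT, ONPREM_HOST))
    bad = check_isolated(NACL_OUT_MISORDERED, SG_OUT, ONPREM_HOST)
    print("policy 2, misordered NACL:", {k: len(v) for k, v in bad.items()}, "ports reachable")
```

The point of evaluating both layers together is that neither one alone tells you what is reachable: the NACL's ephemeral-port allow looks alarming in isolation but is harmless while the security group is tight, and a correct-looking NACL deny protects nothing if a lower-numbered allow matches first. A real deployment would feed the same checks from `describe_network_acls` and `describe_security_groups` output rather than hand-built rules, and would also have to account for route tables and the VPN or Direct Connect path before the rules are even consulted.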

Moving this level of visibility to individual public cloud virtual devices and subnets promises to alleviate many of the compliance concerns around public cloud adoption. A primary use case for AWS VPC visibility, in fact, is to verify the accurate implementation of business and security policies before and after migrating services to the cloud. Forward Enterprise can verify that policy requirements are met as consistently in the cloud as when everything was on-premises, with no guessing, risk or roll-back.

The end result will be a dramatically new method for viewing, analyzing and controlling AWS-deployed services, consistent with the path-based analysis Forward Networks has already achieved for on-premises networks. IT organizations will finally be able to combine the elasticity and efficiency of the public cloud with complete confidence and control.
