November 29, 2018

Why should data centers have all the fun? Network verification now available for AWS

by Charlie Elliott

What’s been the biggest change to networking in the past decade? While there have been tremendous improvements in automation, capacity and mobility, nothing has had a greater impact on IT organizations than cloud migration. We all know the business drivers behind this evolution, from cost efficiency and resource elasticity to backup and disaster recovery. But there are still concerns and hurdles in migrating the vast majority of mission-critical workloads and traffic to the cloud.

The biggest challenges have to do with loss of control and visibility: of data, network policies and security. Cloud platforms are easy to spin up and are architected to be fairly generic for simplicity and flexibility. But to network engineers, they tend to look like black boxes, where the activity and outputs are clear but you don’t have the same visibility into network policy details as with on-prem infrastructure. Ultimately, this can lead to potential security breaches and data loss, or to resistance to migrating to the public cloud.

Simplicity as a Trade-off for Visibility and Control

The Console Wizard for AWS Virtual Private Cloud (VPC), for example, is a very straightforward, streamlined tool for setting up a sophisticated hosted private network. It allows IT teams to design dedicated subnets with security policies, load balancers and routing protocols to front-end application workloads. But it does not provide the visibility and control of end-to-end paths, or the ability to analyze and verify traffic patterns and security controls, that network and compliance teams require. Even basic tools like traceroute are not available through an AWS VPC, let alone more stringent tests for network isolation, sophisticated access controls, NAT rules, routing behavior, or VPN policies. Trying to determine actual network and security policies from the AWS console is frequently an exercise in futility.

This contrast between on-premises networks and cloud is even more acute in hybrid cloud deployments. For application networks and traffic that span on-prem and cloud infrastructure, why do we have to lose visibility to our infrastructure at the gateway to our provider? This is where Forward Networks comes in.

Forward Networks for Hybrid Cloud

Forward Networks has pioneered the ability to verify the end-to-end behavior of networks and then compare that behavior to defined intent, security policies and compliance requirements. We can quickly verify all possible paths through a network that comply with a policy or network intent, or we can confirm the proper isolation (lack of access) between subnets and devices. We shift focus from individual box-by-box testing to analyzing paths through the network end-to-end and the policy behaviors they allow. This moves network troubleshooting from a reactive (after the fact) activity, to a proactive, error isolation and removal (before an incident) methodology for the first time.

A view of an AWS Virtual Private Cloud (VPC) network in Forward Enterprise. The focus is on an AWS route table showing available connections and configuration details.

The path-oriented focus that Forward Networks provides is only natural to now extend to hybrid cloud environments. Having the same visibility and policy verification for the cloud component of your infrastructure will greatly accelerate adoption of hybrid and public cloud deployments and simplify network operations. We are starting with AWS VPC support, which is now available in our latest Forward Enterprise release.

Amazon Virtual Private Clouds are implemented as subnets within AWS with virtual network devices such as load balancers, routing tables, security policy groups, access control lists, NAT gateways, VPN gateways and access layer switches that interface to each EC2 virtual workload. Imagine if instead of a “black box” subnet view, each of these virtual devices could be represented as an extension of your physical infrastructure on an always up-to-date topology diagram. And not only having easy access to individual device configurations and state details, but to analyze and verify the end-to-end path behaviors flowing from any on-premises device all the way through to any cloud edge switch and application workload.

Forward Enterprise search query of a hybrid cloud network including Amazon AWS subnets.

Forward Enterprise supports connectivity to AWS through VPN connections (AWS Virtual Private Gateway – VPG), Direct Connect with VLAN encapsulation, or the public internet. Ensuring proper VPN security posture and connectivity is critical for security-conscious organizations that are hesitant to migrate. And that’s just one of many security and policy checks that we can enable for the first time.

Now the Cloud Includes Industry-Leading Verification and Compliance

What kind of policy checks and behaviors are we talking about for a hybrid cloud? Forward Enterprise can verify that only a specific port from on-premises devices can reach the public cloud. Or verify that there is complete network isolation from the public cloud to any on-premises subnet or device. If you are familiar with Forward Enterprise search and verify capabilities, you know that the policy checks are almost limitless when you take into account all the IP networking attributes and parameters that can be designed into search queries.
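The two checks described above, a single allowed port from on-prem into the VPC and complete isolation in the reverse direction, expressed as an added example over a constructed toy model of route tables and a security group. This is illustrative code written for this article, not Forward Enterprise's data model or query language; the CIDRs, route targets and rule shapes are assumptions.

```python
from ipaddress import ip_network

# Constructed sample hybrid network (assumed values, not a real deployment):
# an on-prem /16 reaching an AWS VPC subnet over a Virtual Private Gateway.
ON_PREM = ip_network("10.10.0.0/16")
VPC_SUBNET = ip_network("172.16.1.0/24")

# Route tables as (destination CIDR, target); longest prefix match wins.
ONPREM_ROUTES = [("172.16.1.0/24", "vpn-to-vpg"), ("0.0.0.0/0", "internet")]
VPC_ROUTES = [("172.16.0.0/16", "local")]  # deliberately no route back on-prem

# Security group ingress on the workload: (source CIDR, proto, from_port, to_port).
WORKLOAD_SG_INGRESS = [("10.10.0.0/16", "tcp", 443, 443)]

def next_hop(routes, dst):
    """Longest-prefix-match lookup; None means no route, i.e. the packet drops."""
    dst_net = ip_network(dst)
    matches = [(ip_network(c), t) for c, t in routes
               if dst_net.subnet_of(ip_network(c))]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def sg_allows(rules, src, proto, port):
    """Stateful SG semantics: any matching ingress rule admits the flow."""
    src_net = ip_network(src)
    return any(src_net.subnet_of(ip_network(c)) and p == proto and lo <= port <= hi
               for c, p, lo, hi in rules)

def onprem_reaches_vpc(src, dst, proto, port):
    """End-to-end check: on-prem routing must pick the VPG, then the SG must admit."""
    return (next_hop(ONPREM_ROUTES, dst) == "vpn-to-vpg"
            and sg_allows(WORKLOAD_SG_INGRESS, src, proto, port))

def only_port_open(src, dst, proto, allowed_port, probe_ports=range(1, 1025)):
    """Policy 1: exactly one port from the on-prem source reaches the workload."""
    open_ports = {p for p in probe_ports if onprem_reaches_vpc(src, dst, proto, p)}
    return open_ports == {allowed_port}

def cloud_isolated_from_onprem():
    """Policy 2: the VPC route table must not cover any part of the on-prem space.
    Uses overlaps(), so a route to even a sub-range of ON_PREM fails the check."""
    return not any(ip_network(c).overlaps(ON_PREM) for c, _ in VPC_ROUTES)
```

Swapping in exported route tables and security group rules in place of the constructed lists turns the two functions into a repeatable pre- and post-migration check.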

Moving this level of visibility to individual public cloud virtual devices and subnets promises to alleviate many of the compliance concerns around public cloud adoption. A primary use case for AWS VPC visibility, in fact, is to verify the accurate implementation of business and security policies pre- and post-migration when moving services to the cloud. Forward Enterprise can verify that policy requirements are met as consistently in the cloud as when completely on-premises, with no guessing, risk or roll-back.

The end result will be a dramatically new method for viewing, analyzing and controlling AWS-deployed services, consistent with the superior path-based analysis Forward Networks has already achieved with on-premises networks. IT organizations will finally be able to combine elasticity and efficiency of the public cloud with complete confidence and control.
