November 29, 2018

Why should data centers have all the fun? Network verification now available for AWS

by Fabrizio Maccioni

What’s been the biggest change to networking in the past decade? While there have been tremendous improvements in automation, capacity and mobility, nothing has had a greater impact on IT organizations than cloud migration. We all know the business drivers behind this evolution, from cost efficiency and resource elasticity to backup and disaster recovery. But there are still concerns and hurdles in migrating the vast majority of mission-critical workloads and traffic to the cloud.

The biggest challenges have to do with loss of control and visibility: of data, of network policies and of security. Cloud platforms are easy to spin up and are architected to be fairly generic for simplicity and flexibility. But to network engineers they tend to look like black boxes: the activity and outputs are clear, but you don’t have the same visibility into network policy details as with on-prem infrastructure. Ultimately, this can lead to security breaches and data loss, or to resistance to migrating to the public cloud at all.

Simplicity as a Trade-off for Visibility and Control

The Console Wizard for AWS Virtual Private Cloud (VPC), for example, is a very straightforward, streamlined tool for setting up a sophisticated hosted private network. It allows IT teams to design dedicated subnets with security policies, load balancers and routing to front-end application workloads. But it does not provide the visibility and control of end-to-end paths, or the ability to analyze and verify traffic patterns and security controls, that network and compliance teams require. Even a basic tool like traceroute is not available through an AWS VPC, let alone more stringent tests of network isolation, sophisticated access controls, NAT rules, routing behavior or VPN policies. Trying to determine the actual network and security policies from the AWS console is frequently an exercise in futility.

This contrast between on-premises networks and cloud is even more acute in hybrid cloud deployments. For application networks and traffic that span on-prem and cloud infrastructure, why do we have to lose visibility to our infrastructure at the gateway to our provider? This is where Forward Networks comes in.

Forward Networks for Hybrid Cloud

Forward Networks has pioneered the ability to verify the end-to-end behavior of networks and then compare that behavior to defined intent, security policies and compliance requirements. We can quickly verify all possible paths through a network that comply with a policy or network intent, or we can confirm the proper isolation (lack of access) between subnets and devices. We shift focus from individual box-by-box testing to analyzing paths through the network end-to-end and the policy behaviors they allow. This moves network troubleshooting from a reactive (after the fact) activity to a proactive error isolation and removal (before an incident) methodology for the first time.

It is only natural to extend the path-oriented focus that Forward Networks provides to hybrid cloud environments. Having the same visibility and policy verification for the cloud component of your infrastructure will greatly accelerate adoption of hybrid and public cloud deployments and simplify network operations. We are starting with AWS VPC support, which is now available in our latest Forward Enterprise release.

Amazon Virtual Private Clouds are implemented as subnets within AWS, with virtual network devices such as load balancers, route tables, security groups, network access control lists, NAT gateways, VPN gateways and access layer switches that interface to each EC2 virtual workload. Imagine if, instead of a “black box” subnet view, each of these virtual devices could be represented as an extension of your physical infrastructure on an always up-to-date topology diagram. Imagine not only having easy access to individual device configurations and state details, but also being able to analyze and verify the end-to-end path behaviors flowing from any on-premises device all the way through to any cloud edge switch and application workload.

Forward Enterprise supports connectivity to AWS through VPN connections (AWS Virtual Private Gateway – VPG), through Direct Connect using VLAN encapsulation, or through the public internet. Ensuring a proper VPN security posture and connectivity is critical for security-conscious organizations that are hesitant to migrate. And that’s just one of many security and policy checks that we can enable for the first time.

Now the Cloud Includes Industry-Leading Verification and Compliance

What kind of policy checks and behaviors are we talking about for a hybrid cloud? Forward Enterprise can verify that only a specific port from on-premises devices can reach the public cloud. Or it can verify that there is complete network isolation from the public cloud to any on-premises subnet or device. If you are familiar with the Forward Enterprise search and verify capabilities, you know that the policy checks are almost limitless once you take into account all the IP networking attributes and parameters that can be designed into search queries.
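To make the first check above concrete, here is an added example that is not Forward Networks' product code: it evaluates a flow against constructed AWS VPC controls with the semantics a verifier has to model (network ACLs are ordered, first-match, implicit deny; security groups are unordered, allow-only) and reports which probe ports violate an "only port 443 from on-prem" policy. All rule sets, CIDRs and hosts are assumed sample data.

```python
"""Added example, not Forward Networks' code: a minimal reachability check over
constructed AWS VPC controls, modelling two semantics a verifier has to get right:
  * Network ACLs are stateless and evaluated in ascending rule-number order;
    the first match wins and the trailing '*' rule denies everything else.
  * Security groups are allow-only and stateful; any matching rule permits the
    flow, there is no deny rule and no ordering.
All rule sets and addresses below are constructed sample data."""
from ipaddress import ip_address, ip_network

ON_PREM = "10.0.0.0/16"  # constructed on-prem CIDR arriving over the VPN

# Constructed subnet NACL: (rule_no, action, proto, port_lo, port_hi, src_cidr)
NACL_INBOUND = [
    (100, "allow", "tcp", 443, 443, ON_PREM),
    (200, "deny", "tcp", 0, 65535, ON_PREM),
    (300, "allow", "tcp", 0, 65535, "0.0.0.0/0"),  # e.g. traffic from a public ALB
]
# Constructed workload security group: (proto, port_lo, port_hi, src_cidr)
SG_INBOUND = [("tcp", 443, 443, "0.0.0.0/0")]

def _matches(proto, port, src, rule_proto, lo, hi, cidr):
    # "-1" is the AWS wildcard protocol
    return (rule_proto in ("-1", proto) and lo <= port <= hi
            and ip_address(src) in ip_network(cidr))

def nacl_allows(rules, proto, port, src):
    """Ordered evaluation: the lowest-numbered matching rule decides."""
    for _, action, rp, lo, hi, cidr in sorted(rules):
        if _matches(proto, port, src, rp, lo, hi, cidr):
            return action == "allow"
    return False  # implicit '*' deny

def sg_allows(rules, proto, port, src):
    """Unordered allow list: any matching rule permits the flow."""
    return any(_matches(proto, port, src, rp, lo, hi, cidr) for rp, lo, hi, cidr in rules)

def reachable(proto, port, src):
    """The flow reaches the workload only if every control on the path allows it."""
    return nacl_allows(NACL_INBOUND, proto, port, src) and sg_allows(SG_INBOUND, proto, port, src)

def verify_only_port_from_on_prem(allowed_port=443, probe_ports=(22, 80, 443, 3389, 8080)):
    """The post's policy: only one port from on-prem devices may reach the cloud subnet.
    Returns the probe ports that violate it (an empty list means the policy holds)."""
    src = "10.0.5.7"  # constructed on-prem host
    return [p for p in probe_ports if reachable("tcp", p, src) != (p == allowed_port)]
```

Note that rule 300 would admit any TCP port from the on-prem range if rule 200 were renumbered above it; a path-based verifier has to honour that ordering rather than treat the ACL as a set.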

Moving this level of visibility to individual public cloud virtual devices and subnets promises to alleviate many of the compliance concerns around public cloud adoption. A primary use case for AWS VPC visibility, in fact, is to verify the accurate implementation of business and security policies before and after migrating services to the cloud. Forward Enterprise can verify that policy requirements are met as consistently in the cloud as when everything is on-premises, with no guessing, risk or roll-back.

The end result will be a dramatically new method for viewing, analyzing and controlling AWS-deployed services, consistent with the path-based analysis Forward Networks has already achieved with on-premises networks. IT organizations will finally be able to combine the elasticity and efficiency of the public cloud with complete confidence and control.

Want to learn more? Reach out to us or watch our video demo:
