Changing the delivery of IT

Tony Bishop




Using CloudSwitch to Create a Public IP Gateway to the Cloud

By Pavan Pant

We recently talked about the latest release of CloudSwitch enterprise, and since that blog post went live we have garnered a lot of interest in our public IP gateway to the cloud: the ability to provide secure access from the public Internet to servers in the cloud. There are many cases in which customers want to deploy Internet-facing applications to the cloud to help reduce bandwidth constraints within their data centers and improve performance by moving compute resources closer to their customers. To accomplish this, customers needed a firewall in the cloud to ensure secure Internet access to their servers there, which is exactly what CloudSwitch delivered.

As Director of Product Management at CloudSwitch, I have had the pleasure of speaking to our customers to understand their use cases and have found that they are talking about things beyond just the migration of servers to the cloud. Customers have started thinking about adding servers to the cloud in a scalable fashion to handle surges in traffic and have frequently requested public connectivity to their servers in the cloud via a firewall. This shows a broadening of the use cases and growing adoption of the cloud. Given that our most popular feature so far is related to our public IP feature, I thought it would be useful to dive into some use cases and how our firewall in the cloud can be configured to meet those use cases.

Use Cases

Use Case 1: Hosting Infrastructure in the Cloud

One of our customers was seeing heavy traffic spikes during major holidays and marketing campaigns. Rather than provision new equipment or rent more space in its colo – both expensive options – this company now leverages the cloud and CloudSwitch to handle peak overflow traffic easily, giving website visitors secure, public connectivity to cloud resources through public IP addresses, while managing these same resources through CloudSwitch’s secure data center connections.  With the public IP gateway in the cloud our customers can now securely host a multi-tier application in the cloud.

Other things we have heard about include the ability to use the cloud for peak capacity for surges in traffic when the market opens and closes. The idea is to use a firewall for public connectivity to the cloud and a load balancer to have overflow traffic automatically routed to the appropriate server in the cloud.

Consider a scenario where you have two front-end web servers in the cloud, a SharePoint 2007 server, a SugarCRM server, and database servers running SQL 2008. These servers have been migrated to the cloud using CloudSwitch, which means that they have the same IP addresses as they did in the data center. This diagram shows how CloudSwitch can deploy a colo-type footprint in the cloud by hosting a multi-tiered application in a secure fashion with public connectivity.

Public_Connectivity_to_the_Cloud

Once you have your servers in the cloud, the next step in allowing public connectivity to the cloud is to move our SmoothWall firewall (in the “Network Library” folder) to the cloud. Our network library only has one firewall at the moment, but we intend to add many more network-related infrastructure components in the near future.

You will notice that the new public IP access feature has one interface (the red interface) that is assigned a public address, while another interface (the green interface) can be placed on the network LAN for your servers in the cloud. Once you have moved this firewall to the cloud and started it there, it connects to the Internet through the red interface and acquires a public IP address (e.g., an Amazon Elastic IP). It then connects to your data center through the green interface on the same subnet as the CSA. The public IP address is reserved in Amazon for as long as this appliance is in CloudSwitch; the IP address is released when you delete the appliance in CloudSwitch. This means that you can power off the appliance and still keep the IP address. All this can be configured by opening a console window through CloudSwitch:

CloudSwitch Console

Once you have the firewall in the cloud configured, you can create firewall rules in SmoothWall to determine what type of traffic from the public Internet should be sent to your servers in the cloud.

Smooth_Wall_Express_1

In addition to this, you can also configure the firewall to send traffic to specific subnets or exclude traffic from going to specific servers on a subnet. Once these firewall rules have been configured you will be leveraging a cloud provider’s bandwidth for public connectivity and have the flexibility to increase your footprint in the cloud instead of being limited by a traditional data center footprint.

Use Case 2: Remote Office Scenario

Another use case that we hear about is related to allowing layer 3 access to servers in the cloud for remote office workers. More specifically, the request is to create a secure tunnel to access servers in the cloud without going through the data center. 

This is also a scenario that is possible via CloudSwitch’s firewall in the cloud. It is possible for SmoothWall to inter-operate with any VPN product that supports IPSec and standard encryption techniques such as 3DES. As a result of this, customers can now have their employees accessing their servers in the cloud from a remote office over a secure layer 3 tunnel.

Remote_Office_Connectivity_to_the_Cloud

Full Feature Set for Firewall in the Cloud

Unlike the simplistic firewalls provided by cloud providers, our SmoothWall firewall has some useful features that CloudSwitch allows customers to leverage in the cloud. It is probably worthwhile to go through some of these:

1. Timed Access

CloudSwitch’s firewall in the cloud has the ability to create firewall rules that allow or disallow access at certain times of the day for a specified group of servers in the cloud. The timed access controls are applied only to the listed machines. Customers can enter one IP address or one network with netmask per line in the supplied text box. For example, 192.168.168.0/24 will block/allow the entire range of 192.168.168.0 through 192.168.168.255; alternatively, it can be entered as 192.168.168.0/255.255.255.0.

Smooth_Wall_Express_2
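The address list described above can be checked before it is pasted into the text box. The following is an added example, not CloudSwitch or SmoothWall code: it accepts both notations the post mentions, rejects malformed lines, and tests whether a host falls under a timed rule. The function names and the start/end window model are assumptions made for illustration.

```python
import ipaddress
from datetime import time

# Constructed sample of text-box content: one address or network per line.
SAMPLE = """192.168.168.0/24
192.168.168.0/255.255.255.0
10.1.2.3
192.168.168.5/24
not-an-ip
"""

def parse_entries(text):
    """Return (networks, errors); both CIDR and dotted-netmask forms are accepted."""
    networks, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            # strict=True rejects a network written with host bits set,
            # e.g. 192.168.168.5/24, instead of silently widening it.
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            errors.append((lineno, entry, str(exc)))
    # Merge duplicates and overlapping ranges (same range in two notations).
    return list(ipaddress.collapse_addresses(networks)), errors

def in_window(now, start, end):
    """True if now is in [start, end); handles windows that wrap past midnight."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end

def rule_applies(host, now, networks, start, end):
    """A timed rule covers a host only if it is listed and the clock is in the window."""
    addr = ipaddress.ip_address(host)
    return in_window(now, start, end) and any(addr in net for net in networks)

if __name__ == "__main__":
    nets, errs = parse_entries(SAMPLE)
    for net in nets:
        print(net, "covers", net[0], "through", net[-1])
    for lineno, entry, msg in errs:
        print(f"line {lineno}: rejected {entry!r}: {msg}")
    print(rule_applies("192.168.168.77", time(23, 30), nets, time(22, 0), time(6, 0)))
```
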

2. QoS

SmoothWall is able to decide whether some network traffic is more urgent than the rest. Think of your network connection as a multilane freeway or motorway: QoS lets you allocate specific bandwidth to specific servers.

3. Logging

Logging for CloudSwitch’s firewall in the cloud includes reports of who was trying to do what. Much like any standard log viewer, customers can select the date they are interested in viewing using the drop-down boxes at the top of the page. The body of the page displaying the log files is made up of a table of packets that were dropped by the firewall. Included here are the Source and Destination IP addresses and ports, as well as the protocol involved.

Smooth_Wall_Express_4

4. IP Block Configuration

This page enables the administrator to selectively block external IP addresses from accessing the SmoothWall and any machines behind it.

Smooth_Wall_Express_5
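The logging and IP block features described above work together: the dropped-packet table shows which external sources keep probing, and those are the addresses to consider for the block list. The following is an added example, not SmoothWall code and not its log format: the comma-separated rows are constructed from the columns the post names, and the internal range and port threshold are assumptions.

```python
import csv
import ipaddress
from collections import defaultdict

# Constructed sample rows: protocol, source IP, source port, destination IP,
# destination port. External sources use documentation address ranges.
SAMPLE_LOG = """\
TCP,203.0.113.9,40112,192.168.168.10,22
TCP,203.0.113.9,40113,192.168.168.10,23
TCP,203.0.113.9,40114,192.168.168.10,3389
TCP,203.0.113.9,40115,192.168.168.11,445
UDP,198.51.100.7,53211,192.168.168.10,161
TCP,198.51.100.7,53300,192.168.168.10,8080
TCP,192.168.168.20,50000,192.168.168.10,1433
"""

# Assumed address range of the servers behind the firewall.
INTERNAL = ipaddress.ip_network("192.168.168.0/24")

def summarize_drops(text):
    """Group dropped packets by source: count, distinct target ports, target hosts."""
    stats = defaultdict(lambda: {"count": 0, "ports": set(), "hosts": set()})
    for row in csv.reader(text.splitlines()):
        if len(row) != 5:
            continue  # skip blank or malformed rows
        proto, src, _sport, dst, dport = row
        entry = stats[src]
        entry["count"] += 1
        entry["ports"].add((proto, int(dport)))
        entry["hosts"].add(dst)
    return dict(stats)

def block_candidates(stats, min_ports=3):
    """External sources dropped on at least min_ports distinct destination ports."""
    candidates = []
    for src, entry in stats.items():
        if ipaddress.ip_address(src) in INTERNAL:
            continue  # the IP block page is for external addresses only
        if len(entry["ports"]) >= min_ports:
            candidates.append(src)
    return sorted(candidates, key=ipaddress.ip_address)

if __name__ == "__main__":
    summary = summarize_drops(SAMPLE_LOG)
    for src in block_candidates(summary):
        ports = sorted(port for _proto, port in summary[src]["ports"])
        print(f"{src}: {summary[src]['count']} drops, ports {ports}")
```
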

5. Dynamic DNS

If our customers have a connection with a dynamic IP address, the dynamic DNS section of SmoothWall allows them to use the dynamic DNS services provided by dyndns.org, no-ip.com, hn.org, dhs.org and/or dyns.cx. These services allow people without a static IP address to have a subdomain name pointing to their computer, allowing them to run services like a web server, VNC, etc.

The first step for using dynamic DNS with SmoothWall is, of course, to subscribe to this free service with one of the supported providers. Once this is done, you just have to fill in the following configuration information on SmoothWall's dynamic DNS configuration page.

Smooth_Wall_Express_6

While all these capabilities are great, it does beg the question of why customers would not just use firewalls provided by Amazon or Terremark. As mentioned earlier, cloud providers typically only have firewalls with simplistic rule sets. Customers do not need to be constrained by a cloud provider’s firewall anymore: with CloudSwitch they now have the ability to define a rich set of firewall rules, services and policies that control public Internet access to their servers in the cloud.

I hope that the use cases and feature set outlined in this blog post help customers grasp the details of what it takes to provide secure, public connectivity to resources in the cloud.

We recognize that security is of paramount importance in the cloud especially when it comes to allowing users to access servers through the public internet. Our goal at CloudSwitch has always been to provide customers with a secure, simple way to leverage the cloud. Stay tuned for more exciting new enhancements as we continue to make it easier for customers to take advantage of the cloud.
