This evening Amazon launched a new service called Virtual Private Cloud. You can read the details on the product page and the AWS blog, plus a nice backgrounder on Werner Vogel's blog. The short story is that it allows anyone to spin up a private enclave within Amazon's infrastructure. VPC users can segregate their EC2 instances from others' and get a VPN connection from their own data center to their VPC, which then looks like a part of their internal network.
In 2006, when EC2 first launched, it was for lunatics (OK, I plead guilty). In 2007 startups began to notice and hop onto the bandwagon. Stories of really cool stuff happening in EC2 started to spread. But by and large it was still a limited environment and an early adopter product. In 2008 we saw more mature companies starting to adopt the cloud and utilize it where it made sense in their operations. Also, the first enterprise customers started to show up to learn about the cloud, try things out, and voice their concerns. Now that we're well into 2009 the enterprise interest has really picked up, and Amazon's new offering comes at the right time. It's targeted at addressing a number of the practical networking and security considerations that enterprises have to deal with throughout their IT infrastructure.
The best way I've found to describe a VPC is a data center on a stick: you launch your servers into a balloon within Amazon's infrastructure and you get a VPN link to tie them all back into your data center. Let's take this step by step and see how it works.
- In your existing EC2 account you create a VPC that's the container for all your instances.
- In that VPC you define one or multiple subnets (e.g. 10.34.1.0/24) chosen so they integrate into your enterprise-wide internal addressing structure.
- You now set up your IPsec VPN device (preferably a major-brand router) and connect to a VPN endpoint you create within your VPC.
- Finally, you launch your first VPC instance almost the same way as you would launch a public instance, the only difference being that you specify to which of your VPC subnets it should be attached.
- You now have a server in your VPC that, with a small amount of router config, is indistinguishable from any of your other servers in your data center, except that you didn't have to buy it, rack it, or hook it up!
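As an added illustration of the subnet-planning step above (this is example code, not from the post, Amazon, or RightScale), here is a check that a chosen VPC block and its subnets actually fit the "integrate into your enterprise-wide addressing" requirement: every subnet sits inside the VPC block, subnets don't overlap each other, and the VPC block doesn't collide with the data-center ranges the VPN will route. The function name and all CIDRs are constructed examples.

```python
import ipaddress


def _net(cidr, problems):
    """Parse a CIDR strictly; host bits set (e.g. 10.34.1.5/24) is reported, not silently fixed."""
    try:
        return ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        problems.append(f"bad CIDR {cidr!r}: {exc}")
        return None


def plan_vpc_subnets(vpc_cidr, subnet_cidrs, on_prem_cidrs):
    """Return a list of problems with an IPv4 VPC addressing plan; an empty list means it is clean."""
    problems = []
    vpc = _net(vpc_cidr, problems)
    subnets = [n for n in (_net(c, problems) for c in subnet_cidrs) if n]
    on_prem = [n for n in (_net(c, problems) for c in on_prem_cidrs) if n]
    if vpc is None:
        return problems
    # A VPC that joins internal routing over the VPN should live in private address space.
    if not vpc.is_private:
        problems.append(f"VPC block {vpc} is not RFC 1918 private space")
    # The whole VPC block is advertised across the VPN, so it must not shadow an on-prem range.
    for p in on_prem:
        if vpc.overlaps(p):
            problems.append(f"VPC block {vpc} collides with on-prem range {p}")
    # Each subnet must be carved out of the VPC block.
    for s in subnets:
        if not s.subnet_of(vpc):
            problems.append(f"subnet {s} lies outside the VPC block {vpc}")
    # Subnets inside the VPC must not overlap one another.
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnets {a} and {b} overlap")
    return problems


if __name__ == "__main__":
    # Constructed example: a /16 for the VPC, two /24 subnets, two existing data-center ranges.
    for issue in plan_vpc_subnets("10.34.0.0/16",
                                  ["10.34.1.0/24", "10.34.2.0/24"],
                                  ["10.0.0.0/16", "192.168.0.0/16"]) or ["plan is clean"]:
        print(issue)
```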
So what is a VPC really? It really is what it says: a virtual private cloud. One key ingredient here is that a VPC is a logical concept, not a physical one, meaning that the boundary around your instances in your VPC is at the network level - there is no separate room with your servers! What that means is that a VPC is truly a cloud with all the attributes we expect: virtually infinite, on-demand resource availability, pay-per-use pricing, etc. You're not forking out dollars to have someone build you a finite cloud-like data center that takes months to build and is charged up-front. I'm sure Amazon got requests to build private physical clouds in some large enterprise data centers and I'm glad they opted for the virtual cloud variant, the one that really is a cloud.
Instances in the VPC are separated from non-VPC instances at a deeper network level than instances in different security groups or belonging to different users. As is typical, Amazon doesn't say anything of substance about the nature of this isolation. Let's see how soon that will have to change to actually attract enterprises. Also, instances in the VPC can seamlessly integrate into a company's internal network routing. This is significant because it means that tools used to inventory, secure, audit, manage, and access all servers in the IT infrastructure can now be brought to bear on instances in the cloud as well.
What is really nice about the VPC is that everything works (almost) as usual. Launching instances is only slightly different from before in that one additional parameter specifies the subnet to launch the instance into. Most everything else is unchanged. So all the goodness of RightScale will continue to work. Well, actually, there is one fly in the ointment in this initial release that the docs are quiet about, which is that instances in a VPC have no external network connectivity whatsoever. All traffic into and out of the VPC has to go through the VPN, at the far end of which it may be routed to the Internet. This includes traffic to other AWS services, such as S3, SQS, SimpleDB, and indeed any general Internet traffic. Sounds like the number one priority limitation to fix from Amazon's point of view to me.
Last but not least, the killer feature in my opinion is the price: it's virtually free. The only extra cost of having a VPC over using standard EC2 instances is the VPN charge, which is five cents an hour, a charge that doesn't even register with most folks who need a VPC (the charge is per VPN, so in principle it can add up a little if you have 20 datacenters each with a VPN to your VPC, but it's still peanuts).
Mark your history books: 2009, the year that the cloud became enterprise-ready. I believe this is the most compelling feature/service AWS could have added at this stage of the cloud market from an enterprise point of view. While we're busy finishing the support for VPCs in the RightScale enterprise edition, don't hesitate to give us a call to find out more about our early experience program for RightScale VPC management.