RightScale Blog


Amazon Launches Virtual Private Clouds

This evening Amazon launched a new service called Virtual Private Cloud. You can read the details on the product page and the AWS blog, plus a nice backgrounder on Werner Vogels' blog. The short story is that it allows anyone to spin up a private enclave within Amazon's infrastructure. VPC users can segregate their EC2 instances from others' and get a VPN connection from their own data center to their VPC, which then looks like a part of their internal network.

In 2006, when EC2 first launched, it was for lunatics (OK, I plead guilty). In 2007 startups began to notice and hop onto the bandwagon. Stories of really cool stuff happening in EC2 started to spread. But by and large it was still a limited environment and an early adopter product. In 2008 we saw more mature companies starting to adopt the cloud and utilize it where it made sense in their operations. Also, the first enterprise customers started to show up to learn about the cloud, try things out, and voice their concerns. Now that we're well into 2009 the enterprise interest has really picked up, and Amazon's new offering comes at the right time. It's targeted at addressing a number of the practical networking and security considerations that enterprises have to deal with throughout their IT infrastructure.

The best way I've found to describe a VPC is a data center on a stick: you launch your servers into a balloon within Amazon's infrastructure and you get a VPN link to tie them all back into your data center. Let's take this step by step and see how it works.

  • In your existing EC2 account you create a VPC that's the container for all your instances.
  • In that VPC you define one or multiple subnets (e.g. 10.34.1.0/24) chosen so they integrate into your enterprise-wide internal addressing structure.
  • You now set up your IPsec VPN device (preferably a major-brand router) and connect to a VPN endpoint you create within your VPC.
  • Finally, you launch your first VPC instance almost the same way as you would launch a public instance, the only difference being that you specify to which of your VPC subnets it should be attached.
  • You now have a server in your VPN that, with a small amount of router config, is indistinguishable from any of your other servers in your data center, except that you didn't have to buy it, rack it, or hook it up!
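As an added illustration of the subnet-planning step (this is not code from the post, from RightScale or from Amazon), here is a small Python check that a proposed set of VPC subnets fits inside the VPC block, does not overlap itself, and stays clear of the prefixes the enterprise already routes internally. The VPC block 10.34.0.0/16, the enterprise ranges and every subnet other than the post's 10.34.1.0/24 are constructed sample values.

```python
"""Address-plan check for a VPC that will be tied into an enterprise network over a VPN.

Added example, not RightScale's or Amazon's code. The enterprise ranges, the
VPC block and the extra subnets are constructed sample values; only
10.34.1.0/24 comes from the post.
"""
import ipaddress

# Constructed: prefixes the enterprise already routes internally.
ENTERPRISE_RANGES = ["10.0.0.0/12", "10.50.0.0/16", "192.168.0.0/16"]
# Constructed: the block the VPC is carved out of.
VPC_CIDR = "10.34.0.0/16"
# Proposed subnets. 10.34.1.0/24 is the post's example; the rest are constructed,
# and two of them are deliberately wrong so the checker has something to report.
PROPOSED_SUBNETS = ["10.34.1.0/24", "10.34.2.0/24", "10.34.1.128/25", "10.50.7.0/24"]


def check_plan(vpc_cidr, subnets, enterprise_ranges):
    """Return a list of problems; an empty list means the plan is consistent.

    Three properties are checked: every subnet lies inside the VPC block, no two
    subnets overlap, and neither the VPC block nor any subnet collides with a
    prefix the enterprise already uses. A collision makes routes over the VPN
    ambiguous (a packet for an internal host could be sent into the VPC, or the
    other way round), so it must be caught before the tunnel is brought up.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    used = [ipaddress.ip_network(e, strict=True) for e in enterprise_ranges]
    problems = []

    # 1. Every subnet must be carved out of the VPC block.
    for n in nets:
        if not n.subnet_of(vpc):
            problems.append(f"{n} is outside the VPC block {vpc}")

    # 2. Subnets inside the VPC must not overlap one another.
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")

    # 3. Nothing in the VPC may reuse address space the enterprise already routes.
    for e in used:
        if vpc.overlaps(e):
            problems.append(f"VPC block {vpc} collides with enterprise range {e}")
        for n in nets:
            if n.overlaps(e):
                problems.append(f"{n} collides with enterprise range {e}")

    return problems


if __name__ == "__main__":
    for p in check_plan(VPC_CIDR, PROPOSED_SUBNETS, ENTERPRISE_RANGES):
        print("problem:", p)
```

Run as-is it reports the subnet that falls outside the VPC block, the pair of subnets that overlap, and the subnet that collides with an enterprise prefix; with a clean plan the list is empty. `strict=True` also rejects a subnet whose host bits are set, which is the usual way a typo in a CIDR sneaks through.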

So what is a VPC really? It really is what it says: a virtual private cloud. One key ingredient here is that a VPC is a logical concept, not a physical one, meaning that the boundary around your instances in your VPC is at the network level - there is no separate room with your servers! What that means is that a VPC is truly a cloud with all the attributes we expect: virtually infinite, on-demand resource availability, pay-per-use pricing, etc. You're not forking out dollars to have someone build you a finite cloud-like data center that takes months to build and is charged up-front. I'm sure Amazon got requests to build private physical clouds in some large enterprise data centers and I'm glad they opted for the virtual cloud variant, the one that really is a cloud.

Instances in the VPC are separated from non-VPC instances at a deeper network level than instances in different security groups or belonging to different users. As is typical, Amazon doesn't say anything of substance about the nature of this isolation. Let's see how soon that will have to change to actually attract enterprises. Also, instances in the VPC can seamlessly integrate into a company's internal network routing. This is significant because it means that tools used to inventory, secure, audit, manage, and access all servers in the IT infrastructure can now be brought to bear on instances in the cloud as well.

What is really nice about the VPC is that everything works (almost) as usual. Launching instances is only slightly different from before in that one additional parameter specifies the subnet to launch the instance into. Almost everything else is unchanged, so all the goodness of RightScale will continue to work. Well, actually, there is one fly in the ointment in this initial release that the docs are quiet about: instances in a VPC have no external network connectivity whatsoever. All traffic into and out of the VPC has to go through the VPN, at the far end of which it may be routed to the Internet. This includes traffic to other AWS services, such as S3, SQS, and SimpleDB, and indeed any general Internet traffic. To me, that sounds like the number one limitation for Amazon to fix.
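To make the routing consequence concrete, here is an added example (not from the post, RightScale or Amazon) that does a longest-prefix lookup over the route table a VPC instance effectively has in this release: a local entry for the VPC block, an entry for the enterprise network, and a default route into the VPN with no direct path to the Internet. The table, the VPC block 10.34.0.0/16 and the sample destinations are constructed; 203.0.113.10 is a documentation address standing in for any public endpoint such as S3.

```python
"""Where a VPC instance's packets go in the initial VPC release.

Added example, not RightScale's or Amazon's code. The route table below is
constructed from the post's description (VPC subnets reachable locally,
everything else through the VPN); the addresses are sample values, with
10.34.1.0/24 being the post's subnet and 203.0.113.10 a documentation
address standing in for any public service.
"""
import ipaddress

# Constructed route table. There is deliberately no entry that sends traffic
# straight to the Internet; the default route points at the VPN attachment.
VPC_ROUTES = [
    ("10.34.0.0/16", "local"),              # other instances in the VPC
    ("10.0.0.0/8", "vpn-to-datacenter"),    # the enterprise network, over the tunnel
    ("0.0.0.0/0", "vpn-to-datacenter"),     # everything else, S3/SQS/SimpleDB included
]


def lookup(dest, routes=VPC_ROUTES):
    """Longest-prefix match: return (matched_cidr, target) or None if nothing matches."""
    addr = ipaddress.ip_address(dest)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cidr, target)
    return None if best is None else (best[1], best[2])


def path_for(dest, routes=VPC_ROUTES):
    """Describe the path a packet takes from an instance in the VPC."""
    match = lookup(dest, routes)
    if match is None:
        return "unreachable"
    cidr, target = match
    if target == "local":
        return "direct"
    if cidr == "0.0.0.0/0":
        # Only the default route matched: the destination is outside both the VPC
        # and the enterprise network, so the packet hairpins through the data center.
        return "tunnel, then out through the data center's Internet connection"
    return "tunnel"


def hairpin_destinations(dests, routes=VPC_ROUTES):
    """Return the destinations that can only be reached by trombone-routing
    through the data center, i.e. those that fall on the default route."""
    return [d for d in dests if lookup(d, routes) == ("0.0.0.0/0", "vpn-to-datacenter")]


if __name__ == "__main__":
    # Constructed sample destinations: a VPC neighbour, an internal server, a public host.
    for dest in ["10.34.1.17", "10.2.3.4", "203.0.113.10"]:
        print(dest, "->", path_for(dest))
```

The point of the exercise is the last line of output: a packet for a public address, which would include any AWS service endpoint, leaves the VPC through the tunnel and only reaches the Internet via the data center's own connection, so the VPN link carries all of that traffic in both directions.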

Last but not least, the killer feature in my opinion is the price: it's virtually free. The only extra cost of having a VPC over using standard EC2 instances is the VPN charge, which is five cents an hour, a charge that doesn't even register with most folks who need a VPC (the charge is per VPN, so in principle it can add up a little if you have 20 datacenters each with a VPN to your VPC, but it's still peanuts).

Mark your history books: 2009, the year that the cloud became enterprise-ready. I believe this is the most compelling feature/service AWS could have added at this stage of the cloud market from an enterprise point of view. While we're busy finishing the support for VPCs in the RightScale enterprise edition, don't hesitate to give us a call to find out more about our early experience program for RightScale VPC management.

Comments

Daniel, good question. I haven't heard anything in this respect and I would assume 'no', but I'm sure a forum post can resolve that.
Do you know if EC2 instances running as part of a VPC support multicast traffic?
Carson, due to NDA issues I can't say more about the network isolation, but the truth is that I actually don't have much more information. The isolation is better in that arbitrary regular instances can address each other and routes to each other exist and isolation is really governed by the security groups, which is a layer 3 firewall type of thing. Instances in different VPCs can't address each other and there are no routes. Your statement that this isn't going to be enough is both true and false. You have to remember that it's a spectrum. With the VPC a whole lot more become eligible to move to the cloud, so to speak. Will everything move to the cloud? No. Read Werner's blog, he doesn't expect 100% conversion either (well, I'm sure he's targeting it down the road). One thing we don't know is what he's saying about the engineering and processes being applied to their infrastructure when he is talking to "a large financial services company in the Northeast". In our public musings we may be underestimating the percentage of the workload that can be moved because we don't have the full picture.
Can you say more about how or what you learned about the network separation? In technical terms is it something like them creating a VLAN for you? The phrase you use is a little confusing, I believe you are talking about separation at just the network level right? I don't think this is going to be enough to move people who currently have a true security concern into the cloud. Ultimately it may be impossible without physical machine separation. There will always be questions about leaking information between virtual machine instances through hypervisor bugs. It seems reasonable that for more cost this could be the next step for Amazon.
[...] Crandell, CEO of Rightscale, which provides cloud management software, tried to explain a bit more what Amazon is trying to do with the Virtual Private Cloud, which, by the way, costs an extra 5 [...]
[...] Creating a VPC through the Amazon interface. (Rightscale promises support soon) [...]
[...] For more details on Amazon Virtual Private Cloud, visit the Amazon VPC detail page and the posting on the AWS developer weblog. For how our partners view Amazon VPC see for example the posting at RightScale [...]
