Most public clouds offer virtual networking features – VLANs, VPNs, and endpoint connectivity. But you’re limited in how many endpoints, networks and regions/zones you can connect. Today we’ll focus on transitive routing and how to enable it in the cloud.
AWS VPC Peering Limitations
In Amazon AWS, you can peer virtual private clouds (VPCs), with some limits. As in most networks, you cannot peer VPCs with matching or overlapping CIDR blocks, and peering VPCs does limit connection bandwidth.
Amazon recommends that users create more complex setups to work around cloud network limitations: adding more Amazon EC2 VPN instances, creating dedicated transit VPCs, and building more interwoven connections between VPCs and regions.
Azure VLAN Network Limitations
Microsoft Azure has a similar concept, Virtual Networks (VNETs). Azure networking does let you connect VNETs in any region and of any type (ARM vs. ASM), but a VNET itself is still limited to a single region. Before the updated Azure Resource Manager, Azure Service Management (ASM) users had to export their network configurations, then import them back into Azure; additionally, users could not automatically assign a Virtual IP (VIP) to the VPN gateway.
Similarly, Microsoft Azure recommends that customers add individual connections between VNETs. An explicit, direct point-to-point connection between each pair of VNETs is the only way to do “transitive routing.” Using Azure’s recommended “daisy chain” routing also creates potential issues: if an intermediate VPN connection fails, it breaks the chain and makes some VNETs unreachable.
Connect more flexibly with VNS3 across cloud regions, zones, and providers
VNS3 can help you solve network flexibility issues without compromising your connectivity.
Using the VNS3 virtual machine networking device in your VPCs, you can create a redundant, peered mesh linking your networks into one secure, logical network. VNS3 allows you to create meshed networks throughout a cloud, multiple cloud regions, or even cloud providers.
How it works: TLS VPNs and overlay networks
VNS3 is a software-only network security appliance that lets you own, configure, and manage any network. It is different from other networking products because it creates a customer-controlled network on top of underlying cloud networks. You have ultimate control over end-to-end IPsec encryption, encryption keys, IP addressing and network topology.
VNS3 acts as a virtual switch – providing the overlay connectivity to each of the compute hosts and switching traffic between hosts. The compute hosts are configured to talk to the VNS3 Controller as “client servers” and they see the VNS3 Controller as the next logical hop in their topology.
When you configure a cloud instance in the VNS3 topology, a secondary interface is layered over the existing native interface, and routes all overlay network traffic through the sealed overlay network.
When two or more VNS3 Controllers are peered, they exchange a given topology’s routing information and share client server credentials and connectivity details. Any connected client server can connect to any of the VNS3 Controllers in the topology, and in turn any Controller will still be able to reach the client(s), regardless of cloud provider, region, or underlying network.
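To make the difference between the daisy-chain topology criticised above and a peered mesh of controllers concrete, here is an added example (not code from the original post or from VNS3) that models networks as nodes joined by VPN links, computes transitive reachability, and lists the links whose single failure partitions the topology. Node names such as `vnet-a` are constructed sample values.

```python
from collections import deque
from itertools import combinations


def reachable(links, start, failed=frozenset()):
    """Return the set of nodes transitively reachable from `start` over
    bidirectional `links`, skipping any link listed in `failed`."""
    adj = {}
    for a, b in links:
        if frozenset((a, b)) in failed:
            continue  # this VPN link is down, traffic cannot cross it
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def daisy_chain(nodes):
    """Each network is linked only to the next one (Azure-style chain)."""
    return [(nodes[i], nodes[i + 1]) for i in range(len(nodes) - 1)]


def full_mesh(nodes):
    """Every network is linked to every other (peered controller mesh)."""
    return list(combinations(nodes, 2))


def single_points_of_failure(links, nodes):
    """Links whose loss leaves at least one node unable to reach all others."""
    spof = []
    for a, b in links:
        down = frozenset([frozenset((a, b))])
        if any(reachable(links, n, down) != set(nodes) for n in nodes):
            spof.append((a, b))
    return spof


if __name__ == "__main__":
    vnets = ["vnet-a", "vnet-b", "vnet-c", "vnet-d"]  # constructed sample
    print("chain SPOFs:", single_points_of_failure(daisy_chain(vnets), vnets))
    print("mesh SPOFs:", single_points_of_failure(full_mesh(vnets), vnets))
```

In the chain every link is a single point of failure; in the full mesh none is, which is the property the peered-controller design relies on.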
Security: end-to-end encryption
VNS3 uses IPsec, Transport Layer Security (TLS), and Secure Sockets Layer (SSL) cryptographic protocols to secure network traffic to and from the cloud. This means all traffic is private, authenticated and encrypted. VNS3 is a vital addition to cloud security because users can verify there has not been any eavesdropping in transit.
By: Margaret Valtierra