Cloud bridges, gateways and brokers for external cloud deployment
- 30 October, 2012 17:52
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.
Originally used as an inexpensive alternative to quickly deploy services outside the realm of IT, cloud computing is quickly becoming a de facto standard for new application resources. The challenge is how to manage those resources transparently. The cloud should be an extension of the internal data center, and cloud bridges, gateways and brokers are all components that IT should focus on for connecting to their external cloud deployment.
But there are challenges to integrating bridges, gateways and brokers to any production cloud deployment. First, the market is still shaking out what each of these product categories do and what they're called. Second is where they fit in the infrastructure, and then third and possibly most important, who owns these technologies and who ultimately is responsible for their success.
If addressed early and architected correctly, however, cloud bridges, gateways and brokers can add value to the cloud.
* Cloud bridges: Cloud bridges are a critical means of interconnecting clouds with the data center. Cloud bridges take their name from traditional networking solutions that "bridge" disparate networks, enabling transparent connectivity between endpoints despite being separated by multiple networks, switches or even physical location. Intra-data center bridging is enabled via network elements such as switches while intra-environment bridging is accomplished via routing, often over a secured tunnel such as IPsec or SSL.
Cloud bridges enable similar connectivity between the data center and a cloud environment, extending transparent network access to cloud-deployed resources by normalizing network access between the two environments. Cloud bridges form the basis for higher-order integration between clouds and are a critical component for operations to consistently enable control over and provide access to remote resources.
* Cloud brokers: Cloud brokers -- in the architectural realm -- are solutions that enable integration of processes at the application layer with infrastructure controlled by IT on-premise. Cloud brokers enable IT to leverage systems within the data center for purposes of identity and access management as well as deployment of resources in off-premise, cloud computing environments.
Cloud brokers are architectural and based on the existence of data center-hosted infrastructure capable of intermediating process-flow across disparate environments and for all types of clouds, e.g., IaaS, PaaS and SaaS. For example, a cloud identity broker would coordinate with a SaaS cloud environment to enable a login process that is brokered through some system over which IT has complete control.
Such a system enables credential verification and authorization to the remote resource, in this case the SaaS application, and shares with the SaaS some means of asserting a user's valid, authorized access to the application. Early implementations leverage SAML (Security Assertion Markup Language) and application tokens have also been used to accomplish the same functionality when integrating custom applications deployed in IaaS environments.
The use of cloud brokers to mediate identity and access control functions resolves a serious question raised by the separate, physical deployment of applications, mainly: How does the application take advantage of existing identity stores? The alternative to a cloud broker to perform this integration is the replication of corporate identity stores into the cloud environments in which the applications are deployed, when possible.
Obviously this is not an option for managing SaaS applications, and yet control over authentication and authorization is desired for all corporate applications. Cloud brokers enable that control without inviting potential security risks by replicating identity stores or accepting as status quo the identity management systems used by SaaS applications.
Other forms of cloud brokers take on the responsibility of assisting in the deployment of application resources during scalability events, such as cloud bursting. The broker is deployed on-premise, in the data center, and is responsible for matching the performance, security and cost requirements of an application with the appropriate environment. The requirement to properly match requirements with environments is critical to the successful implementation of a more self-service style IT, as business and development users are not always aware of the implications of regulations and compliance requirements on a resource's location.
By integrating a cloud broker into the provisioning process, organizations enable self-service but do so without compromising on security or performance requirements so critical to both business and operational success.
* Cloud gateways: Cloud gateways are the most complex of the cloud integration solutions. These solutions often rely on cloud bridging functionality and provide many of the collaborative features associated with cloud brokers as well as integrating more seamlessly with IaaS environments through API mediation.
Cloud gateways, like most network gateway solutions of the past, act as a transition point between two environments. In the case of cloud this is generally the data center and an off-premise cloud computing environment. The gateway normalizes deployment of and control over cloud-deployed resources, leveraging the appropriate provider API or framework to do so. In this way, policies governing access to and provisioning of resources can be applied at a singular point of control in the data center, i.e., at the cloud gateway, ensuring the consistency of operational policy required to meet performance, security and availability demands.
In a hybrid cloud model, for example, with no network or direct resource integration (via a cloud bridge), a cloud gateway would enable elasticity (cloud bursting) by provisioning and de-provisioning resources through the appropriate, integrated cloud API. The cloud gateway provides more than simple control over compute resources, however, and provisioning policies might be used to ensure the appropriate network and storage resources are also appropriately adjusting according to demand, using the same integrated cloud API.
The cloud gateway further integrates into the data center by providing its own API through which data center orchestration systems and custom self-service IT applications can manage resources and applications deployed in remote cloud environments.
The future is undeniably hybrid, whether between data center and cloud or between public clouds in a federated model of integration. But even when all applications and services might be hosted in a hyper-hybrid model, there still exists the need to access and control those resources from within the data center. A completely decentralized operational model in which end users have direct control over resources, after all, is incompatible with compliance and security.
Thus, some form of infrastructure will be required on-premise to manage and control remote applications, resources and services. That infrastructure will require integration, which will be achieved via cloud bridges, brokers and gateways.