Creating your virtual Data Center


One of my first projects as a system administrator at Ariadnex was for the Government of Extremadura, where I managed virtual machines, datastores and virtual networks in virtual data centers. Therefore, I learnt a lot about virtual infrastructures under XenServer and VMware. However, today, virtual data centers are moving from on-premise to the cloud, whether Public Cloud, Private Cloud or Hybrid Cloud, where you can even pay-as-you-go (PAYG). For instance, we can deploy our data center into the major cloud providers such as Microsoft Azure, Google Cloud Platform or Amazon Cloud “easily” and pay as we use.

Lately, I’m reading, learning and working with AWS Cloud, where I’ve created a virtual data center with firewalls, Elastic Load Balancer, WAF, EC2 instances, etc., and there are a lot of things to take into account to deploy a virtual data center into Amazon Cloud. For instance, the VLAN and ARP protocols don’t exist in AWS Cloud. Instead, VPC (Virtual Private Cloud) is used to isolate traffic, and inside a VPC we create subnets in Availability Zones. What’s more, /24 subnets have 251 addresses available instead of 254, because AWS reserves three IP addresses for internal routing.

Choosing IP address ranges for your subnets

Routing is another mess in AWS if we are used to traditional routing. A VPC comes with a default route table, but we can assign different route tables to different subnets, each containing rules for which packets go where. In addition, there are Internet Gateways, where packets are sent if we want them to reach the Internet. On the other hand, we can deploy NAT instances in a public VPC subnet to enable outbound Internet traffic from instances in a private subnet. By default, private VPC subnets are routable only internally, while public subnets reach the Internet through an Internet Gateway.

NAT access to Internet

Security is important too when we are creating a virtual data center. There are two kinds of firewalls in AWS. The deprecated one is a stateless firewall, where we create Network ACLs to allow or deny ports and IP addresses. The other, the traditional one, is a stateful firewall, where we create Security Groups to allow or deny traffic to instances. For example, the Security Group “MyWebServers” allows all traffic from the Internet, and the Security Group “MyBackends” allows only traffic from “MyWebServers”. Moreover, dedicated cloud firewall AMIs such as FortiGate, Palo Alto and Check Point can be deployed from the AWS Marketplace; these offer many additional and important security functions, like IDS/IPS.

Security Groups = Stateful Firewall
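The two-tier Security Group pattern described above, written as Terraform for the hashicorp/aws provider. This is an added example, not configuration from the original post: the VPC CIDR and ports are constructed values, and the front tier is narrowed to HTTPS rather than “all traffic” as a least-privilege refinement of the rule in the post.

```hcl
# Added example (not from the original post). Assumes the hashicorp/aws
# Terraform provider; the CIDR block and port numbers are constructed.
resource "aws_vpc" "dc" {
  cidr_block = "10.0.0.0/16"
}

# Front tier: reachable from the Internet, narrowed to HTTPS only.
resource "aws_security_group" "my_web_servers" {
  name   = "MyWebServers"
  vpc_id = aws_vpc.dc.id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Security Groups are stateful: replies to allowed connections are
  # accepted automatically, so no explicit return-traffic rule is needed
  # (unlike a stateless Network ACL, which would need ephemeral-port rules).
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Back tier: only instances carrying MyWebServers may connect, and only on
# the application port. No CIDR is listed, so a source's IP address is
# irrelevant; membership in the referenced group is what AWS checks.
resource "aws_security_group" "my_backends" {
  name   = "MyBackends"
  vpc_id = aws_vpc.dc.id

  ingress {
    from_port       = 8080
    to_port         = 8080
    protocol        = "tcp"
    security_groups = [aws_security_group.my_web_servers.id]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Because MyBackends references a group rather than an address range, a web instance keeps its access when it is replaced or its private IP changes, and an instance that is not in MyWebServers cannot reach port 8080 even from inside the VPC.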

Each organization will have its own requirements, so we’ll have to design the virtual data center accordingly. For instance, if we have several VPCs and we want to exchange information between them, we should configure VPC peering; and if we have to connect our on-premise data center to AWS, we can use Virtual Private Networks (VPN), AWS Direct Connect or both. Route 53 is another interesting AWS service, for DNS resolution, and VPC Flow Logs are useful for visibility and troubleshooting. As you can see, there are many infrastructure services in AWS, and we’ll have to choose the right ones to deploy a reliable and cost-effective virtual data center.

AWS Direct Connect
 
I think this is just the beginning of real cloud computing, where you deploy services around the world and pay as you go. They, I mean Amazon, Google and Microsoft, are changing the paradigm of systems, networks and storage, and we should pay attention to this amazing world.

What do you think about the future of Cloud Computing?
