Ways to Connect Multi-cloud: Pros, Cons, and Diagrams

Almost all companies use more than one cloud service provider (CSP), which means that at some point, you’ll need to choose the best way to connect multi-cloud environments together for your use case. Some of the most common reasons for interconnecting multi-cloud include:

  • Data migrations
  • Disaster recovery
  • Data sovereignty 
  • Application development and testing

Common ways to connect multi-cloud to enable data transfers between virtual private clouds (VPCs) include:

  • IPsec VPN over the public internet
  • Managed VPN
  • Partner interconnect
  • Dedicated cloud connection
  • Cloud Router

In this blog, we’ll provide the pros and cons of each method to connect multi-cloud along with reference diagrams to help you choose the best one for your needs. 

IPsec VPN over the public internet

By connecting VPCs with IPsec VPN tunnels over the public internet, data passes back and forth from one cloud to another via public IP addresses.

Here’s a diagram of a VPN connecting AWS and Google Cloud:


Pros

VPNs are easy to implement: Cloud providers allow you to create a VPN connection from their console. All you have to do is create a route for ingress traffic, configure your VM to send and receive traffic, and test.

Cons

Network performance can be unpredictable: Data will be traversing the public internet, which is best-effort by nature. You’ll have to manage the routing or load balancing to avoid bandwidth throttling. For workloads that require more reliable application performance, you’ll likely need connections that are more stable and have higher bandwidth.

Security vulnerability: VPNs are more vulnerable to Border Gateway Protocol (BGP) hijacking than a dedicated connection on a private network.

Data transfer costs: You’re also likely subject to higher egress fees, though the leading cloud providers are starting to waive them under some circumstances.

Best For

Applications that are not mission- or business-critical: Examples of applications for which network performance can be best-effort include cloud storage and interoffice email and messaging.
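
The BGP hijacking exposure listed in the cons above exists because the tunnel endpoints are public IP addresses reached through internet routing. The following Python check is an added example, not part of the original post: it compares observed route announcements against the expected origin AS for each VPN endpoint. All prefixes, ASNs, endpoint addresses and announcements are constructed documentation values, and how the announcements are collected (for example from a route monitoring feed) is an assumption.

```python
import ipaddress

# Constructed baseline: covering prefix of each tunnel endpoint -> legitimate origin AS.
# Prefixes are RFC 5737 documentation ranges; ASNs are RFC 5398 documentation ASNs.
EXPECTED_ORIGINS = {
    "198.51.100.0/24": 64496,  # hypothetical range holding the cloud A VPN gateway
    "203.0.113.0/24": 64497,   # hypothetical range holding the cloud B VPN gateway
}
VPN_ENDPOINTS = ["198.51.100.10", "203.0.113.20"]

# Constructed route announcements as (prefix, AS path); the origin AS is the last hop.
OBSERVED = [
    ("198.51.100.0/24", [64500, 64496]),  # expected prefix and origin
    ("203.0.113.0/24", [64500, 64497]),   # expected prefix and origin
    ("203.0.113.0/25", [64501, 64511]),   # more-specific prefix, unknown origin
    ("198.51.100.0/24", [64502, 64510]),  # same prefix, different origin
    ("192.0.2.0/24", [64500, 64499]),     # covers no tunnel endpoint
]


def find_suspicious_routes(expected, endpoints, observed):
    """Return (endpoint, prefix, origin_as, reasons) for routes that deviate
    from the baseline and cover a VPN tunnel endpoint."""
    baseline = {ipaddress.ip_network(p): asn for p, asn in expected.items()}
    alerts = []
    for prefix, as_path in observed:
        net = ipaddress.ip_network(prefix)
        origin = as_path[-1]
        for ep in map(ipaddress.ip_address, endpoints):
            if ep not in net:
                continue
            match = [(n, a) for n, a in baseline.items() if ep in n]
            if not match:
                continue  # no baseline recorded for this endpoint
            exp_net, exp_origin = match[0]
            reasons = []
            if origin != exp_origin:
                reasons.append("origin-mismatch")
            if net.prefixlen > exp_net.prefixlen:
                # Longest-prefix match means this route wins over the legitimate one.
                reasons.append("more-specific")
            if reasons:
                alerts.append((str(ep), prefix, origin, reasons))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_routes(EXPECTED_ORIGINS, VPN_ENDPOINTS, OBSERVED):
        print(alert)
```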

Managed VPN

An alternative to a simple VPN connection is to use the managed VPN service of a cloud service provider. This option encrypts your traffic and lets you transfer data between private IP addresses. Each of the hyperscalers offers its own managed VPN service (e.g. AWS Site-to-Site VPN, Azure VPN Gateway, and Google HA VPN).

This video shows you how to configure a managed VPN from Google Cloud for high availability.


Pros

Improved security: A managed VPN adds encryption and uses private IPs.

Cons

Network performance can be unpredictable: Data moving through a managed VPN still goes over the public internet. For higher bandwidth use cases, you can deploy multiple VPN tunnels to improve throughput, but that means you’ll have to spend time managing them to make sure they don’t break.

Best For

Applications that deal with sensitive data: Examples include the cloud storage of patient records for a healthcare organization or historical employee data for a conglomerate.

Partner interconnect

A partner interconnect, also known as a hosted cloud connection, is a fast way to connect your multi-cloud infrastructure via a CSP’s private, direct connection service (e.g. AWS Direct Connect, Azure ExpressRoute, and Google Cloud Dedicated Interconnect).

A partner interconnect uses a virtual circuit to a port that is already connected to a CSP’s edge device. This port is shared, meaning that others might be using the circuit at the same time. 


Pros

Fast provisioning: A partner interconnect or hosted cloud connection can be provisioned virtually in less than ten minutes on a software-defined networking portal like PacketFabric’s.

Greater reliability: Unlike VPNs, a partner interconnect typically comes with Service Level Agreements (SLAs) when used with redundancy.

Stronger security: Connecting multi-cloud via a hybrid multi-cloud network design enables security teams to run their data security policies at their on-prem data centers.

Cons

Increased latency from backhauling traffic: Because the port is shared with other companies, a partner interconnect is best used for low-bandwidth (sub-10G) use cases. Increased latency may also be an issue as transferring data out of one cloud back to an on-prem data center and then out to a second cloud increases the distance data has to travel. This practice is called hairpinning or traffic backhauling.

Best For

Mission- or business-critical applications: Connecting multi-cloud with partner interconnects works well for applications where network performance and security are high priorities. Examples include the production environment of a banking app or connectivity to point-of-sale systems. 

Dedicated cloud connections

A dedicated cloud connection is a port provisioned exclusively for your use. Once provisioned, a cross connect must be installed between your dedicated port and a CSP’s edge device in a data center with a cloud on-ramp. The following diagram shows you how a dedicated cloud connection works on PacketFabric’s carrier-grade network.


Pros

Optimal network performance: A dedicated cloud connection is designed for network teams that have important cloud workloads that require optimal application performance all the time and therefore need high-bandwidth, dedicated connections.

Cons

Increased provisioning time: Provisioning of a dedicated cloud connection can take a couple of days because a cross connect has to be installed between a port and a CSP edge device within a data center with a cloud on-ramp. While installation time for a dedicated cloud connection is longer than setting up a VPN connection or a partner interconnect, it’s still typically much shorter than the weeks or months it might take a telco to install a private line.

More expensive: A dedicated cloud connection is also more costly than a partner interconnect because the port is exclusive and the cost of the cross connect must be factored in.

Best For

Mission- or business-critical applications with stringent security and compliance requirements: Examples include financial institutions, state and local government, or medical organizations.

Cloud Routers

Using Cloud Routers can be a way to connect multi-cloud environments together while reducing the number of cloud connections you need. Cloud Routers provide private connectivity at layer 2 and layer 3.

Here’s an example of PacketFabric Cloud Routers connecting four different CSPs in four different regions in a Layer 3 Virtual Connection Mesh.


Pros

No hardware: There’s no customer physical equipment involved because Cloud Router instances are virtual.

Lower latency: When partner interconnect or dedicated cloud connections are used to connect your cloud regions to a Cloud Router, the traffic is directed over a private and secure network instead of the best-effort public internet.

High bandwidth: High-capacity cloud routers like PacketFabric’s 100G Cloud Router can enable high-bandwidth data transfer between clouds, speeding up data migrations and optimizing network performance.

Cost-effective NAT functionality: Cloud Routers can also serve as Network Address Translation (NAT) devices, giving customers an alternative to cloud NAT gateways, a managed service that can be very expensive when transferring large amounts of data because the pricing is metered by bandwidth and time used.

Cons

Less control: Cloud Routers are mostly hands-off solutions for the customer. Some customers prefer to manage their own equipment, perhaps for compliance reasons. Some customers may want to backhaul traffic to on-premises infrastructure, where they can apply security policies.

Best For

Multi-cloud applications: Cloud Routers are best for application workloads running in different clouds that need to speak with each other.

Need help interconnecting multi-cloud?

With many companies using three or more cloud service providers and so many options for multi-cloud interconnection, multi-cloud network connectivity can get complex quickly. 

We’ve helped customers redesign their cloud networks to be more performant, cost-efficient, and easier to manage. If you’d like to talk to one of our sales engineers or get a product demo, don’t hesitate to reach out.