
Cloud Migration Part 2 - Infrastructure Configuration

At this point in your cloud migration, your team has completed the planning phase and has defined how its governance policies will be implemented. The next step is for your team to begin architecting the infrastructure configuration.


No matter what your migration approach is, you will require some amount of initial cloud infrastructure to support the resources that you plan on deploying. This can be broken down into a few different phases: networking, connection, security, and authentication.


Starting with networking: unless you plan to use only publicly accessible cloud services (not recommended), you will need virtual networking in the cloud to support your environment. Your team should start by taking inventory of your current network environment. What is your current IP space? What is your subnetting strategy? How does your network routing work? How could you extend these existing strategies to the cloud? Virtual networking in the cloud works much like on-prem networking, so it should not be difficult to keep your existing networking strategy in place.
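The inventory questions above (current IP space, subnetting strategy, how to extend them) are the kind of thing worth checking mechanically before the first virtual network is created, because an overlapping range is painful to fix after workloads are deployed. The following is an added example, not code from the original post: a small address-plan check, written with Python's standard `ipaddress` module, that rejects any cloud network range overlapping the existing on-prem ranges and then carves per-tier subnets out of the chosen range in the same tiered style used on-prem. The on-prem ranges, candidate cloud ranges and tier names are constructed sample values.

```python
"""Address-plan check for extending an on-prem IP scheme into a cloud virtual network.

Added example; the ranges below are constructed sample values, not from the post.
"""
import ipaddress
from typing import Dict, List


def overlaps_existing(candidate: str, existing: List[str]) -> List[str]:
    """Return the existing ranges that overlap the candidate cloud CIDR.

    An empty list means the candidate is safe to use alongside the on-prem space
    (important once VPN or direct-connect routing joins the two networks).
    """
    cand = ipaddress.ip_network(candidate, strict=True)
    return [r for r in existing if ipaddress.ip_network(r, strict=True).overlaps(cand)]


def pick_cloud_cidr(candidates: List[str], existing: List[str]) -> str:
    """Pick the first candidate range that does not collide with any existing range."""
    for cidr in candidates:
        if not overlaps_existing(cidr, existing):
            return cidr
    raise ValueError("no candidate range is free of overlap with the existing IP space")


def carve_subnets(vnet_cidr: str, tiers: Dict[str, int]) -> Dict[str, str]:
    """Carve one subnet per tier out of the virtual network range.

    `tiers` maps a tier name to the prefix length it needs. Larger subnets are
    allocated first so that small ones never fragment the space; the remaining
    free blocks are kept sorted so allocations stay contiguous and predictable.
    """
    pool = [ipaddress.ip_network(vnet_cidr, strict=True)]
    allocated: Dict[str, str] = {}
    for name, prefix in sorted(tiers.items(), key=lambda kv: kv[1]):
        for i, block in enumerate(pool):
            if block.prefixlen <= prefix:
                subnet = next(block.subnets(new_prefix=prefix))
                allocated[name] = str(subnet)
                # Replace the block with whatever is left after removing the subnet.
                pool.pop(i)
                pool.extend(block.address_exclude(subnet))
                pool.sort()
                break
        else:
            raise ValueError(f"no free block large enough for {name} (/{prefix})")
    return allocated


if __name__ == "__main__":
    # Constructed sample inventory of an on-prem environment.
    onprem = ["10.0.0.0/16", "10.1.0.0/16", "192.168.0.0/24"]
    chosen = pick_cloud_cidr(["10.0.0.0/16", "10.2.0.0/16"], onprem)
    print("cloud network:", chosen)
    for tier, cidr in carve_subnets(chosen, {"web": 24, "app": 24, "db": 24, "gateway": 27}).items():
        print(f"  {tier:8} {cidr}")
```

Running the block prints the non-overlapping range it selected and the four tier subnets; feeding it your real on-prem inventory is the point, since the overlap check is what protects the routing you add later in the connectivity step.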


How will your existing IT environment connect to your cloud environment? How will your users connect to your cloud resources? The answers depend on your migration strategy. Do you intend to run a hybrid environment, keeping some on-premises presence, or will you be going cloud only? If you have a hybrid environment, you could connect your existing environment to the cloud using the cloud provider's default VPN service, a direct connection from your datacenter or office (the product name varies by cloud provider), or VPNs built between your existing firewall(s) and firewall(s) you deploy in the cloud. If you run a cloud-only environment, you could restrict access to cloud services to specific IP ranges, but you will likely still have to create some form of network connectivity. For your users, assuming you have an office with corporate networking, you will have to build connectivity from that network to your cloud environment. In a hybrid environment, the network connectivity methods above extend easily to your user base. In a cloud-only environment, you will have to decide whether users connect to resources over the public internet while you lock those resources down to specific IP ranges, or whether you create some form of network connectivity that gives you more control over the traffic reaching your resources.


Security could have its own blog (and might later), but I will focus specifically on infrastructure-related security here. The first question you should ask is: what are your current security policies, and do you want to extend them to the cloud? Generally the answer is yes, but mirroring exactly what you do on-prem often prevents your company from getting the full value the cloud offers. An example is blocking outbound internet access for cloud resources: this might be fine in some situations, but as you move away from IaaS and deeper into hybrid and PaaS services, it will limit the features you can use with those resources. The cloud offers various ways to secure your infrastructure, including services native to the cloud that limit access to resources using ACLs, routing controls, WAFs, and more. If you have existing firewalls and want to extend the protection they give you to the cloud, all major firewalls are offered in cloud marketplaces. While configuring these resources works a little differently than it does on-prem, you will easily be able to replicate your existing security policies in the cloud if that is what you want.
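Two decisions from the connectivity and security sections above lend themselves to a policy-as-code check: locking resources down to specific IP ranges, and deciding how far to restrict outbound internet access once PaaS services need egress. The following is an added example, not code from the original post or from any cloud provider's tooling: a linter over a generic list of security-group style rules that flags administrative ports opened to untrusted ranges and outbound rules that fall outside an explicit egress allowlist. The rule model, trusted ranges and allowlist prefixes are constructed sample values; the `203.0.113.0/24` prefix is a documentation range standing in for whatever endpoints your managed services actually need.

```python
"""Policy check for cloud network ACL / security-group rules.

Added example; the rule format and the sample ranges are constructed, not a
provider's real API or the post's own configuration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound"
    proto: str       # "tcp", "udp" or "any"
    port_from: int
    port_to: int
    cidr: str        # remote prefix the rule applies to
    action: str = "allow"


# Administrative ports that must only be reachable from trusted ranges.
ADMIN_PORTS = (22, 3389)

# Constructed: corporate / on-prem ranges that may reach admin ports and that
# egress may always go to (the hybrid connectivity described in the post).
TRUSTED_RANGES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/24")]

# Constructed: outbound destinations that managed (PaaS) services require, so
# egress can be allowed narrowly instead of blocking the internet outright.
PAAS_EGRESS_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]


def _within(cidr: str, ranges) -> bool:
    """True if the whole prefix is contained in one of the given ranges."""
    net = ipaddress.ip_network(cidr, strict=True)
    return any(net.version == r.version and net.subnet_of(r) for r in ranges)


def _covers_port(rule: Rule, port: int) -> bool:
    return rule.port_from <= port <= rule.port_to


def check_rules(rules: List[Rule]) -> List[str]:
    """Return one finding per policy violation; an empty list means the rule set passes."""
    findings: List[str] = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.direction == "inbound":
            # Lock-down check: admin ports reachable only from trusted ranges.
            if r.proto in ("tcp", "any") and not _within(r.cidr, TRUSTED_RANGES):
                for port in ADMIN_PORTS:
                    if _covers_port(r, port):
                        findings.append(f"inbound {r.proto}/{port} allowed from untrusted {r.cidr}")
        elif r.direction == "outbound":
            # Egress check: allow corporate ranges and the PaaS allowlist, nothing broader.
            if not (_within(r.cidr, TRUSTED_RANGES) or _within(r.cidr, PAAS_EGRESS_ALLOWLIST)):
                findings.append(
                    f"outbound {r.proto} {r.port_from}-{r.port_to} to {r.cidr} is outside the egress allowlist"
                )
        else:
            findings.append(f"rule has unknown direction {r.direction!r}")
    return findings


# Constructed sample rule set mixing compliant and non-compliant entries.
SAMPLE_RULES = [
    Rule("inbound", "tcp", 22, 22, "0.0.0.0/0"),          # SSH open to the world: flagged
    Rule("inbound", "tcp", 22, 22, "10.0.0.0/8"),         # SSH from corporate range: fine
    Rule("inbound", "tcp", 443, 443, "0.0.0.0/0"),        # public HTTPS service: fine here
    Rule("outbound", "tcp", 443, 443, "203.0.113.0/24"),  # PaaS endpoint on allowlist: fine
    Rule("outbound", "any", 0, 65535, "0.0.0.0/0"),       # unrestricted egress: flagged
]

if __name__ == "__main__":
    for finding in check_rules(SAMPLE_RULES):
        print("FINDING:", finding)
```

The two findings the sample produces mirror the post's two trade-offs: an inbound rule that ignores the IP-range lock-down, and an outbound rule that grants more than the managed services need. Tightening `PAAS_EGRESS_ALLOWLIST` to the prefixes your services actually use is how you avoid the blanket outbound block the post warns against while still keeping egress under control.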


People don't often relate authentication to infrastructure, but when it comes to the cloud it is certainly related. Cloud providers offer cloud-specific domain services that are managed by the provider and don't require you to run any infrastructure. However, most companies have existing domain services that they would like to extend to the cloud, and sometimes infrastructure-based domain services are required for proper authentication to certain resources. For example, some IaaS services do not support cloud-managed domain services for authentication, whereas PaaS services do. On the other hand, the cloud provider's own identity services can let your users authenticate to any of the cloud services you adopt. At the end of the day, it comes down to which strategy your company prefers and how much infrastructure management your team can handle.
