
An Application-Layer Approach To Multi-Cloud Network Fabrics

Kurt Marko

This post was originally published on the Packet Pushers’ Ignition site on September 21, 2021.

It sounds trite to say that enterprise IT environments are multi-cloud, but the extent of cloud heterogeneity might shock those not paying attention. A recent survey found that 44 percent of organizations had more than half of their workloads deployed in a public cloud and 84 percent used more than one cloud provider. That’s about 37 percent of organizations with most of their workloads in a multi-(public) cloud environment. Whether it’s to access a unique or superior application (SaaS) or service (IaaS), improve business continuity, avoid lock-in to a single provider, or just the result of a business acquisition or rogue IT, there are both good and bad reasons for a multi-cloud architecture.

Regardless of the cause, a consequence of a multi-cloud design is a more complicated network and increased difficulty managing, monitoring, and debugging network and application performance. As I wrote in May,

“The benefits of a multi-cloud infrastructure come with a high cost: the crushing complexity of stitching together the various environments. As I pointed out last year, the multi-dimensional problem of network design and operations is the dirty little secret of multi-cloud strategies.”

Source: 2021 Virtana report, The State of Hybrid Cloud and FinOps


Too often, the term “multi-cloud” is assumed to mean “multiple infrastructure clouds” like AWS plus Azure or Azure plus Google Cloud. However, according to recent Gartner estimates, spending on SaaS is 1.6 times that of IaaS and the largest single category of cloud services. Pandemic-induced remote work not only led to an explosion in the usage of videoconferencing and other collaboration applications, but also to a comparable increase in security spending, much of which now goes to cloud-based SASE, firewall, and authentication services. Indeed, multi-cloud is the consequence of several business, societal, and technical trends:

  • Organizations disinvesting in capital infrastructure (data centers) in preference for rentable, usage-based cloud services.
  • A broad and expanding array of packaged SaaS applications that started with productivity, collaboration, and back-office titles like Office365, Slack, and Salesforce and has expanded into networking (SD-WAN, NaaS), security (SASE, ZTNA), PaaS, and software development products.
  • Workforce and workload dispersion via universal WFH and the proliferation of edge computing. The spread of intelligent devices and sensors and the inefficiency of backhauling data to central data centers has prompted system architects to localize data collection and analysis and improve the performance of latency-sensitive applications via edge infrastructure.
  • The adoption of cloud-native microservice software designs that decompose monolithic applications into reusable containerized components. These microservices often use service meshes to communicate with one another and cloud services and, in multi-cloud environments, use resources in other regions and clouds.

The result is a complicated enterprise network environment with a web of connections between data centers, edge locations, remote users, and multiple SaaS and IaaS providers. As discussed in my earlier column, none of this is easy to implement, manage, or measure, making application performance subject to the vagaries of Internet bottlenecks, wireless latency, and inter-cloud routing choices.

Source: Prosimo

Prosimo Targets Multi-Cloud Application Experience

Prosimo is a new entrant to the multi-cloud connectivity market, founded by the same team that created the Viptela SD-WAN product. The company emerged from stealth this spring with a $25 million Series A round and promised to improve the performance, security, and manageability of modern applications via its AXI platform. Unlike other multi-cloud networking products, Prosimo builds on, rather than replaces, cloud transit services like AWS Transit Gateway or Azure VNet peering. As the company’s co-founder and CTO, Nehal Bhau, wrote in a blog post, Prosimo is designed to (emphasis added):

“Solve at the right layer. The Prosimo solution functions at the optimal layer of the network stack. We’ve stayed away from operating at the network layer primarily because the multi-cloud connectivity problem has already been efficiently solved by cloud service providers. Another drawback of operating at the network layer is that the user’s identity, an essential piece of the puzzle, can’t be ascertained. We’ve also stayed away from operating at the visibility layer, so we don’t lose the ability to steer traffic in an optimal way. Based on the problem we’re solving and the manner in which we’re solving it, we’ve found it best to operate within layer 4 through layer 7 of the OSI model.”

Prosimo is designed for network architects dealing with the sprawling complexity of multi-cloud networks who must “make it all work” while providing developers and users with the service levels they’ve grown to expect from monolithic applications running on internal infrastructure. Prosimo’s answer is the AXI (application experience infrastructure) platform, an application-layer mesh network that securely connects users to application endpoints of any type — web apps, VDI, PaaS, SaaS — on any cloud.

Prosimo uses a classic SDN architecture with a cloud-based control plane called the AIR Engine and AXI edge nodes that onboard traffic. AIR Engine includes a zero-trust authentication layer (SX), network control element (XD), and an ML-enhanced optimization and recommendation engine (CIRRUS).

The components within these logical layers provide several key features:

  1. Edge endpoints in an organization’s cloud infrastructure with routing intelligence to onboard traffic from a CSP location (e.g. AWS us-west-1) to the AXI fabric at the location providing the best overall performance (proximity-based onboarding). AXI edges are delivered as cloud-native, Prosimo-managed clusters with innate auto-scaling to guarantee performance.
  2. Traffic inspection to detect and block DDoS attacks and malicious packets.
  3. ZTNA with federated identity management (supports Okta, Azure AD, OneLogin, or any IdP with SAML or OAuth 2.0 support) and dynamic analysis of user behavior to block suspicious login attempts.
  4. Content caching via a private CDN that provides pre-fetched content, connection pooling, and data compression.
  5. Route path optimization between cloud locations and providers with three application-specific QoS settings that automatically configure L3-7 network settings.
  6. A multi-cloud backbone that builds on native cloud capabilities like AWS Transit Gateway, Azure VNet peering, and Azure VWAN hub to provide connectivity across regions and VPCs (VNets) without using IPsec or GRE tunnels.
  7. Application health checks and accelerators including global L7 load balancing, SSL offload, WAF, and reputation-based IP filtering.
  8. Private peering flexibility with support for Internet-routed or private peering (Direct Connect, ExpressRoute) VPCs and VNets.
  9. App-to-app and user-to-app connectivity across cloud and regions with customized security and routing policies.

Prosimo AXI also includes a host of monitoring, management, and automation features including log streaming to third-party platforms like Splunk and Azure Sentinel, programmatic control using Terraform, and consolidated reporting of network performance that can be broken down by user and application.

A side benefit of Prosimo’s application-layer multi-cloud fabric is significantly better cross-cloud performance via its intelligent routing engine. Prosimo detailed application performance variability in multi-cloud environments in a recent report that showed “significant variance between CSPs across key routes [that can] impact app-to-app-performance.”

Furthermore, it claimed its path optimization algorithm was able to improve app-to-app performance over direct connectivity on half of all routes, “with up to 25% improvement for individual routes.” Indeed, the report finds that “multi-cloud delivers more than a 10% improvement compared to direct connectivity.” Prosimo’s data corroborates measurements ThousandEyes (now part of Cisco) has made for several years showing significant differences in inter-region and inter-ISP performance among the three major cloud providers.

As organizations expand their use of cloud infrastructure and application services, network performance between employees, applications, and the various services will become an increasingly significant part of overall application performance. Indeed, as organizations start funneling virtually all traffic through cloud security services, Prosimo found that they experience meaningful increases in latency as a cascade of network requests is dispatched to different cloud locations. It is imperative, then, that IT organizations expanding their multi-cloud footprint have a plan for managing and optimizing their cloud fabric and evaluate products like Prosimo AXI and its competitors.

“Inserting mid-mile SaaS infrastructure can slow performance. In the example below, one application, hosted on a single domain, experienced nine requests to a security service that added a total of 342 milliseconds of latency.”

About Kurt Marko: Kurt was an IT analyst, consultant and regular contributor to a number of technology publications including Diginomica, TechTarget and AvidThink. Starting his career as an electrical engineer, Kurt spent the past 35 years providing deep reporting and analysis in networking and IT. Kurt passed away in January 2022.