1.8 Summarize Cloud Concepts and Connectivity Options
- Deployment Models
- Service Models
  - Software as a Service (SaaS)
  - Infrastructure as a Service (IaaS)
  - Platform as a Service (PaaS)
  - Desktop as a Service (DaaS)
- Infrastructure as Code
- Connectivity Options
  - Virtual Private Network (VPN)
  - Private-Direct Connection to Cloud Provider
- Security Implications
Types of Service
What is the cloud? It’s a concept where we outsource our computing resources to a third party and then connect to it remotely. Somebody else manages our infrastructure and we don’t have to worry about it (in theory). How do we pay for the cloud? How do we receive services? There are a few general models.
SaaS or Software as a Service is a concept where we pay for the right to use a software application. Somebody else takes care of writing the software, hosting the software, and backing up the data. Our only responsibility is to use the software. The software might be entirely web based or include components that are installed on our computers/phones. We don’t have to worry about the physical hardware. Examples of SaaS include Salesforce, Microsoft Exchange Online, and Office 365. SaaS is typically billed on a per user per month basis.
IaaS or Infrastructure as a Service is a concept where we pay for the right to use different hardware components. For example, we can rent different server types from Amazon Web Services’ EC2, or we could rent DNS services from Route 53. IaaS is usually charged on a per device per hour (or per month) basis. For example, a server might cost $0.35 per hour. If I buy an EC2 server it may come with a license for an operating system, such as Windows Server 2019 (for a higher hourly rate), or I could buy it “bare metal” and install my own operating system.
BYOL (Bring Your Own License) is a concept where we can transfer our operating system licenses to the cloud infrastructure. This avoids us having to pay a monthly rental cost for operating system licenses that we already own. A Windows Server license could cost upwards of thousands of dollars per server.
The cloud allows us to mix and match different hardware components so that we can build the type of infrastructure that we require, but we usually have to choose from the hardware combinations that the cloud service provider has. IaaS allows us to pay for only what we use. If we use a server for five hours, we pay for five hours (unless the service provider has minimum charges).
Increasingly, vendors of proprietary network equipment such as Cisco and Bomgar sell virtual images of their equipment that can be loaded into the cloud. Thus, you can build an entire virtual LAN in the cloud complete with servers, routers, firewalls, and load balancers, and pay for what you use, without having to touch any physical infrastructure.
PaaS or Platform as a Service is a hybrid between SaaS and IaaS. In PaaS, we don’t have to worry about the hardware. We simply upload the applications we want, and the cloud provisions the necessary hardware to run them. We are still responsible for configuring the applications and backing up their data. An example is Amazon Hadoop. PaaS is typically billed on a per hour per resource basis. For example, we could be billed for each GB of data we store each month, or we could be billed for the processing capacity we use. We can reduce our costs by using or writing more efficient applications.
DaaS or Desktop as a Service is a new offering where an office’s computing infrastructure is stored in the cloud. It is also known as Desktop Virtualization. You can think of it like having a monitor, mouse, and keyboard at your desk but no computer. Your actual computer is in the cloud. In reality, you have a computer or thin client (a computer with no operating system). But your files, software applications, and desktop are located on a cloud server. You remotely connect to the cloud server via RDP, Citrix, or another type of application.
The main benefits of DaaS
- Centralized hardware – our computing infrastructure is stored in the cloud. One server might host desktops for twenty to fifty people. This reduces the need for computer resources.
- Standardized hardware – since each user needs only a thin client or basic computer, monitor, mouse and keyboard, we can use cheaper standardized hardware. We don’t need to stock multiple types of devices or spend money on expensive desktops.
- Security – the devices that users use to connect to the remote desktop won’t store any data, so we don’t have to worry about data leaks if they get lost or stolen.
- Flexibility – you can log in to your desktop from multiple computers and not lose any data or program sessions. You will resume work exactly where you left off.
- Disaster recovery – we can move our workforce to another location and quickly have them back to work. Users can also work from home. The computing infrastructure is centralized, and cloud technology allows us to replicate it to multiple zones.
The main disadvantages
- Standardized hardware – users are forced to use a standard type of computer hardware
- Internet access – users are unable to use the DaaS when on the road or when access to the internet is interrupted. When the latency is too high (poor internet connection quality) the user experience will be affected.
The cloud is defined by three concepts
- Multitenancy – multiple users and customers have access to the same physical infrastructure or software. When you rent a server from AWS, you are renting a portion of the physical infrastructure in the AWS data center. You might be renting a virtual server that is hosted on a physical server, and that physical server might have several other virtual servers belonging to other clients.
- Scalability – we can increase the workload without affecting the performance of the application. We can do this by ensuring that we have enough capacity in our hardware (virtual hardware) for our application to grow. Scalability relates to the software layer in that the software layer can grow without issues, either using the existing hardware or with additional hardware. A scalable system guarantees that the software will continue to function at peak load (there is enough hardware available).
- Elasticity – elasticity ensures that we fit the amount of resources to the demand posed by the software. Elasticity grows or shrinks the underlying hardware in response to demand from the application.
Elasticity is more cost effective than scalability because we only pay for what we use, whereas scalability requires us to pay for the maximum amount of resources that we will eventually require. Elasticity can be difficult to implement if we are not able to predict the amount of resources that will be required or if we are unable to add resources in real time.
For example, if our application requires 100 servers during regular operation and 200 servers at peak capacity, we can always ensure scalability by having 200 servers. If we need 101 servers, then we already have capacity. If we need 102 servers, then we have capacity. As the needs of the application grow, the underlying hardware is already available to keep it operating. The problem is that we are paying for 200 servers even when we are only using 100 of them.
With elasticity, we keep 100 servers until we need 101 servers. Then we add another server. When we need 102 servers, we add another server, and so on. The problem is that the time between when we realize that we need 101 servers and the time that we buy another server is time that the application will perform poorly.
The best way to implement elasticity is to maintain a buffer zone. We should think about how rapidly the needs of the application will change and build a buffer zone based on that time. For example, if we have a buffer of two servers, then when we need 100 servers, we rent 102 servers. When we need 101 servers, we add another server and now we have 103 servers, and so on. When the application demand drops, and we only need 100 servers, we shut down one server, and have only 102 servers.
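The scalability-versus-elasticity trade-off above, as an added example that is not part of the original notes. It simulates a constructed hourly demand timeline with a one-hour provisioning lag (assumed), compares fixed peak capacity with elastic capacity at several buffer sizes, and derives the smallest buffer that avoids degraded hours; the $0.35 hourly price is borrowed from the EC2 figure earlier in the notes.

```python
"""Scalability (fixed peak capacity) versus elasticity with a buffer zone."""
from dataclasses import dataclass

PRICE_PER_SERVER_HOUR = 0.35  # assumed; reuses the EC2 hourly figure from the notes

# Constructed hourly demand in servers: steady load, a slow ramp, a spike, a fall-off.
DEMAND = [100, 100, 101, 103, 106, 110, 150, 200, 200, 150, 110, 100, 100]


@dataclass
class Outcome:
    server_hours: int    # servers rented, summed over every hour
    degraded_hours: int  # hours in which demand exceeded capacity

    @property
    def cost(self) -> float:
        return round(self.server_hours * PRICE_PER_SERVER_HOUR, 2)


def fixed_capacity(demand: list[int], capacity: int) -> Outcome:
    """Scalability only: rent `capacity` servers every hour, whatever the demand."""
    return Outcome(capacity * len(demand), sum(1 for d in demand if d > capacity))


def elastic(demand: list[int], buffer: int) -> Outcome:
    """Elasticity: each hour, resize to observed demand + buffer.

    Assumes a one-hour provisioning lag: a server ordered this hour is usable
    next hour, so a demand jump larger than the buffer degrades one hour.
    """
    capacity = demand[0] + buffer       # start correctly sized
    server_hours = degraded = 0
    for needed in demand:
        server_hours += capacity
        if needed > capacity:
            degraded += 1
        capacity = needed + buffer      # takes effect at the next hour
    return Outcome(server_hours, degraded)


def minimum_buffer(demand: list[int]) -> int:
    """Smallest buffer with no degraded hours under a one-hour lag:
    the largest hour-to-hour increase in demand."""
    return max(max(b - a for a, b in zip(demand, demand[1:])), 0)


if __name__ == "__main__":
    print("fixed 200:", fixed_capacity(DEMAND, 200))
    for buf in (0, 5, minimum_buffer(DEMAND)):
        print(f"elastic buffer={buf}:", elastic(DEMAND, buf))
```

A buffer of 5 absorbs the slow ramp but not the jumps of 40 and 50 servers; the buffer that avoids every degraded hour (50) still rents fewer server-hours than provisioning for the peak.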
Cloud Delivery Models
There are different cloud models.
A public cloud is available to the public. The hardware resources inside a public cloud are shared amongst all customers, which improves efficiency and reduces cost. Multiple customers may be provided access to the same physical server without realizing it (cloud software should prevent data leaks).
A private cloud is built by one organization for its internal use. A large organization can use a private cloud to share resources amongst different departments. For example, a large city can merge the computing resources of its engineering, fire, police, and road repair departments. Instead of having each department purchase and maintain its own hardware, all the departments pool their resources, resulting in reduced costs. Each department can rent a portion of the cloud and be charged accordingly.
A hybrid cloud is a mix of a public cloud and a private cloud. A company may decide that some applications are too sensitive to host on a public cloud, or that some applications will not run properly when they are off site, but still wants to take advantage of the public cloud. Applications/infrastructure that can run on the public cloud are placed there, and the remaining applications/infrastructure are placed on a private cloud.
Infrastructure as Code (IaC) is a concept where we can deploy servers and other infrastructure through software code instead of manually setting them up. The cloud computing provider physically installs hardware including large servers and storage appliances. Then they make available virtual “instances” of server types. We can then write code to deploy the specific instances that we need.
IaC has some advantages
- We can deploy infrastructure quickly and automatically
- We can deploy infrastructure in a standardized manner – that means that there is less room for human error
- If we are building an application (such as a website) that must scale up and down frequently, we can write code to deploy more infrastructure when we need it and shut them down. This allows us to pay for only the infrastructure that we need at the time that we need it.
Connectivity Methods / Relationship Between Local and Cloud Resources
How do we connect to the cloud? Devices in the cloud might have their own public IP addresses. An internet connection is the easiest way. We could connect to a cloud server via Remote Desktop Protocol, or we could connect to a database via SSH. Other types of applications may have web-based interfaces.
What if my cloud resources are vital to the organization or what if I need to move large amounts of data? I could create a direct connection between the cloud and the local network via a WAN or VPN. The cloud service provider would need to set up a WAN or VPN connector on their own network so that the two networks can communicate. With a WAN or VPN, devices in the cloud behave like they are on the local network. This is the best approach for a corporate cloud.
If you need to move lots of data into the cloud, you can physically ship your storage appliances (or hard drives) to the cloud where they can be copied. AWS (Amazon Web Services) offers a semi-trailer called the Snowmobile that is full of storage appliances. They drive it to your office. You connect it to your network and fill it with data. Then AWS takes the semi-trailer back to their data center and unloads the data into your account. The Snowmobile can store up to 100PB of data.
How can we protect our cloud information? Keep in mind that the cloud is under the physical control of a third party and that they might be able to access it, and that we are sharing the same physical hardware with other users. Consider the following
- Use multi-factor authentication when connecting to the cloud
- Set up firewalls to protect the cloud infrastructure and deny all traffic except for what is necessary
- Internal devices such as database servers should only connect to other cloud devices and not the internet
- Install required security updates regularly
- Use dedicated hardware (hardware not shared with other users) when available and cost-effective. This reduces the risk that another user can see your data if there is a security hole in the underlying hypervisor.
- Encrypt all data in use and at rest, and store decryption keys externally where possible
- Ensure that you have the legal right to store customer data in the cloud. It may be illegal to transfer customers’ personal information to a cloud if it is in a different country than your own.
- Ensure that the cloud storage provider is audited and perform inspections of their facility if possible.
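Because infrastructure deployed as code (above) can be read before it is deployed, the security list can be checked automatically. This added example, not from the original notes, audits a constructed CloudFormation-style template against the firewall, internal-database, dedicated-hardware and encryption-at-rest points; the resource names, the allowed public port (443) and the set of internal groups are assumptions.

```python
"""Checking an IaC template against the cloud security checklist in these notes."""
ANYWHERE = {"0.0.0.0/0", "::/0"}
ALLOWED_PUBLIC_PORTS = {443}   # the only service we intend to expose (assumed)
INTERNAL_GROUPS = {"DbSG"}     # groups for devices that must never reach the internet

# Constructed template in CloudFormation's shape; it deliberately fails four checks.
TEMPLATE = {"Resources": {
    "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "CidrIp": "0.0.0.0/0"}]}},
    "DbSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                                  "SourceSecurityGroupId": {"Ref": "WebSG"}}],
        "SecurityGroupEgress": [{"IpProtocol": "-1", "CidrIp": "0.0.0.0/0"}]}},
    "DbServer": {"Type": "AWS::EC2::Instance", "Properties": {"Tenancy": "default"}},
    "DbVolume": {"Type": "AWS::EC2::Volume", "Properties": {"Size": 100, "Encrypted": False}},
}}


def audit(template: dict) -> list[str]:
    """Return one finding per violation; an empty list means the template passes."""
    findings = []
    for name, res in template["Resources"].items():
        kind, props = res["Type"], res.get("Properties", {})
        if kind == "AWS::EC2::SecurityGroup":
            # Firewall: deny everything from the internet except the ports we need.
            for rule in props.get("SecurityGroupIngress", []):
                if rule.get("CidrIp") in ANYWHERE and rule.get("FromPort") not in ALLOWED_PUBLIC_PORTS:
                    findings.append(f"{name}: port {rule.get('FromPort')} open to the internet")
            # Internal devices such as databases should talk only to other cloud devices.
            if name in INTERNAL_GROUPS:
                for rule in props.get("SecurityGroupEgress", []):
                    if rule.get("CidrIp") in ANYWHERE:
                        findings.append(f"{name}: internal group may send traffic to the internet")
        elif kind == "AWS::EC2::Instance" and props.get("Tenancy", "default") == "default":
            # Shared hardware: a hypervisor flaw could expose data to another tenant.
            findings.append(f"{name}: runs on shared tenancy, consider dedicated hardware")
        elif kind == "AWS::EC2::Volume" and not props.get("Encrypted", False):
            findings.append(f"{name}: volume is not encrypted at rest")
    return findings


if __name__ == "__main__":
    for finding in audit(TEMPLATE):
        print("FAIL", finding)
```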