The Virtual Private Cloud service can create an IPsec tunnel (authentication of both endpoints and encryption of the transported data) between an Amazon data center and your 'on-premise' IT. According to Amazon, this functionality consumes about 7% of additional network bandwidth because of encryption and encapsulation.
source : http://aws.amazon.com/
This service requires an advanced router that supports the IKE (Internet Key Exchange) protocol, used to negotiate the security attributes of the VPN, or BGP (Border Gateway Protocol) peering, used to define network routes between the Amazon data center and your infrastructure.
The main advantage of using IPsec tunnels, beyond the transparency they provide to applications, is that on the Amazon side the VMs are not reachable from the public Internet but only through the VPN entry point. As for the drawbacks, setting up a VPN can imply significant changes to the network architecture (filtering rules, subnets, bandwidth distribution, ...).
Currently, the VPC service is in beta release with the following limitations:
To launch a VM you need an image, an Amazon Machine Image (AMI). So the question is: if a company has to manage a hundred or more VMs, how should it manage the AMIs from which those VMs are created?
Amazon proposes three options: an inventory of AMIs, light-coupling AMIs and the "Just-Enough OS AMI".
The inventory of AMIs is the first approach. An AMI is associated with one "type" of VM: OS, technical stack and code are fixed. Several VMs can be started from the same image, but if you have an "application server" VM and a second one that is a "database server", you will have two different AMIs. As the company adopts the Amazon cloud, the number of AMIs it has to manage will grow. Problems appear at update time: if you must apply a patch to an OS used by 30 AMIs, those 30 AMIs have to be rebuilt once the update is done. The same applies to the technical stack and to the applications!
The second method is to introduce a light coupling between the image of a VM and its final state. Here the application is loaded at boot time of the VM: an AMI that contains an application server will load JEE archives from a previously defined location (S3, file server, ...). With this configuration, we avoid bundling a new AMI to integrate a new release of the application binaries. For Java applications, this mechanism can simply be a Maven command executed at startup to retrieve the artifacts from a repository inside the company. For other technologies, we can imagine using a version control system (e.g. an SVN export) or a simple HTTP download (wget).
Finally, the last solution is to create AMIs containing only the OS and the minimal environment needed to run an automated configuration tool such as Chef, Puppet or CFEngine. When the VM is launched, a parameter indicates which configuration should be applied (list of required frameworks, the application code, ...) and the VM configures itself using the scripts provided by the configuration tool.
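As an added example (not code from the article or from Amazon), here is a boot-time bootstrap script that a light-coupling or Just-Enough OS AMI could run: it reads the VM's role from the launch user-data, fetches the matching artifact and refuses to install it unless its SHA-256 digest matches the one passed by the launcher. The user-data format, the repository URL and the role names are assumptions made for this example; the EC2 metadata endpoint is the real one.

```sh
#!/bin/sh
# Added example, not taken from the article or from Amazon: a boot-time
# bootstrap baked into a "light coupling" AMI. The launch user-data
# (key=value lines) names the role of the VM and the SHA-256 digest of the
# artifact that role must fetch; the digest comes from the launcher, so a
# tampered repository or download path cannot silently change the binaries.
# Repository URL, role names and the user-data format are assumptions.

# Print the value of "key" from key=value user-data lines (first match).
userdata_get() {
  key="$1"; data="$2"
  printf '%s\n' "$data" | sed -n "s/^${key}=//p" | head -n 1
}

# Map a role to its artifact in the company repository (assumed layout).
artifact_for_role() {
  case "$1" in
    appserver) echo "https://repo.example.internal/releases/app-server.war" ;;
    dbserver)  echo "https://repo.example.internal/releases/db-schema.tgz" ;;
    *)         return 1 ;;
  esac
}

# Compute SHA-256 with whichever tool the base image ships.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Succeed only if an expected digest was given and the file matches it.
verify_sha256() {
  [ -n "$2" ] && [ "$(sha256_of "$1")" = "$2" ]
}

# Full boot sequence: resolve role, download, verify, then install.
bootstrap() {
  data="$1"
  role=$(userdata_get role "$data")
  url=$(artifact_for_role "$role") || { echo "unknown role: $role" >&2; return 1; }
  tmp=$(mktemp)
  curl -fsS "$url" -o "$tmp" || { rm -f "$tmp"; return 1; }
  verify_sha256 "$tmp" "$(userdata_get sha256 "$data")" \
    || { echo "digest mismatch for $url" >&2; rm -f "$tmp"; return 1; }
  install -m 0644 "$tmp" "/opt/deploy/$(basename "$url")" && rm -f "$tmp"
}

# On a real instance: fetch the launch user-data from the EC2 metadata service.
if [ "${1:-}" = "--run" ]; then
  bootstrap "$(curl -fsS http://169.254.169.254/latest/user-data)"
fi
```

The same role parameter is what a Just-Enough OS AMI would hand to Chef or Puppet instead of downloading an artifact itself.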
The migration of licenses can be made in three distinct ways:
Several public Cloud providers can be involved in the same hybrid cloud. Reasons can be:
However, each platform has its own specificities, services and proprietary APIs, and the possible answers presented in this article, which are based on AWS, may not apply to other IaaS offers, and vice versa.
Even though some partnership initiatives (between VMware and Google, for example) favor the development of standards, the Cloud market is far from offering common services and APIs. Thus, multiplying the offers in use increases the need for internal skills and creates a relative dependence on the cloud providers. Ideally, we will limit the number of Cloud providers, preferring partners able to answer the forthcoming needs in terms of services and guarantees.