Seamlessly Extending the Data Center - Introducing Amazon Virtual Private Cloud
At this 3rd anniversary of the launch of Amazon Elastic Compute Cloud (Amazon EC2), it is amazing to see the impact this service has had on the industry. It is truly disruptive technology and its impact has reached far beyond a pure technology offering, as the benefits of the cloud have changed the way we view IT infrastructure. As one of the CIOs at the ACM Cloud Computing Roundtable summarized it: "IT used to be the blocker in anything we did, but with our shift to the cloud IT is now the enabler." From young businesses and established enterprises to hospitals and government agencies, all are equally enthusiastic cloud customers for whom IT infrastructure has changed forever.
Even though we keep rolling out new services and features, and several existing AWS services are already very successful, this is still Day One. We are only at the brink of what is possible to deliver in the cloud and at Amazon we continue to innovate to make this future a reality.
We continuously listen to our customers to make sure our roadmap matches their needs. One important piece of feedback that mainly came from our enterprise customers was that the transition to the cloud of more complex enterprise environments was challenging. We made it a priority to address this and have worked hard in the past year to find new ways to help our customers transition applications and services to the cloud, while protecting their investments in their existing IT infrastructure.
Protecting investments during the transition
Most enterprises with a datacenter practice have invested significantly over the past decade into the management of their systems and applications. CIOs of Fortune 500 companies are responsible for hundreds if not thousands of applications running in a variety of locations. Keeping track of those resources and managing access to them is a daunting task that continues to require significant investment.
The CIO of a large financial services company in the Northeast explained to me that his teams manage close to 3000 applications and services in 27 different locations. Consolidation of applications, resources and locations is a process that never stops in a world where mergers and acquisitions happen frequently. For him the cloud is attractive as a target for his consolidated services: it allows him to significantly reduce both his capital and operational costs, while gaining significant flexibility and reliability with resources that are globally distributed, without the headache of owning and maintaining them.
He has set the guideline that their current data center infrastructure should not expand any further and that all new development will target the cloud. He expects that the process of moving his existing applications and services to the cloud will take time to complete, as his road map is driven by many internal and external factors. And there are certainly some legacy applications that may never move. He has set the goal of moving 20% of his applications into the cloud by the end of 2010, but to meet this goal he needed to find a solution for a significant obstacle: how to integrate applications running in the cloud into his existing management frameworks. In his world, this especially applies to those management practices that manage policy-driven access controls and required, cross-application regulatory auditing.
This story is typical of many of the conversations I have had with CIOs around the globe. They have bought into the cloud as a target for a significant portion of their services, as the benefits are too obvious to ignore, and most expect that their transition will be a continuous process. They would accelerate the adoption of cloud services if they could access a form of cloud that would give them the best of both worlds: the flexibility and cost-effectiveness of accessing a virtually infinite pool of resources without owning it, while being able to integrate those resources into their existing datacenter environments such that they could continue to leverage existing investments in their management and control infrastructure.
Private Cloud is not the Cloud
These CIOs know that what is sometimes dubbed "private cloud" does not meet their goal as it does not give them the benefits of the cloud: true elasticity and capex elimination. Virtualization and increased automation may give them some improvements in utilization, but they would still be holding the capital, and the operational cost would still be significantly higher.
I often get asked to define "The Cloud," especially because of the many permutations that different vendors use in trying to make their existing businesses look like a cloud offering. I define the cloud by its benefits, as those are very clear. What are called private clouds have little of these benefits and as such, I don't think of them as true clouds.
The cloud:
- Eliminates Cost. The cloud changes capital expense to variable expense and lowers operating costs. The utility-based pricing model of the cloud combined with its on-demand access to resources eliminates the needs for capital investments in IT Infrastructure. And because resources can be released when no longer needed, effective utilization rises dramatically and our customers see a significant reduction in operational costs.
- Is Elastic. The ready access to vast cloud resources eliminates the need for complex procurement cycles, improving the time-to-market for its users. Many organizations have deployment cycles that are counted in weeks or months, while cloud resources such as Amazon EC2 only take minutes to deploy. The scalability of the cloud no longer forces designers and architects to think in resource-constrained ways and they can now pursue opportunities without having to worry how to grow their infrastructure if their product becomes successful.
- Removes Undifferentiated "Heavy Lifting." The cloud lets its users focus on delivering differentiating business value instead of wasting valuable resources on the undifferentiated heavy lifting that makes up most of IT infrastructure. Over time Amazon has invested over $2B in developing technologies that deliver security, reliability and performance at tremendous scale and at low cost. Our teams have created a culture of operational excellence that powers some of the world's largest distributed systems. All of this expertise is instantly available to customers through the AWS services.
Elasticity is one of the fundamental properties of the cloud that drives many of its benefits. While virtualization has tremendous benefits to the enterprise, certainly as an important tool in server consolidation, it by itself is not sufficient to give the benefits of the cloud. To achieve true cloud-like elasticity in a private cloud, such that you can rapidly scale up and down in your own datacenter, will require you to allocate significant hardware capacity. While to your internal customers it may appear that they have increased efficiency, at the company level you still own all the capital expense of the IT infrastructure. Without the diversity and heterogeneity of the large number of AWS cloud customers to drive a high utilization level, it can never be a cost-effective solution.
We have been listening very closely to the real requirements that our customers have and have worked closely with many of these CIOs and their teams to understand what solution would allow them to treat the cloud as a seamless extension of their datacenter, where their standard management practices can be applied with limited or no modifications. This needs to be a solution where they get all the benefits of cloud as mentioned above while treating it as a part of their datacenter.

Introducing Amazon Virtual Private Cloud
We have developed Amazon Virtual Private Cloud (Amazon VPC) to allow our customers to seamlessly extend their IT infrastructure into the cloud while maintaining the levels of isolation required for their enterprise management tools to do their work.
With Amazon VPC you can:
- Create a Virtual Private Cloud and assign an IP address block to the VPC. The address block needs to be a CIDR block, so that your internal networking can route traffic to and from the VPC with a single route entry. These are addresses you own and control, most likely allocated from your current datacenter addressing plan; the block must not overlap any range already in use on your network, since your routers will be told to send traffic for that block over the VPN.
- Divide the VPC address block into subnets in a manner that is convenient for managing the applications and services you want to run in the VPC.
- Create a VPN connection between the VPN Gateway that is part of the VPC instance and an IPSec-based VPN router on your own premises. Configure your internal routers such that traffic for the VPC address block will flow over the VPN.
- Start adding AWS cloud resources to your VPC. These resources are fully isolated and can only communicate to other resources in the same VPC and with those resources accessible via the VPN router. Accessibility of other resources, including those on the public internet, is subject to the standard enterprise routing and firewall policies.
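The address-planning steps above are where most VPN-bridged deployments go wrong: a VPC block that overlaps an existing corporate range cannot be routed over the tunnel without breaking something on-premises. The following is an added example, not code from the original post or from AWS, that checks a candidate VPC block against constructed on-premises ranges, carves it into subnets, and produces the route your internal routers would need. The on-premises ranges, the VPC block and the subnet size are assumptions for illustration; it uses only the Python standard library.

```python
"""Address-plan check for a VPC bridged to an on-premises network over an IPsec VPN.

Added example; not code from the original post or from AWS. The on-premises
ranges, VPC block and subnet size are constructed for illustration.
"""
import ipaddress

# Constructed: ranges already routed inside the (hypothetical) corporate network.
ON_PREM_RANGES = [
    ipaddress.ip_network("10.0.0.0/12"),      # 10.0.0.0 - 10.15.255.255
    ipaddress.ip_network("192.168.0.0/16"),
]


def overlaps_with(block, existing):
    """Return the existing ranges that overlap `block` (empty list means no clash).

    strict=True rejects a block with host bits set (e.g. 10.16.0.1/16), which
    would otherwise silently be rounded to a network address.
    """
    net = ipaddress.ip_network(block, strict=True)
    return [r for r in existing if net.overlaps(r)]


def is_routable(block, existing):
    """True when `block` can be advertised over the VPN without colliding."""
    return not overlaps_with(block, existing)


def carve_subnets(block, prefixlen):
    """Split the VPC block into equal-sized subnets of the given prefix length."""
    return list(ipaddress.ip_network(block, strict=True).subnets(new_prefix=prefixlen))


def plan_vpc(block, existing, prefixlen):
    """Validate `block` against `existing` and return the resulting address plan.

    Raises ValueError on overlap so a misconfigured block never reaches the
    router configuration step.
    """
    net = ipaddress.ip_network(block, strict=True)
    clashes = overlaps_with(block, existing)
    if clashes:
        raise ValueError(f"{net} overlaps on-premises range(s): "
                         + ", ".join(str(c) for c in clashes))
    subnets = carve_subnets(block, prefixlen)
    return {
        "vpc": str(net),
        "subnets": [str(s) for s in subnets],
        "usable_per_subnet": subnets[0].num_addresses - 2,  # minus network/broadcast
        # What the on-premises routers must carry: the VPC block via the VPN tunnel.
        "route": f"{net.network_address} {net.netmask} via <vpn-tunnel-next-hop>",
    }


if __name__ == "__main__":
    for candidate in ("10.16.0.0/16", "10.5.0.0/16"):
        try:
            plan = plan_vpc(candidate, ON_PREM_RANGES, 24)
            print(f"{plan['vpc']}: {len(plan['subnets'])} subnets, route {plan['route']}")
        except ValueError as err:
            print(f"rejected: {err}")
```

Run the same check again whenever a merger or acquisition brings new address space into the corporate network, because a VPC block that was safe at creation can later collide with a newly acquired range and the symptom is intermittent reachability rather than a clear error.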
Amazon VPC offers customers the best of both the cloud and the enterprise managed data center:
- Full flexibility in creating a network layout in the cloud that complies with the manner in which IT resources are managed in your own infrastructure.
- Isolating resources allocated in the cloud by only making them accessible through industry standard IPSec VPNs.
- Familiar cloud paradigm to acquire and release resources on demand within your VPC, making sure that you only use those resources you really need.
- Only pay for what you use. The resources that you place within a VPC are metered and billed using the familiar pay-as-you-go approach at the standard pricing levels published for all cloud customers. The creation of VPCs, subnets and VPN gateways is free of charge. VPN usage and VPN traffic are also priced at the familiar usage-based structure.
- All the benefits from the cloud with respect to scalability and reliability, freeing up your engineers to work on things that really matter to your business.
For more details on Amazon Virtual Private Cloud, visit the Amazon VPC detail page and the posting on the AWS developer weblog. For how our partners view Amazon VPC, see for example the posting at RightScale.
And happy birthday to Amazon EC2!
Hi Werner, great article and I will use some facts for my presentations - today we have a round table discussion about cloud computing and I will mention your article. What do you think about this article: http://www.computerwoche.de/management/cloud-computing/1904005/?r=155621518410818&lid=51584
With best regards,
Claus Peter
twitter: cpneff
Great news!
VPNs come in different flavors; you have 2 possible technologies for site to site VPNs:
1 - MPLS VPNs
2 - IPsec VPNs
Which type are Amazon VPNs? I was not able to decipher available documentation to clarify this.
Thanks
This is great! My architecture will be much simpler now. Before I was using Amazon for my public cloud and preparing to use another vendor for my virtual private cloud. I was worried about managing multiple SLAs and was also worried about the longevity of the private cloud vendor candidates. This makes things simpler and is likely a faster method of transmitting data between public and private cloud. Thanks for listening to your customers!
@Jacques
#2 IPSec- "Create a VPN connection between the VPN Gateway that is part of the VPC instance and an IPSec-based VPN router on your own premises."
Great work.. We are discussing Amazon VPC applicability to OpenVPN Cloud at OpenVPN Technologies, Inc. (www.openvpn.net)
Werner,
I applaud your company and the vision it has shown in defining this new paradigm for our industry. There are indeed great benefits for companies small and large from the original EC2/S3 solution and your moves towards a more enterprise-friendly solution will accelerate corporate adoption.
I wish to take issue, however, with your assertion that "The Private Cloud is not the Cloud". Take a typical situation for a large corporate, with many fixed cost data centers on long term contracts (leased or owned) and say 20,000++ x86 servers (as mine). For such a company, a private cloud makes absolute sense as an intermediate solution to optimize the business model, and potentially as an end-state for the mid/long term. Equally, depending on the exact situation, a hybrid internal/external or a fully external end-state may be the right solution. In other words - your mileage will vary depending on scale, workload behavior and the skills of your IT team.
Let's explore this 'Private Cloud' a bit further to work through this argument. For the benefit of anyone who is unclear about what we are referring to here, I define a 'Private Cloud' as a group of internal x86 assets (blades, servers, IBM iDataPlex, whatever) deployed or repurposed with virtualization to make a flexible resource pool, and then overlaid with automation and service portals to make an internal utility that is self-serviceable and highly cost-effective from an administration perspective. Linked to the concept is the idea of limited-lifetime workload images (to re-assert standards by spinning up a new clean build, reinstantiate=not-patch mindset) and 'if it breaks, spin a new one' to minimize fault-diagnosis. (Nothing different here than the external cloud by the way - same principles bring the same benefits).
OK, so let's also define this Private Cloud by business benefits, as Werner suggests. This Private Cloud also eliminates cost. How so? It eliminates the serial purchase pattern for dedicated servers (e.g. 3 months to procure and install), replacing it with a much more predictable bulk purchase and install cycle (plus reverse auctioning batches of servers at quarter-ends if you want to get really focused!). It eliminates early-provisioning behavior (caused by lack of predictability if you don't trust the server will be installed in time), over-provisioning (if I can only buy one physical server, it better be a big one!), and underutilization (that business growth plan was REALLY optimistic, right?). OK - these are all really side-effect benefits of virtualization, but implemented on top of a flexible hardware procurement pool and with an IT infrastructure team transitioning to a service provider mindset. Note that by continuing to soak up sunk cost in fixed-cost DC's (in fact - utilizing all the capacity to really sweat the assets before cloud-bursting externally), this optimizes the cost profile for the corporate (i.e. why leave your fixed DC asset underutilized to just add external costs per hour?). Now, for particular usage patterns (e.g. burst temp usage), you can make the case that the external solution is way more cost-effective, and for others (e.g. lots of low-utilized 24 x 7 instances) the internal solution is way more cost-effective. The point is that your optimal solution may be different to mine or the next guy's.
Next - this Private Cloud is Elastic. Let's face it - we are talking about a finite resource regardless if it's in an Amazon DC or a private one. The property you are trying to create is the semblance of unlimited capacity by having enough 'liquidity' or tappable resource to absorb all reasonable resource demands within the lead time of being able to grow the resource. An interesting thing happens when you scale a VM farm from 100's to 1000's to 10's of thousands. Volatility decreases. As on a mainframe 20-30 years ago, you get the balancing out of aggregate performance demands (some over-using, some under-using their allocations) and the trend of the whole farm becomes much more predictable. For x86-guys, they may get really nervous running an average of 80% loaded. For mainframe guys, they would probably not sweat a 92% loaded box, with a volatility of under 1% and growth of say 0.5% per quarter. I.e. with professional planning and some statistical analysis, you can sell elasticity to internal clients from a fixed asset base just the same way as an external cloud provider can deliver.
One of the nice properties for corporate DC's for the next 5 years is that as we transition to the benefits of increasingly multi-cored servers and gain the windfall benefits of ramping HW utilization via virtualization, we all have 10x to 20x capacity ready to grow in to. That's right ... corporate DC's are actually running at single-digit capacity utilization even if you *thought* it was completely full! (I.e. take out 20 x 5 year old servers, consolidate to one server, driving utilization up and gaining huge power advantages to boot). So there's loads of room for that elasticity to soak up that available power, and the nice thing is that it can be added in modular increments at almost expensable levels (say $2K or less a server).
The internal cloud also 'Removes Undifferentiated Heavy Lifting'. In a professional corporate DC operation (again in the 20K+ server scale), with disciplined refresh (say 3 years or 4 years), it's a normal thing to replace 25%-33% of servers each year. This is for sure "heavy lifting" today, because much of the environment is still physical. But as the virtualization layer slides into the stack over the next refresh cycle (as of course it would also have to in order to exploit an external cloud), you get all the benefits of abstraction of hardware from workloads. When this happens, the internal cloud gains the same transition flexibility as the external cloud (Vmotion anyone?)
I make these points in order to balance the discussion. In no way do I argue against the immense value of cloud-centric thinking, but I argue for a balanced internal/external/hybrid discussion, especially as these services start to address the professional corporate space.
Regards,
David S
You can deploy VPNs in EC2 with EITHER IPsec or your OWN data center-controlled security. Check out CohesiveFT's VPN-cubed http://www.cohesiveft.com/Cube/VPN/VPN-Cubed_Custom_Enterprise_Configurations/
@David S: You define "private cloud" as "a group of internal x86 assets [deployed] with virtualization [as] a flexible resource pool". That fits with the consensus. Let's call a spade a spade shall we - the evolution of virtualisation is NOT cloud. It doesn't need to be cloud either - we have a perfectly functional word for it: virtualisation. I've just about had it with the private cloud parade jumping on the bandwagon so in the immortal words of the Rolling Stones: "Hey! You! Get off of my [our] cloud!".
Remember the cloud symbol was first introduced in network diagrams to indicate that which is handled by others (e.g. telcos) - where early network diagrams included every node and link, the introduction of MPLS services et al allowed us to dispense with most of the complexity. Same for cloud - a *third party* provider like Amazon takes care of the details and I can get back to making widgets. That can at best be emulated by "I can't believe it's not cloud", and even then it's a poor replica (like a fake Rolex).
I can only assume that someone willing to write a 1,000+ word essay on why they should be invited to the party is somehow involved with the sale of "private cloud" (as is usually the case). Apologies for being terse but enough's enough already - we've heard what you've got to say and ultimately customers are ready for cloud and will vote with their feet (mark my words).
Echoing what Appirio have to say on the subject: Private Clouds aren't Clouds and Public Clouds aren't Public.
Sam
You guys continue to rock. Nice work as always.
Amazon EC2 was futuristic when it was launched. It continues to be so. A startup whose Board I sit on is eyeing its use.
If we define 'Cloud' as a fully elastic, cost-effective solution to deploy and manage business applications, then private data centers should not be called 'True Private Clouds'. Private data centers could be fully elastic in nature to support dynamic resource demands of the business applications, but the cost to keep the resources on stand-by will increase CapEx. So, the cost of bringing elasticity to the private data centers is directly proportional to the benefits, which is not a cost-effective approach. This equation is right for 'Seasonal' business applications, as well as those that react suddenly to external events. Seasonal business applications such as online 'E-card' portals or 'Online-shopping' portals, or 'Online Florist' . . . others like news and media supporting online applications, where workload depends on external factors, viz., stock market fluctuations and other breaking news. These kinds of applications will have fluctuating resource demand to meet unpredictable dynamic business workloads. But I think a private data center could be transformed into a considerably 'Good Private Cloud', if the organization has good IT resource governance in place to support the business applications and workload behavior, and understands the nature of the business and the vision of the organization. One of the solutions to achieve it is for the organization to transform the IT support department from a cost centre into a profit centre, by implementing an effective chargeback system to the various business units for the services it provides. This will considerably bring down the CapEx of bringing elasticity to the data centers.
Hi Werner
Just a heads up ... competitors seem to be making false claims about EC2 performance.
http://www.joyent.com/joyeurblog/2009/09/08/benchmarking-joyent-pricing/