Multi-Cloud Network Connectivity with Equinix Overview
A Cloud Operating Model describes the people, process and technology changes required to evolve an organization and effectively manage its cloud services. VMware Cloud based solutions run the same SDDC on AWS, Azure and Google Cloud, with other hyperscalers to follow. VMware Cloud on Dell combines the simplicity and agility of the public cloud with the security and control of enterprise-grade on-premises infrastructure, delivered as-a-service to data center and edge locations. VMware Cloud-based solutions strive to provide a consistent experience for managing infrastructure by leveraging the same processes and tools across service providers. There was, however, a gap between hyperscalers and on-prem private clouds. Our partnership with Equinix bridged that gap. Enabling VMware Cloud at all Equinix locations allows for seamless extensibility of infrastructure along with the benefits of sovereignty, security, latency, cost and control, while remaining agile and scalable and providing a direct path to hyperscalers when needed.
Here are some of the customer pain points that we intend to address with this architecture:
- Need to balance security, flexibility, and control across both public and private clouds
- Network connectivity and latency issues
- Complex regulatory, security, and low latency needs
- High data transfer and connectivity costs
- Data and application mobility
- Remote workers and resources
- Expensive physical equipment and legacy infrastructure
- Long term commitments and setup time for secure private data connection into hyperscaler clouds that are only needed for short periods of time in many cases.
This guide is focused around the Equinix colocation at the center of the architecture. The architecture provides a fully meshed network design between customer owned datacenters, Equinix datacenters, public VMware Clouds and Edge/Remote Office Branch Office (ROBO) sites.
With Equinix serving as the customer’s network HUB, all connections to public and private clouds as well as Edge/ROBO sites are connected through the Equinix datacenter. In this design, the customer is interconnected to resources on the hyperscalers via Equinix Fabric, a private network with sub-1 millisecond latency to the hyperscaler locations, leveraging their respective private interconnection solution (e.g., AWS Direct Connect, Azure ExpressRoute). The customer private cloud datacenters and Edge/ROBO sites are connected by private WAN connections, VPNs or VMware SD-WAN to the Equinix datacenter HUB.
The customer can quickly provision network connections between clouds as needed without expensive long-term commitments to carriers or long wait periods for the network to get built out. This can reduce the network build-out from weeks or months to days, hours or even minutes.
Legacy Cloud Network Designs
In the legacy diagram (Fig-1 above), the approach for corporate networks has been to integrate public clouds into the design by leveraging existing infrastructure. This often results in Edge/ROBO sites using the same WAN connection back to the corporate datacenter to then route to public cloud environments.
In other cases (Fig-2 above), there is no consistent way of making this connection: some sites may use private WAN connectors like MPLS to connect to the corporate datacenter but then have a separate VPN tunnel to connect to the public cloud environments.
Additionally, with ad hoc designs (Fig-3 above), one site may have set up a public cloud connection because a project needed it for deploying services in the public cloud. As other sites required access to these apps and services, they were simply routed across the network to the original connection that had been built out.
In all these cases, traffic is not optimized for a multi-cloud network. Congestion becomes an issue as traffic from different sites crosses the network to reach the public cloud services, or managing a separate connection for each site becomes impractical and makes corporate security compliance requirements hard to meet.
A customer could optimize their public cloud connection by adding direct MPLS connections to the public clouds for all sites to use, but in many cases the use of these environments is short lived and shifts rapidly from cloud to cloud. The customer may need to repatriate the applications to the company’s private cloud datacenter after the development process is over for compliance reasons, or may no longer need to keep the public cloud environment. This makes long-term circuit commitments from the customer’s existing MPLS carrier directly to hyperscalers costly and time consuming to get in place for rapidly changing development and production environments.
Equinix Colocation Design
The Equinix colocation multi-cloud design allows the customer to add a redundant datacenter for Disaster Recovery (DR) and a HUB for the network. Each Equinix location is secure, has a high density of global, regional and local Network Service Providers and has multiple direct fiber links into the cloud hyperscaler networks with those network POPs residing inside Equinix. These direct Equinix connections, either physical cross connect or Fabric (virtual), can provide isolated direct access for customers hosting infrastructure in the Equinix datacenter directly into the public cloud.
The customer can deploy and manage their own routers, switches, and firewalls in Equinix leased private cabinet/cage locations or subscription based virtual routers and firewalls can be provided to the customer from the Equinix Network Edge platform services. Equinix can provide public Internet connections with static IP blocks through multiple available providers for redundancy.
VMware SD-WAN can be used to quickly set up customer private clouds to connect to the Equinix virtual SD-WAN connectors using the Equinix Network Edge platform service, so the customer does not need to deploy a physical SD-WAN device or need infrastructure to host an SD-WAN virtual appliance in Equinix. Alternatively, customers can provide their own physical SD-WAN appliance and manage it in their rack, or deploy a virtual SD-WAN appliance in the customer’s own cloud infrastructure rack hosted at Equinix. To streamline routing updates between the underlay and overlay networks, the BGP routing protocol is supported by VMware NSX and SD-WAN appliances. This allows routing to update automatically across the multi-cloud networks as changes are made, which simplifies moving workloads and adding new sites without the need to manually create routes between the underlay and overlay networks.
The customer’s Equinix environment can be used as a central datacenter control plane for provisioning to public and private clouds as well as the connection end point for Edge/ROBO locations. The establishment of this central HUB in the network provides customers with more flexibility to move workloads between clouds and across their corporate network as needed. Equinix is also an optimal location for a disaster recovery site, with the customer able to own and control the entire hardware and software stack in Equinix. This can allow the customer to meet the regulatory and compliance needs of their organization.
With Equinix at the center of the design, the customer has a wide range of flexibility and easy access to a variety of networking options that can be quickly provisioned and torn down as needed. Below is a list of the benefits of this design:
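The automatic route propagation described above can be illustrated with a small model of the hub's BGP table. The following is an added example written for this page, not VMware, NSX, SD-WAN or Equinix code: spokes (an on-prem datacenter, a VMware Cloud on AWS SDDC and a ROBO site) advertise the prefixes they host to a hub router, the hub applies an import filter so that a spoke can only originate prefixes inside the corporate address plan (a check a practitioner would want at any hub that accepts routes from many sites), and best path is chosen by shortest AS path. A workload segment migrating between sites is modelled as a withdraw at the old site and an advertisement at the new one; the hub converges without any manually created route. All site names, ASNs and address ranges are constructed.

```python
"""Toy model of BGP route exchange at an Equinix network hub.

Added example, not VMware or Equinix code. Sites peer with a hub router and
advertise the prefixes they host; the hub applies an import filter (only
prefixes inside the corporate address plan are accepted, so a spoke cannot
inject a default route or public space), keeps every path per prefix and
selects the shortest AS path. Site names, ASNs and ranges are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple  # ASNs, nearest first


@dataclass
class Hub:
    corporate_space: list                      # supernets a spoke may originate
    rib: dict = field(default_factory=dict)    # prefix -> {site: Route}
    rejected: list = field(default_factory=list)

    def _permitted(self, prefix):
        net = ip_network(prefix)
        return any(net.subnet_of(ip_network(s)) for s in self.corporate_space)

    def advertise(self, site, route):
        """Install a route from a site if it passes the import filter."""
        if not self._permitted(route.prefix):
            self.rejected.append((site, route.prefix))
            return False
        self.rib.setdefault(route.prefix, {})[site] = route
        return True

    def withdraw(self, site, prefix):
        """Remove a site's path; drop the prefix once no site announces it."""
        paths = self.rib.get(prefix, {})
        paths.pop(site, None)
        if prefix in self.rib and not paths:
            del self.rib[prefix]

    def best_path(self, prefix):
        """Site with the shortest AS path for a prefix (site name as tie-break)."""
        paths = self.rib.get(prefix, {})
        if not paths:
            return None
        return min(paths.items(), key=lambda kv: (len(kv[1].as_path), kv[0]))[0]

    def next_hop_for(self, host):
        """Longest-prefix match for a host address, then best path."""
        addr = ip_network(host)
        matches = [p for p in self.rib if addr.subnet_of(ip_network(p))]
        if not matches:
            return None
        return self.best_path(max(matches, key=lambda p: ip_network(p).prefixlen))


def workload_move_scenario():
    """Migrate a segment between sites and show the hub converging."""
    hub = Hub(corporate_space=["10.0.0.0/8"])
    hub.advertise("onprem-dc", Route("10.1.0.0/16", (65001,)))
    hub.advertise("vmc-aws", Route("10.2.0.0/16", (65002,)))
    # Backup path to the on-prem range via the cloud site (longer AS path).
    hub.advertise("vmc-aws", Route("10.1.0.0/16", (65002, 65001)))
    # Workload segment currently hosted on premises.
    hub.advertise("onprem-dc", Route("10.1.5.0/24", (65001,)))
    before = hub.next_hop_for("10.1.5.20")
    # A spoke trying to announce a default route is filtered at the hub.
    hub.advertise("robo-1", Route("0.0.0.0/0", (65003,)))
    # Segment migrates to VMware Cloud on AWS: withdraw old, announce new.
    hub.withdraw("onprem-dc", "10.1.5.0/24")
    hub.advertise("vmc-aws", Route("10.1.5.0/24", (65002,)))
    return {
        "before": before,                                # "onprem-dc"
        "after": hub.next_hop_for("10.1.5.20"),          # "vmc-aws"
        "backup_primary": hub.best_path("10.1.0.0/16"),  # "onprem-dc"
        "unrelated": hub.next_hop_for("10.1.9.1"),       # "onprem-dc"
        "outside": hub.next_hop_for("192.168.1.1"),      # None
        "rejected": hub.rejected,                        # [("robo-1", "0.0.0.0/0")]
    }


if __name__ == "__main__":
    for key, value in workload_move_scenario().items():
        print(f"{key}: {value}")
```

The import filter is the defensive detail: a hub that accepts whatever its spokes announce will happily install a default route or a hijacked prefix from a misconfigured branch, so the same per-site prefix policy should exist on the real NSX or SD-WAN BGP peering.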
- World’s largest datacenter & interconnection provider
- End-to-end workload portability
- Hybrid infrastructure through private appliances or bare metal as a service
- Network Edge for quick network function deployments
- Consistent VMware skills & toolset
- Lift and Shift Applications without service disruption
- Single point of management for IaaS, CaaS, and SaaS Ops
- Secure and Resilient Cloud Stack
- Global and Regional Footprint of Data Center
- Equinix Fabric provides Public Cloud services access
- Reliable and broad instance portfolio
- Preconfigured VMware environments ensure SDDC access in minutes
VMware Cloud has been designed and engineered with AWS, Azure, and Google to allow customers to have the same VMware experience on the hyperscaler cloud environments, by using the same console (VMware vCenter) to manage dedicated cloud resources. Each VMware Cloud instance provides dedicated hardware to the customer, with the lifecycle of this hardware being fully managed by the cloud provider. This allows IT resources to concentrate on business-critical projects instead of infrastructure firmware and software updates.
Since all the VMware clouds use the same underlying technology to power private and public clouds your workloads are fully portable between all the cloud environments.
This makes it easy to migrate workloads from VMware private clouds to the public VMware Clouds without the need to reconfigure workloads to run in a different cloud environment. This is the same when migrating workloads from one VMware Cloud cluster to a different VMware Cloud cluster hosted on a different provider.
The ability to move between providers gives the customer choice and flexibility in selecting the best deployment solution for a workload. While all VMware Clouds run on VMware technologies, the following outlines the specific features available from each provider’s instance of VMware Cloud.
VMware Cloud on AWS: Jointly Engineered Cloud Service
- VMware SDDC running on AWS bare metal
- Delivered, operated, supported by VMware
- On-demand capacity and flexible consumption
- Operational consistency with on-premises
- Seamless, large-scale workload portability and hybrid ops
- Global AWS footprint, reach, availability
- Direct access to native AWS services
Google Cloud VMware Engine (GCVE)
- VMware SDDC running on Google Cloud Platform bare metal
- Sold, operated & supported by Google and its partners
- Direct access to Google Cloud Platform services
- On-demand, 1yr/3yr reserved Instance flexible consumption
- VMware-validated for operability with Google Cloud Platform
VMware Enterprise Capabilities Delivered as an Azure Service
- VMware SDDC running on Azure bare metal
- Sold, delivered, operated, and supported by Microsoft
- On-demand capacity and flexible consumption
- Operational consistency with on-premises
- Integrated with Azure Portal & Resource Manager
- Seamless, large-scale workload portability
- Global Azure footprint, reach, availability
- Direct access to native Azure services
Since VMware offerings for private and public clouds use the same software with vSphere as the foundation, the same VMware security software suites run in the customer’s private and public VMware clouds. VMware NSX is at the core of the VMware Multi-Cloud network design, securing customer workloads with micro-segmentation, distributed firewall, dynamic security policies, load balancing and VPN tunnels.
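The "dynamic security policies" point above rests on rules being attached to workload identity (tags or security groups) rather than addresses, so a policy follows a VM when it migrates between clouds. The following is an added example written for this page, not NSX code or the NSX API: a minimal tag-based distributed firewall evaluator beside an address-based ACL for contrast, with a VM migrating to a new site and IP. VM names, tags, ports, addresses and the policy itself are constructed.

```python
"""Tag-based distributed firewall evaluation versus an address-based ACL.

Added example, not NSX code. Rules reference security groups defined by tags
rather than addresses, so a VM keeps the same policy when it migrates between
sites and changes IP. VM names, tags, ports and addresses are constructed.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    site: str
    tags: frozenset


@dataclass(frozen=True)
class Rule:
    src_tag: Optional[str]  # None matches any source
    dst_tag: str
    port: int
    action: str


# Constructed policy: web may reach app on 8443, app may reach db on 5432,
# nobody may SSH to db; anything unmatched falls to the default deny.
POLICY = [
    Rule("web", "app", 8443, "allow"),
    Rule("app", "db", 5432, "allow"),
    Rule(None, "db", 22, "deny"),
]

# Constructed address-based ACL for contrast: allows app01's original IP only.
IP_ACL = {("10.1.20.5", "10.1.30.5", 5432)}


def evaluate(src, dst, port, policy=POLICY):
    """First matching rule wins; default deny when nothing matches."""
    for rule in policy:
        src_ok = rule.src_tag is None or rule.src_tag in src.tags
        if src_ok and rule.dst_tag in dst.tags and rule.port == port:
            return rule.action
    return "deny"


def evaluate_ip_acl(src, dst, port):
    """Address-keyed ACL: breaks as soon as the source changes IP."""
    return "allow" if (src.ip, dst.ip, port) in IP_ACL else "deny"


def migration_scenario():
    """Move app01 to another site and compare both policy styles."""
    web = VM("web01", "10.1.10.5", "onprem-dc", frozenset({"web"}))
    app = VM("app01", "10.1.20.5", "onprem-dc", frozenset({"app"}))
    db = VM("db01", "10.1.30.5", "onprem-dc", frozenset({"db"}))
    before = (evaluate(web, app, 8443), evaluate(web, db, 5432), evaluate(app, db, 5432))
    # app01 migrates to VMware Cloud on AWS and gets a new address; tags unchanged.
    app_moved = replace(app, ip="10.2.20.5", site="vmc-aws")
    after = (evaluate(web, app_moved, 8443), evaluate(web, db, 5432),
             evaluate(app_moved, db, 5432))
    return {
        "tag_before": before,                                  # allow, deny, allow
        "tag_after": after,                                    # unchanged
        "ip_acl_before": evaluate_ip_acl(app, db, 5432),       # "allow"
        "ip_acl_after": evaluate_ip_acl(app_moved, db, 5432),  # "deny"
        "ssh_to_db": evaluate(web, db, 22),                    # "deny"
    }


if __name__ == "__main__":
    for key, value in migration_scenario().items():
        print(f"{key}: {value}")
```

The contrast is the operational point: with address-keyed rules a migration silently breaks (or, with an overly broad allow, silently widens) connectivity, whereas tag-keyed rules give the same verdict on both sides of the move and the tag assignment becomes the thing to audit.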
The VMware SD-WAN appliance is used to secure the physical underlay site-to-site networks providing a centralized SaaS Orchestrator, end-to-end segmentation, intelligent traffic steering and security policies.
By default, encryption is enabled on the vSAN datastore of VMware Cloud clusters deployed in AWS, Azure and Google using the hyperscaler’s native KMS. For customer private clouds deployed on premises or in Equinix, a KMS provider can be used for vSphere encryption, or the built-in vSphere Native Key Provider can provide a simple way for customers to enable encryption without a KMS server.
Carbon Black Cloud provides intelligent threat protection to deliver more effective security for workload VMs and endpoint devices across sites and clouds. The Carbon Black unified cloud console runs in the public cloud, allowing connectivity to all devices from anywhere in the world.
VMware Tanzu Kubernetes, with the same security, governance, and integration with NSX, gives customers a consistent Kubernetes platform in the private and public VMware clouds. VMware Tanzu Mission Control (TMC) with Observability provides a centralized hub for multi-cloud Kubernetes management and application monitoring.
All of this, combined with VMware Workspace ONE for management of endpoints and users, can implement zero trust policies, with user access controlled by the VMware Unified Access Gateway across the entire customer private and public multi-cloud environment.
Using Equinix as the central control and HUB of a multi-cloud network design gives flexibility and consistency for network connectivity between VMware private and public clouds. The ability to quickly bring up direct private network links (up to 10GB) into the hyperscaler instances of VMware Cloud and easily remove these connections provides significant cost and operational benefits to the customer.
With the ability to host customer-owned and managed equipment, there are added benefits to using Equinix for backup and disaster recovery, whether to achieve optimal restore times, data ownership, or governance and compliance requirements that cannot be met in public cloud environments.
VMware in partnership with Equinix provides a dynamic solution to enable a customer’s multi-cloud business vision.
- For more details on VCF on VxRail solution, please refer to VMware Cloud Foundation on Dell EMC VxRail.
- For more details on VMC on Dell solution, please refer to VMware Cloud on Dell.
- For more details on VMC on AWS solution, please refer to VMware Cloud on AWS – Overview.
About the Author
Jerry Haskins is a Solutions Architect responsible for collaboration of products on the VMware Partner Solutions Engineering Team in VMware’s Office of the CTO. With 20+ years of experience in the IT industry, he has spent his career in innovative roles managing enterprise networks and datacenters, working with virtualization technologies, microservices, CI/CD workflows and HPC solutions.