Last updated on October 5, 2021.
It’s a challenge for most organizations to find the best ways to build environments that bridge their legacy and newer hybrid or multi-cloud networks.
Whether it’s competitive pressure, time to market, innovation, or the demand for remote work, organizations now have pressing strategic business reasons to shift to the cloud.
But research has shown that the gulf between network and cloud teams can be one of the biggest inhibitors to cloud adoption success.
Recently, A Cloud Guru’s Drew Firment sat down with Padraig O’Connor, a Cloud Center of Excellence (CCoE) network platform engineer for Zurich Insurance Group, and Chris Swinford, a cloud network architect for Kroger. The group uncovered key lessons from their own experiences about how best to connect legacy and cloud networks, as well as how networking pros can best support hybrid cloud adoption.
To help you successfully adopt a hybrid cloud strategy, read on to learn O’Connor, Swinford, and Firment’s advice on:
- Why you should intentionally include networking and security teams in your CCoE and how to do it right;
- How to make the right architecture decisions in the face of existing issues like technical debt and compliance regulations;
- The best resources to use for efficiently getting up to speed on the cloud; and
- Operationalizing the important details of your hybrid cloud implementation.
Read the highlights below or catch the entire ACG webinar on demand.
Give network and security teams a seat at the table
Firment noted that many organizations have used a bimodal approach to manage both the network and security. Perhaps that worked well in the past; today, it results in siloed teams.
He characterized the typical directive from cloud teams to network teams as something like this:
“They’re like, ‘Okay, you know, you keep managing the data centers. Don’t worry your pretty little head about what we’re doing over here in the cloud. Just keep the lights on,” Firment said. “We’re going to go ahead and hire these new whatever hires that are over here that are cloud data. And they’re going to build this new cloud thing for us. And then when we’re ready, we’ll sort of deprecate, and you will move forward.’ Well, I mean, that’s asinine, right?”
Implementing today’s cloud technology requires far more cross-team collaboration.
A common approach: A Cloud Center of Excellence
There are numerous strategies that CIOs and IT leaders can employ to help bridge the divide between network and cloud teams.
Creating a Cloud Center of Excellence (CCoE) to attain strategic and operational alignment among all of your teams responsible for cloud transformation is a common approach. Done right, a CCoE fosters cross-collaboration that can minimize inefficiencies, duplication, and potential obstacles when architecting a hybrid cloud environment.
But what you don’t want, Firment notes, is “an echo chamber of a bunch of folks pontificating about cloud-native architecture without the reality of the hybrid world.”
‘Intentional inclusion’ of traditional teams
Whether a CCoE or some other construct, the panelists agreed that it’s most critical to bring an organization’s traditional networking and security experts into the fold. After all, they are the ones who are intimately familiar with how traffic flows through legacy data centers.
“It’s a very intentional inclusion of those traditional teams,” Swinford says. “They’re not necessarily on the cloud team, but they all have a seat at the table.”
Firment recounts from his own experience that including network and security teams provides a sanity check. It has helped him ensure the cloud team wasn’t trying to take on more than was possible given the reality of their network configurations.
“It also helped to connect the dots to the actual individuals and teams that were still working in the data centers,” he says. “And made them feel like, ‘Hey, there is a path forward. We’re gonna bring you along. You are valued, your skills are valued.’”
Don’t hire new; pluck from within
After Zurich announced the stand-up of their CCoE, O’Connor recalled that he and his colleagues were left wondering whether that meant they would get special assignments to it or if there would be a slew of new hires.
As Zurich’s BlueCat subject matter expert, O’Connor was responsible for all the company’s DNS infrastructure and deploying it out to the cloud, all while still part of his legacy networking team. The CCoE realized they were lacking in those skills and came calling.
O’Connor suggests always plucking from within your organization first.
“When it came down to, ‘Oh, we need a network guy,’ it’s like, ‘Oh, well, we have a team of people here who are responsible for the firewalls that our cloud networks hang off and all of the IP address management that our cloud networks hang off. Surely we should get one of those guys.’
“Fair play to the cloud team, because an awful lot of people would just go out and hire externally for that role.”
Architect amid technical debt and compliance regulations
A rare greenfield company with a clean technology slate is well-positioned to go full speed ahead with cloud implementation.
On the other hand, and far more commonly, brownfield organizations, especially in highly regulated industries, carry technical debt and regulatory scrutiny. That can make architecture decisions complicated. Meanwhile, cloud teams want to deploy DNS as if they were limited only by the CSP’s capabilities.
O’Connor recounts his own experience with these complexities at Zurich.
“I’m in that position where I’m trying to say, ‘Oh, well, we can’t do it this way. And we can’t do it that way.’ And everyone in the build is saying, ‘Well, why? Like, Azure does it this way. And AWS does it that way,’” he said.
“You’re going to find yourself, as a network engineer—especially if you’re coming out of legacy or out of on-prem—you’re going to find yourself in a lot of very awkward conversations about ‘How do we get around this compliance policy?’”
Indeed, Swinford faces similar challenges at Kroger.
“If you are cloud-native, if you’re a startup and you don’t have 100 years of legacy behind you that you need to tie into, that’s great,” Swinford says. “But when you’ve got PCI [payment card industry] and HIPAA and all these other things that you need to worry about, it’s less about this new shiny thing that I can quickly deploy into and more about this is another data center that just so happens to have a lot of tools that I can use. But I still have to live within my compliance-based world.”
Use the right resources to get up to speed on cloud
The panelists offered four primary tips for network pros on getting up to speed on the cloud.
Don’t roll your eyes at the certifications. Experience counts, but CSP certifications are also vital. “I picked up far more when it came to understanding the networking in Azure by sitting through the AZ-500 learning materials,” O’Connor says.
Look at security certifications in particular. These tend to include deeper technical skills like role-based access, blocking traffic, user-defined routing, and service tags and can feel less like a sales pitch, O’Connor noted.
Take advantage of CSP-offered quick starts. The three big CSPs all offer free templates to get started with automated deployment of your cloud architecture. Swinford noted that they’re an easy way to essentially take self-guided tours.
Practice in a lab. Much like yesterday’s labs, which were a mess of experimentation with cables and routers, build the same kind of sandbox in the cloud. For example, build AWS virtual private cloud (VPC) networks with virtual machines and try to connect them. “You’ve got to log in, you’ve got to build something,” Firment says. “Follow the instructions and then do it without the instructions a few times until you kind of get comfortable with tearing it down and building it back up again.”
Think through the tactics to connect your environments
While a hybrid cloud strategy can look great on presentation slides, it doesn’t always align with reality. Cloud DNS can be difficult to stitch together with on-premises DNS. Visibility and control are often lost.
Get mired in the networking-related details
It’s important to ensure that your execution plan matches your strategy. To do that, look to the pros from all sides of your CCoE.
Firment notes there are a bevy of detailed networking-related tactical questions to consider. Each needs a real solution to operationalize:
- How are IP addresses used in VPCs or Azure virtual networks (VNets)?
- How are virtual networks (VPCs or VNets) being managed? Who has that responsibility: the cloud team, the networking team, or both?
- Do both cloud and networking teams have their own IP address management tools?
Choose the right deployment tools (like BlueCat)
Choosing the right deployment tools is critical. In O’Connor’s case, Zurich handles IP address management in a multi-cloud environment with the help of the BlueCat platform to answer these questions.
More specifically, Zurich typically assigns a /15 to each CSP and gives the CCoE rights to reserve subnet blocks within it for the VNets and VPCs. The team also uses Gateway automation to add DNS records as part of the build pipeline for virtual machines in any cloud environment.
“We’re still very early in our path to maturity. We’re still working on our automation of firewalling and more detailed automation of that DNS stuff,” O’Connor said. “But that product gives us a great degree of freedom, because we can literally give the CCoE team access to only the area of the network that we want them to manage. They don’t need to see anything else.
“And they get programmatic API access to that same area based on exactly the same permission set using exactly the same core management infrastructure,” O’Connor added.
It’s this level of detail that you eventually need to prepare for.
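The model O’Connor describes above (a /15 per CSP, the CCoE allowed to reserve subnet blocks only inside that area, and DNS records added by the build pipeline) is easy to reason about once it is written down as rules. The following Python is an added illustration for this recap, not BlueCat’s or Zurich’s code: a small in-memory IPAM that refuses a reservation outside a team’s delegated CSP block, rejects overlapping subnets, and emits the A and PTR records a pipeline would push when a virtual machine is built. The address ranges, team names and DNS zone are constructed assumptions, not Zurich’s allocations.

```python
"""Minimal IPAM delegation model. Added illustration; not BlueCat's or Zurich's code."""
from ipaddress import IPv4Network

# Constructed sample: one /15 per CSP. Hypothetical ranges, not real allocations.
CSP_BLOCKS = {
    "aws":   IPv4Network("10.0.0.0/15"),
    "azure": IPv4Network("10.2.0.0/15"),
}

# Constructed sample: which team may reserve inside which CSP block. The CCoE
# sees both cloud blocks; a hypothetical app team is delegated only AWS.
DELEGATIONS = {
    "ccoe":    {"aws", "azure"},
    "app-dev": {"aws"},
}


class Ipam:
    """Tracks CSP blocks, subnet reservations and host assignments in memory."""

    def __init__(self, csp_blocks, delegations):
        self.blocks = dict(csp_blocks)
        self.delegations = {team: set(csps) for team, csps in delegations.items()}
        self.reservations = {}  # name -> (csp, IPv4Network)
        self.hosts = {}         # IPv4Address -> fqdn
        # Per-CSP blocks must never overlap each other, or routing between
        # clouds and the data center becomes ambiguous.
        blocks = list(self.blocks.values())
        for i, a in enumerate(blocks):
            for b in blocks[i + 1:]:
                if a.overlaps(b):
                    raise ValueError(f"CSP blocks overlap: {a} and {b}")

    def _authorize(self, team, csp):
        """A team may only touch the CSP blocks delegated to it."""
        if csp not in self.blocks:
            raise KeyError(f"unknown CSP {csp!r}")
        if csp not in self.delegations.get(team, set()):
            raise PermissionError(f"{team} has no rights in the {csp} block")

    def _overlaps_existing(self, net):
        return any(net.overlaps(existing) for _, existing in self.reservations.values())

    def reserve(self, team, csp, name, prefixlen):
        """First-fit allocation of a /prefixlen inside the team's delegated CSP block."""
        self._authorize(team, csp)
        parent = self.blocks[csp]
        if prefixlen < parent.prefixlen:
            raise ValueError(f"/{prefixlen} is larger than the {csp} allocation {parent}")
        if name in self.reservations:
            raise ValueError(f"{name} is already reserved")
        for candidate in parent.subnets(new_prefix=prefixlen):
            if not self._overlaps_existing(candidate):
                self.reservations[name] = (csp, candidate)
                return candidate
        raise RuntimeError(f"no free /{prefixlen} left in {parent}")

    def reserve_explicit(self, team, csp, name, cidr):
        """Reserve a caller-chosen CIDR; refused unless it sits inside the delegated block."""
        self._authorize(team, csp)
        net = IPv4Network(cidr)
        if not net.subnet_of(self.blocks[csp]):
            raise PermissionError(f"{net} lies outside the {csp} allocation {self.blocks[csp]}")
        if self._overlaps_existing(net):
            raise ValueError(f"{net} overlaps an existing reservation")
        self.reservations[name] = (csp, net)
        return net

    def allocate_host(self, team, subnet_name, hostname, zone, skip=3):
        """Assign the next free address in a reserved subnet and return the DNS
        records a build pipeline would push: an A record and its PTR. `skip`
        leaves the first usable addresses alone because CSPs reserve them
        (AWS and Azure both reserve .1 to .3 of every subnet, in addition to
        the network and broadcast addresses that hosts() already excludes)."""
        csp, net = self.reservations[subnet_name]
        self._authorize(team, csp)
        fqdn = f"{hostname}.{zone}"
        for i, addr in enumerate(net.hosts()):
            if i < skip or addr in self.hosts:
                continue
            self.hosts[addr] = fqdn
            return [("A", fqdn, str(addr)), ("PTR", addr.reverse_pointer, fqdn)]
        raise RuntimeError(f"{net} has no free host addresses")


if __name__ == "__main__":
    ipam = Ipam(CSP_BLOCKS, DELEGATIONS)
    print(ipam.reserve("ccoe", "aws", "prod-vpc", 22))
    print(ipam.reserve("ccoe", "aws", "dev-vpc", 24))
    print(ipam.allocate_host("ccoe", "dev-vpc", "web01", "cloud.example.test"))
```

The two failure paths are the ones worth watching in a real IPAM: a reservation outside the delegated block (the CCoE asking for an on-premises range, say) is a permissions error, while a request inside the block that collides with an existing subnet is a data error. Keeping those distinct makes the audit trail readable when the networking team later asks why a VNet was refused.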
P.S.: Learn more about how the BlueCat platform can help you take the next step with hybrid cloud management.