Enterprises usually have multiple partners for different services and applications. Traditionally, enterprises connected to their partners' IT services from their on-prem data centers. As partners migrate their data centers to the cloud, a cloud-based solution is required to connect to the partner IT services and applications. The following requirements are essential for any enterprise that integrates its network with a partner or third-party network:
- The enterprise network is segregated from the partner's network
- Partners do not see other partners' information
- Enterprises can share shared services with all their partners
- Only the applications and application sub-modules that require partner access are exposed to the partner network
- Enterprise-to-partner communication is secured by inserting a firewall for traffic inspection
Figure 1: CSP Native Solution for Partners
Cloud Native Connectivity
Many enterprises have used their data centers to build partner connectivity using IPsec connections. Since many of these applications are now hosted in the cloud, a cloud-based connectivity solution is required to build these connections.
Segmentation & Microsegmentation
Enterprise customers have multiple partners that connect to access the same resources and applications. These partner networks must be kept isolated so that a partner cannot reach resources it does not require.
An example is an application that needs to communicate with multiple billing partners. Since the same resource must talk to several partners, only that specific communication should be allowed, and segmentation is required to ensure the partners cannot communicate with each other.
Enterprise partners also need access to certain shared resources, such as Active Directory and authentication services, and the enterprise will want this traffic inspected by firewalls.
Overlapping IP addresses
Enterprise customers have partnerships with several entities for business reasons. This creates a challenge of overlapping IP addresses when many entities or partners use the same IP address ranges across their networks and need to access shared resources or applications.
Alkira Cloud Area Networking for Partners
Alkira Cloud Area Networking is the first global unified multi-cloud network delivered as-a-service. Alkira seamlessly solves connectivity for partners or any third-party entity.
Figure 2: Alkira Cloud Area Networking for Partners
IPsec connections from third-party clients can be terminated on the Alkira Cloud Exchange Points. Alkira's solution also allows inspecting and steering traffic between on-premises and cloud or multi-cloud environments.
Figure 3: Resource Sharing based on subnets between partner segment and VPC segment
In the above diagram, Partner 1 and Partner 2 use the same IP address to access the shared resource; hence, NAT is required to ensure communication between the shared resources and the partners. The shared VPC is placed in a separate segment, Segment 4, and its workloads can be shared with other segments using resource sharing.
The partner segment has multiple partners connecting that want to access the shared resources in Segment 4.
Also, since all partner networks are isolated from each other by segmentation, each partner can reach only the resources and workloads it requires. Segment 5 has resources in a VPC, and with resource sharing there is flexibility to share prefixes with other segments.
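To make the segmentation plus NAT behaviour described above concrete, here is a small added Python model (not Alkira's code or configuration): two partner segments that both use the same internal prefix, a shared VPC segment, resource-sharing rules that allow only partner-to-shared-VPC flows, and a NAT that gives each partner a unique translated source address. Segment names, prefixes and NAT pools are constructed for illustration.

```python
import ipaddress

# Constructed topology: both partners use 10.1.0.0/24 internally (overlapping),
# the shared-services VPC lives in segment4, and each partner segment is given
# its own non-overlapping NAT pool for traffic that crosses into a shared segment.
SEGMENTS = {
    "partner1": {"prefix": ipaddress.ip_network("10.1.0.0/24"),
                 "nat_pool": ipaddress.ip_network("100.64.1.0/24")},
    "partner2": {"prefix": ipaddress.ip_network("10.1.0.0/24"),
                 "nat_pool": ipaddress.ip_network("100.64.2.0/24")},
    "segment4": {"prefix": ipaddress.ip_network("10.200.0.0/24"),
                 "nat_pool": None},
}

# Resource-sharing rules: (source segment, destination segment) -> prefixes the
# source may reach. There is deliberately no rule between partner1 and partner2.
SHARE_RULES = {
    ("partner1", "segment4"): [ipaddress.ip_network("10.200.0.0/24")],
    ("partner2", "segment4"): [ipaddress.ip_network("10.200.0.0/24")],
}

# Reverse NAT table so replies from the shared VPC reach the correct partner.
_REVERSE = {}

def nat_pools_disjoint() -> bool:
    """Sanity check: translated partner addresses must never collide."""
    pools = [s["nat_pool"] for s in SEGMENTS.values() if s["nat_pool"]]
    return all(not a.overlaps(b) for i, a in enumerate(pools) for b in pools[i + 1:])

def nat_source(seg: str, src: str) -> str:
    """Translate src in segment seg into its NAT pool, preserving the host offset."""
    s = SEGMENTS[seg]
    if s["nat_pool"] is None:          # segment with no pool is not translated
        return src
    offset = int(ipaddress.ip_address(src)) - int(s["prefix"].network_address)
    translated = str(s["nat_pool"].network_address + offset)
    _REVERSE[translated] = (seg, src)
    return translated

def forward(src_seg: str, src: str, dst_seg: str, dst: str) -> tuple:
    """Decide whether a cross-segment flow is allowed; return (verdict, source seen by dst)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in SEGMENTS[src_seg]["prefix"]:
        return ("DENY", "source address not in its own segment")
    shared = SHARE_RULES.get((src_seg, dst_seg), [])
    if not any(dst_ip in p for p in shared):
        return ("DENY", "no resource-sharing rule")   # partner-to-partner lands here
    return ("ALLOW", nat_source(src_seg, src))

def reply_target(translated_src: str):
    """Map a NATed address back to (segment, original address) for the return flow."""
    return _REVERSE.get(translated_src)
```

In a real deployment the firewall inspection mentioned in the text sits between the NAT step and the shared segment; this model only shows the routing and translation decisions.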
Alkira Solution Benefits
Alkira can provide isolation of workloads and communication to and from partners. Traffic across segments can be inspected as well. Since a segment represents a unique routing and policy space, maintaining isolation becomes seamless for customers.
Refer to this blog for more details about cloud network segmentation.
Seamless Firewall Integration
Alkira provides seamless integration with vendors like Fortinet, Check Point, Palo Alto and Cisco for traffic inspection of any type of traffic flow. Enterprises get a significant advantage because they do not have to bring up separate firewalls for each traffic flow. Autoscaling is also part of the solution, which scales the firewalls up or down depending on demand.
For more details, please refer to this blog about multi-cloud inline traffic inspection.
Advanced Overlapping IPs Solution
The Alkira CXPs, or Cloud Exchange Points, form a networking fabric in the cloud to which you can connect on-premises sites, such as SD-WAN or standard IPsec sites, and your cloud networks using native constructs. Overlapping IP spaces are allowed on the CXPs. Once these on-prem sites and cloud networks such as VPCs or VNets are connected to the Alkira CXPs, Alkira's policies can be applied to them network-wide, and NAT is part of that policy.
For more details, please refer to this blog about solving overlapping IPs in a multi-cloud environment.
With the Alkira solution, customers can use the Resource Sharing feature to handle the shared-services use case. Resource sharing lets them choose specific resources by identifying the network prefixes to be shared between two segments, with the additional option of having an inline firewall inspect the shared traffic.
For more details, please check out our blog on resource sharing.
Alkira Cloud Area Networking infrastructure seamlessly provides enterprises with access to partners for different applications.
Reach out and schedule a demo today to learn more about how Alkira can help simplify cloud area networking for your organization. You can also try our Cloud Insights tool for free, giving instant inventory and insights into your cloud networking resources.