Networking for the Cloud with Alkira Cloud Network as-a-Service
The Alkira Cloud Services Exchange® (Alkira CSX) serves as the foundation for Alkira Cloud Network as-a-Service. It consists of a highly available and resilient cloud backbone of globally interconnected Alkira Cloud Exchange Points (Alkira CXPs), virtual multi-cloud points of presence with a full routing stack and network services capabilities, and an Alkira CSX Portal.
Users, sites, data centers, regional SD-WAN fabrics, colocations, public clouds, network and security services, and SaaS/Internet exit points connect to the global network through the geographically closest Alkira Cloud Exchange Point™.
Integrated stateful security services, coupled with the end-to-end segmentation capabilities offered by the Alkira CSX, allow enterprises to consistently secure on-premise, hybrid and multi-cloud environments. The Alkira Cloud Services Exchange Portal offers a modern graphical interface for all design, provisioning, and day-2 operational needs.
Figure 1: Alkira Cloud Network as-a-service
Cloud Networking Solution Use Cases
Connect Users and Sites to Public Clouds
Alkira Cloud Backbone, part of Alkira Cloud Services Exchange, offers high-speed, low-latency transport between remote users, on-premises sites and cloud instances. On-premise sites can be a mix of home offices, branch offices, campuses, data centers and colocation facilities. Public cloud instances can be a mix of AWS VPCs, Microsoft Azure VNets and GCP VPCs. Public cloud workloads can also reside in a single public cloud across one or multiple geographic regions.
- Organizations looking to provide remote VPN access to cloud instances can do so by leveraging the Alkira elastic zero trust network access solution. Remote users establish an SSL VPN connection to the closest Alkira Cloud Exchange Point where the service has been instantiated. Access policy is enforced at the point of connectivity through [micro] segmentation and optional firewall inspection. The Alkira solution minimizes the use of last-mile Internet by allowing remote VPN users to hop on Alkira’s high-speed, low-latency global cloud backbone at the closest location, which improves overall network performance
- Organizations looking for the simplest method of connecting on-premises sites to public cloud resources can do so by leveraging IPsec tunnels over the Internet. IPsec tunnels are provisioned at each remote site router and terminated at the geographically closest Alkira Cloud Exchange Point. The Alkira solution generates the required configuration to be applied to the remote site router
- Organizations wishing to continue relying on MPLS for providing WAN connectivity between on-premises sites can still leverage the Alkira solution for cloud connectivity. In this case, regional hand-offs are established between the MPLS network and the closest Alkira Cloud Exchange Points by leveraging IPsec tunnels over the Internet
- Organizations deploying an SD-WAN fabric can leverage automated connectivity to public cloud resources through the Alkira Cloud Services Exchange. The SD-WAN fabric is automatically extended into one or more Alkira Cloud Exchange Points of your choosing. This allows creating regional hand-offs between the SD-WAN fabric and the Alkira Cloud Services Exchange to access the connected cloud instances. The Alkira solution also supports connecting together multiple regional SD-WAN fabrics from a single vendor or from different vendors, which expedites mergers and acquisitions or divestitures. SD-WAN segmentation is seamlessly extended into the Alkira cloud backbone, maintaining overall segmentation between SD-WAN connected on-premise sites and the public cloud instances, as well as between the public cloud instances themselves
- Organizations leveraging colocations for cloud connectivity can leverage the AWS Direct Connect service to connect to the closest Alkira Cloud Exchange Point. Once connected, organizations can access all cloud instances (AWS, Microsoft Azure and GCP) globally connected to the Alkira Cloud Services Exchange
Based on the specifics of the network design, organizations can leverage all methods of connectivity between remote users, on-premises sites and public cloud instances at the same time. Security in the form of encryption, end-to-end network segmentation and firewall service insertion is provided for all means of connectivity between remote users, on-premises sites and public cloud instances connected to the Alkira solution.
Figure 2: Users, Sites and Public Clouds
Single Cloud and Multi-Cloud Networking
Alkira Cloud Services Exchange offers high-speed, low-latency cloud backbone connecting all public cloud instances. Public cloud instances can be a mix of AWS VPCs, Microsoft Azure VNets and GCP VPCs. Public cloud instances can also reside in a single public cloud across one or multiple geographic regions.
Alkira CSX automatically discovers AWS VPCs, Microsoft Azure VNets and GCP VPCs based on the cloud credentials provided by the administrator. Once discovered, an administrator can simply select the desired cloud instances to be connected to the Alkira Cloud Services Exchange. After the network has been provisioned, Alkira Cloud Services Exchange automatically distributes the required network reachability, so all public cloud instances can immediately communicate with each other.
Figure 3: Cloud Networking
Based on the design requirements, organizations can insert network services, such as stateful firewalls, into the Alkira Cloud Services Exchange and leverage Alkira intent-based policies to steer the desired traffic between single or multi-cloud instances to the network services nodes.
Regional SaaS/Internet Access
Alkira Cloud Services Exchange offers regional Internet exit points for optimal access to Internet resources and SaaS applications. The exit points are distributed throughout the global reach of the Alkira Cloud Services Exchange. Organizations can decide on whether to allow or disallow SaaS/Internet access. If such access is allowed, it will be delivered at the geographically closest Alkira Cloud Exchange Point where particular remote sites or public cloud instances are connected.
Alkira intent-based policies can be leveraged to provide application-aware security policy to deny non-business critical application traffic based on deep packet inspection capabilities in the Alkira Cloud Exchange Points. Application traffic can also be forwarded to the next generation firewalls instantiated in the Alkira Cloud Exchange Points for further inspection. Organizations can leverage both application-aware security policy and firewall inspection in any given design.
The use of geographically distributed SaaS/Internet access coupled with stateful cloud firewall security eliminates the latency penalty experienced by the users at remote sites when such traffic is backhauled through the data center.
Figure 4: Secure Regional SaaS/Internet Access
Alkira Cloud Services Exchange offers end-to-end network segmentation capabilities that allow grouping remote users, on-premises sites, public cloud instances, network services and SaaS/Internet exit points into specific network connectivity segments. Once defined, segments immediately span the entire global multi-cloud network provisioned across the Alkira Cloud Services Exchange.
All segments are fully isolated from each other. However, certain design scenarios call for inter-segment connectivity to accommodate application services shared across segments. The use cases around inter-segment connectivity are mergers and acquisitions, divestitures, partner connectivity and IT-as-a-service.
For organizations leveraging SD-WAN solutions, SD-WAN segmentation can be seamlessly extended into the Alkira Cloud Services Exchange. It creates a contiguously segmented environment, even for cases where the SD-WAN fabric does not provide full end-to-end connectivity.
The concepts of segmentation are also extended to the network services nodes provisioned in Alkira Cloud Services Exchange. This allows network services nodes, like the next generation firewalls, to inspect the traffic within a given segment [micro-segmentation] or across multiple segments.
Figure 5: End-to-End Segmentation
Steps To Establish Global On Demand Cloud and Multi-Cloud Network Connectivity
Registering for Alkira Service
Registering for Alkira service is the first step to enabling global on demand cloud and multi-cloud connectivity.
- Navigate to https://www.alkira.com and register your company
- Click on the link in the registration confirmation email and create an administrative account
- Log into Alkira portal to start designing your network
Point-and-Click Global On Demand Multi-Cloud Network
With Alkira Cloud Network as-a-Service, your cloud and multi-cloud network is offered as-a-service, on demand, when and where you need it. You do not need to procure any additional hardware equipment (just use your existing routers), install any additional software or learn any cloud architecture. Your entire global network is modeled through the intuitive Alkira Portal in a point-and-click fashion.
- Select on the global map the locations in which your network is present. Alkira Cloud Exchange Points (Alkira CXPs) are geographically distributed around the world. Your cloud and on-premise locations are never too far from our closest point of presence
- Point-and-click to discover and connect your existing public cloud instances to the closest Alkira Cloud Exchange Point. We currently support AWS VPCs, Microsoft Azure VNets and Google Cloud Platform VPCs. Once connected, all cloud instances can immediately communicate with each other across the Alkira Cloud Services Exchange
- Point-and-click to connect your remote users and on-premises sites to the closest Alkira Cloud Exchange Point for optimal secure cloud networking. Your on-premises sites can be any combination of home offices, branches, campuses, data centers, colocation facilities, etc. We currently support SSL, IPsec, SD-WAN and AWS Direct Connect as methods of last mile connectivity. Once connected, all remote users and on-premises sites can immediately communicate with all connected cloud instances
- Optionally, add SaaS/Internet access with Cloud Firewall security. SaaS/Internet access will be optimally provided through the closest Alkira Cloud Exchange Point to eliminate any data center backhaul latency penalties and avoid causing data center network bandwidth starvation
- Optionally, create additional network segments. Once created, segments span the entire global network and provide end-to-end isolation. Remote users, on-premises sites, cloud instances, network services and SaaS/Internet exit points can be mapped to a particular segment. For SD-WAN, SD-WAN segmentation can be extended into the Alkira Cloud Services Exchange. You can now move your compliance and sensitive secure applications to the cloud with confidence
The Alkira Cloud Services Exchange fully embraces cloud-native constructs of the public clouds while eliminating restrictive cloud and multi-cloud network and security limits organizations may encounter when configuring cloud networking in a do-it-yourself fashion.
Provisioning the entire global on demand multi-cloud network is done in a single click. Alkira Cloud Services Exchange will automatically instantiate all the necessary elements required to establish global on demand multi-cloud network connectivity (and network services), based on the previously created point-and-click design. Alkira service billing will start incurring charges after all cloud infrastructure elements have been provisioned.
Based on the extent of network design, for example the number of geographic locations, remote sites, public cloud instances and network services, the provisioning cycle oftentimes takes less than an hour. Alkira Portal provides a progress bar to keep you updated on the provisioning cycle. Your global multi-cloud network is ready for use immediately after the provisioning cycle completes.
Alkira Cloud Network as-a-Service allows organizations to turn networking and security from a business inhibitor to a business enabler, while providing the following main benefits.
- Faster time to cloud reduces deployment time from months to minutes in full alignment with business SLAs
- High bandwidth, low latency network between remote users, on-premises sites, public clouds (AWS, Microsoft Azure and GCP) and SaaS/Internet applications, and between multiple public clouds or multiple regions of the same public cloud
- Eliminate cloud-specific limitations by building a multi-region, multi-cloud overlay network, leveraging cloud-native and advanced routing and security constructs
- Global security policy enforcement by leveraging firewalls of choice and global symmetric traffic steering
- Elasticity to accommodate on demand capacity, e.g. periodic high-volume data transfers, seasonal retail customer uptake, etc.
- End-to-end segmentation between remote sites, public cloud instances, cloud network services and SaaS/Internet exit points for compliance and sensitive or secure applications
- Pay as you go/subscription consumption cost model to ensure customers are charged for only the network and network services resources they actually consume
- High availability and resiliency backed up by high uptime service guarantee
- Full visibility to eliminate operational blind spots and improve day-2 operations
Alkira® Network Cloud, powered by Alkira Cloud Services Exchange®, is the industry’s first solution offering global unified network infrastructure as-a-service. With Alkira, enterprises can have a consistent and significantly simplified experience deploying a global cloud network for end-to-end and any-to-any network connectivity across users, sites, and clouds with integrated network and security services, full day-2 operational visibility, advanced controls, and governance. The entire network is drawn on an intuitive design canvas, deployed in a single click and is ready in minutes!
The Network. Reinvented for Cloud.®