1. Introduction
This document describes an approach to managing cloud and on-premise compute infrastructure using the encrypted multi-cloud networking provided by the Camphor Networks Platform. With this architecture, users can both bring cloud costs down and deploy applications across on-premise and public-cloud networks as appropriate.
Sounds exciting? Watch these videos to see the technology at work.
2. Background
Compute resources (virtual machines) are one of the key elements public clouds sell. Providers price virtual machines by vCPU, memory and disk: the more compute consumed, the higher the cost. The compute is only rented, not owned; at the end of the billing cycle the user holds no compute capacity of their own.
The appeal of the cloud lies not only in scalable compute but in the many services that come with it: Security Groups (firewalls), identity management, policy management, SSH key-pair management, cloud monitoring, and so on. Applications come to depend on these services, which ties users to the cloud for good and secures the provider's revenue in the long run.
3. Multi-Cloud Architecture
Typically, on-premise and cloud resources are connected over a cloud VPN gateway (which incurs an additional cost of its own). These gateways are managed by IT organizations and are often a performance bottleneck. Because applications become tied to the cloud features listed above, organizations typically cannot make much use of their on-premise resources at all, even when plenty of CPU, memory and disk sits idle on-premise or in third-party co-located data centers.
4. Camphor Multi-Cloud-Networking Gateway based Architecture
With the Camphor Networks Platform software, users deploy applications across public-cloud and on-premise networks over an encrypted path. The Camphor multi-cloud gateway mirrors a public-cloud virtual machine over the Internet onto an on-premise compute VM. Users consume virtual machines instantiated in the public cloud as if they were hosted on-premise in the networks of their choice, while keeping every other feature of the public cloud.
Camphor Multi Cloud Gateway Architecture Diagram
In the Camphor architecture, you instantiate virtual machines in your public cloud of choice (AWS, GCP, Azure) using your existing workflow. Since compute is the dominant cost in the long run, you can choose the smallest flavor, such as t3.micro in AWS, which provides 2 vCPUs and 1 GiB of memory. On its own such a VM is of little practical use. The Camphor multi-cloud gateway, however, proxies this instance over a TLS 1.3 tunnel onto a corresponding on-premise virtual machine (or bare-metal host).
All traffic that ingresses the cloud VM is transported over the tunnel to its on-premise counterpart, and all traffic egressing the on-premise instance is transported back out through the cloud instance. The cloud VM therefore acts as a network front end only; the resources available to the application are whatever the on-premise counterpart provides.
In the example above, the t3.micro instance in AWS costs around $10 per month ($7 for the instance plus $3 for a public IPv4 address), yet the compute capacity available to applications deployed on it is that of the on-premise counterpart, in this example 32 vCPUs with 64 GB of memory. For comparison, a cloud instance with a similar amount of resources (c3.8xlarge) costs a staggering $1,210 per month.
Note that all traffic egressing the public cloud incurs an additional data-transfer charge of $0.09 per GB. Every packet forwarded from the on-premise instance back out through the cloud VM counts as cloud egress, so if a lot of traffic flows from the on-premise side out through the cloud instance, this charge enters the cost equation. So how can this be optimized?
The Camphor multi-cloud gateway optimizes this further: traffic between proxied instances always stays local, using SDN-based networking. If two on-premise instances exchange data, the data does not go through the cloud gateway; it reaches the target instance directly over a local Camphor SDN overlay network.
This keeps network egress cost to a minimum. Only traffic that actually needs to reach the cloud network egresses over the Internet via the cloud gateway.
5. Storage Management
One of the key features of public clouds is elastic block storage (such as EBS in AWS EC2). A proxied instance running on-premise does not have this natively; instead, the Camphor multi-cloud gateway NFS-mounts a chosen list of partitions from the cloud instance into its on-premise counterpart over the tunnel. Applications write to persistent volumes as they normally would and keep storage features such as instance snapshots. With the default AUTH_SYS security flavor, NFS trusts whatever UID the client presents, so the export should be restricted to the tunnel peer address; confidentiality and integrity on the wire come from the gateway's TLS tunnel, not from NFS itself.
6. IP Addresses Management (IPAM)
The cloud provides IP address management, typically through DHCP: VMs get private addresses on one or more interfaces, each attached to a subnet, and communicate with VMs in the same subnet directly and with other subnets through the VPC router. This service carries over unchanged with the Camphor MCN gateway: the on-premise counterpart VM continues to live on those subnets, obtains the same IP addresses via DHCP from the cloud router, and talks to the cloud router exactly as it would from inside the cloud.
7. Security Groups/Firewalls
Security groups, or firewalls, are one of the key features of public clouds: users declare which ingress and egress traffic an instance may pass, in a flexible and secure way. The Camphor MCN gateway complements this, and users continue to use security groups as they normally do: all traffic that reaches the on-premise counterpart through the cloud VM has first been allowed by the cloud security groups. One caveat follows from section 4: traffic between on-premise counterparts travels over the local overlay and never enters the cloud network, so cloud security groups do not see it. If the same policy is to hold on that path, the on-premise side needs a host or overlay firewall of its own.
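One way to close that gap is to re-express the cloud security group on the on-premise host, so the overlay path is filtered the same way the tunnel path is. The following is an added example, not Camphor's code: it takes rules in the IpPermissions shape that `aws ec2 describe-security-groups` returns and compiles them into an nftables input chain that only applies to the overlay interface. The interface name `cnovl0`, the table name and the sample rules are assumptions for illustration. Rules that reference another security group or a prefix list have no local equivalent, so the compiler refuses them instead of silently dropping them.

```python
"""Compile security-group-shaped rules into an nftables input chain for the local
overlay interface. Added example, not Camphor's code; the dict layout follows the
IpPermissions structure returned by `aws ec2 describe-security-groups`."""
import ipaddress
from typing import Dict, List

OVERLAY_IFACE = "cnovl0"   # assumed name of the on-premise overlay interface

# Constructed sample in the AWS IpPermissions shape: HTTPS from anywhere, a port
# range and ICMP from the VPC CIDR, and every protocol from a corporate range.
SAMPLE_SG = {
    "GroupId": "sg-0example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "172.31.0.0/16"}]},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
         "IpRanges": [{"CidrIp": "172.31.0.0/16"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ],
}


def _cidr(ip_range: Dict[str, str]) -> str:
    """Validate the CIDR so nothing but a well-formed IPv4 prefix reaches the ruleset."""
    net = ipaddress.ip_network(ip_range["CidrIp"])   # ValueError on junk or host bits
    if net.version != 4:
        raise ValueError(f"only IPv4 CidrIp handled here: {ip_range['CidrIp']}")
    return str(net)


def _l4_match(perm: Dict) -> str:
    """Translate the protocol/port part of one permission into an nft match."""
    proto = str(perm["IpProtocol"])
    if proto == "-1":                      # all protocols
        return ""
    if proto in ("tcp", "udp"):
        lo, hi = int(perm["FromPort"]), int(perm["ToPort"])
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {lo}-{hi}")
        return f"{proto} dport {lo}" if lo == hi else f"{proto} dport {lo}-{hi}"
    if proto == "icmp":
        icmp_type = int(perm.get("FromPort", -1))
        return "ip protocol icmp" if icmp_type == -1 else f"icmp type {icmp_type}"
    raise ValueError(f"unsupported IpProtocol {proto!r}")


def permission_to_rules(perm: Dict) -> List[str]:
    """One nft accept rule per source CIDR. Fails closed on rule kinds that cannot
    be expressed locally (references to other security groups, prefix lists)."""
    if perm.get("UserIdGroupPairs") or perm.get("PrefixListIds"):
        raise ValueError("permission references another security group or prefix "
                         "list; no local equivalent, refusing to render")
    l4 = _l4_match(perm)
    rules = []
    for ip_range in perm.get("IpRanges", []):
        cidr = _cidr(ip_range)
        src = "" if cidr == "0.0.0.0/0" else f"ip saddr {cidr}"
        rules.append(" ".join(part for part in (src, l4, "accept") if part))
    return rules


def render_nft(sg: Dict, iface: str = OVERLAY_IFACE) -> str:
    """Render a complete ruleset: default drop on `iface`, everything else untouched
    (the tunnel path is already filtered by the cloud security groups)."""
    lines = [
        "table ip sg_mirror {",
        "    chain overlay_in {",
        "        type filter hook input priority 0; policy drop;",
        f'        iifname != "{iface}" accept',
        "        ct state established,related accept",
        "        ct state invalid drop",
    ]
    for perm in sg["IpPermissions"]:
        lines.extend("        " + rule for rule in permission_to_rules(perm))
    lines += ["    }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_nft(SAMPLE_SG), end="")
```

Load the output with `nft -f` on the on-premise counterpart (a file containing the rendered text). The chain handles ingress only; egress rules from the same security group would be compiled the same way into a chain on the output hook. Because the ruleset is regenerated from the cloud's own description of the group, a change to the security group can be propagated to the overlay by re-running the compiler rather than by hand-editing firewall rules.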
8. Identity Policy Management
In public clouds, VMs can be associated with IAM policies at a fine granularity, which lets users control access to cloud resources effectively. With the Camphor MCN gateway this continues to work: if an instance is granted direct access to cloud storage (such as S3 buckets) through an instance role, without any separate token management, the same applies to its on-premise counterpart VM, because from the cloud's perspective the on-premise VM is the cloud VM. Users keep their cloud IAM policies while the applications actually run on-premise. The flip side is that the on-premise VM, the hypervisor it runs on and the gateway container can all obtain the instance role's credentials: whoever controls them controls the role. The on-premise side therefore sits inside the cloud trust boundary and should be hardened accordingly, and the instance role should be scoped as narrowly as the workload allows.
9. Metadata Service
One of the key aspects of cloud VMs is ready access to a metadata service, typically over a link-local address that is answered by the cloud gateway. This enables bootstrapping, custom data injection and similar tasks in a simple yet secure manner. It continues to work in Camphor MCN instances because link-local packets are also carried securely to the cloud gateway as if they originated from the cloud VM. Two things are worth verifying on the on-premise counterpart: use the token-based IMDSv2 rather than plain unauthenticated GETs, and confirm end to end that the IMDSv2 PUT token request succeeds, because its response is sent with the instance's configured hop limit (default 1) and will not survive any extra routed hop between the cloud VM and the on-premise counterpart.
10. Cloud Monitoring
Another useful feature of cloud VMs is easy and scalable monitoring and alarming. This works for non-cloud VMs too, but for cloud VMs it works out of the box through the instance role and the link-local metadata service described above, with no separate credential management. The Camphor MCN architecture keeps this: the on-premise counterpart publishes custom metrics to the CloudWatch monitoring infrastructure as the cloud instance.
11. On-Premise Virtual Machines Management
To use the Camphor MCN gateway effectively, the on-premise counterpart VM instances must be managed carefully; how this is done varies from one customer environment to another.
Camphor MCN software is microservice-based and works in a variety of environments. All users need to do is run a container at VM launch, giving it the public IP address of the cloud VM counterpart and the RSA private key used to reach it. This microservice sets up everything required to transport data securely and efficiently to the cloud instance counterpart, and it manages the optimized data plane for traffic exchanged between on-premise instances that does not go through the cloud gateway. Since that private key is what lets the container stand in for the cloud VM, keep it out of the container image (mount it read-only at launch), dedicate it to that one purpose, and rotate it when the gateway is redeployed.
Ready-made Terraform configurations will be provided to instantiate and manage the pieces in environments such as OpenStack, VMware vCenter and libvirt on the on-premise side, and AWS, GCP and Azure on the public-cloud side.
12. Use Cases
Any compute-heavy cloud deployment is a good use case for the Camphor MCN gateway architecture. It is especially attractive where GPUs or other specialized hardware are needed, as is common in modern applications, since customers can install whatever hardware they need without paying the public-cloud premium for it while keeping everything else the cloud provides. With carefully designed autoscaling groups, users can draw on both cloud and on-premise resources to get the best overall performance at the lowest cost.
- Network/Application Load Balancer
A typical use case is a cloud load balancer that receives customer traffic while the backend workloads are spread across cloud and on-premise instances using the Camphor MCN gateway described above.
- GPU for AI Data Processing
GPUs for AI data processing are very expensive in the cloud, where providers keep a significant margin on such hardware. With Camphor MCN, users can put on-premise GPUs into their compute instances in a fully flexible manner.
- Kubernetes
One of the key features of public clouds is a fully managed Kubernetes service: the cloud runs the control plane, typically for a fixed fee per cluster (around $75 per month), and the main cost comes from the worker nodes that actually host the workload containers. Those nodes are typically cloud VMs, and for them the Camphor MCN gateway changes the cost equation entirely. Today Camphor Networks supports deployment with Elastic Kubernetes Service (EKS) from AWS and Google Kubernetes Engine (GKE) from Google; Azure's and Oracle's offerings are in the pipeline and will be available shortly.
13. Performance Characteristics of the Multi-Cloud Gateway
Source VM: GCP (Los Angeles) e2-medium (2 vCPUs, 4 GiB), standing in for an on-premise OpenStack VM of unlimited capacity
Destination VM: AWS (Ohio) t3.micro (2 vCPUs, 2 GiB as listed; the instance-identity document below reports t3.small)
Path: through the Camphor multi-cloud gateway proxy VM in AWS (Ohio), t3.large (4 vCPUs, 16 GiB as listed)
Result: from GCP (Los Angeles) to the private address of the AWS (Ohio) instance, 1.2 Gbit/s through the secure camphor-mcn-gateway, at a peak of 42% utilization of a single vCPU. Tested directly against the target instance's public IP address, without the gateway, 3.82 Gbit/s was achieved.
Here is the metadata as received from the local provider (GCP in this case):
curl -sf --interface ens4 -H "Metadata-Flavor: Google" http://169.254.169.254/computeMetadata/v1/instance/network-interfaces/0/ip
10.168.0.2
Here is the metadata as received from the remote provider, from the same VM. Isn't this really cool!
curl --interface cneth1 -sf http://169.254.169.254/latest/dynamic/instance-identity/document
{
  "accountId": "369398234234",
  "architecture": "x86_64",
  "availabilityZone": "us-east-2a",
  "billingProducts": null,
  "devpayProductCodes": null,
  "marketplaceProductCodes": null,
  "imageId": "ami-09040d770ffe2224f",
  "instanceId": "i-0e492bb61b46ba190",
  "instanceType": "t3.small",
  "kernelId": null,
  "pendingTime": "2024-06-06T23:40:19Z",
  "privateIp": "172.31.1.186",
  "ramdiskId": null,
  "region": "us-east-2",
  "version": "2017-09-30"
}
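The curl above fetches the identity document with an unauthenticated GET, the IMDSv1 style, and it is also the kind of request that, in this architecture, hands an on-premise host the cloud instance's role credentials (sections 8 and 9). The following is an added example, not Camphor's code, of how a bootstrap script on the on-premise counterpart should talk to the metadata service instead: IMDSv2 only (a PUT for a session token, the token on every GET, one refresh on a 401), the socket pinned to the tunnel interface the way `curl --interface cneth1` does, and a fail-closed check that the document names the expected account and region before anything trusts the environment. The transport is injectable, so the token logic is exercised offline against a constructed stand-in for the metadata service; the interface name `cneth1` and the field values come from section 13, and `identity_matches` is an illustrative check, not an AWS API.

```python
"""IMDSv2 client pinned to one interface, with an injectable transport so the
token and refresh logic can be exercised offline. Added example, not Camphor code."""
import http.client
import json
import socket
from typing import Callable, Dict, Optional, Tuple

IMDS_HOST = "169.254.169.254"
TOKEN_PATH = "/latest/api/token"
TOKEN_HDR = "X-aws-ec2-metadata-token"
TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_TTL = "21600"   # seconds; six hours is the IMDSv2 maximum
IDENTITY_PATH = "/latest/dynamic/instance-identity/document"

# A transport maps (method, path, headers) to (status, body).
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, bytes]]


class BoundHTTPConnection(http.client.HTTPConnection):
    """Plain HTTP connection whose socket is pinned to one interface with Linux
    SO_BINDTODEVICE, the equivalent of `curl --interface cneth1`."""

    def __init__(self, host: str, interface: Optional[str], timeout: float):
        super().__init__(host, timeout=timeout)
        self._interface = interface

    def connect(self) -> None:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(self.timeout)
        if self._interface:   # must be set before connect(); needs CAP_NET_RAW
            sock.setsockopt(socket.SOL_SOCKET, getattr(socket, "SO_BINDTODEVICE", 25),
                            self._interface.encode())
        sock.connect((self.host, self.port))
        self.sock = sock


def live_transport(interface: Optional[str]) -> Transport:
    """Transport that talks to the real metadata service via `interface`."""
    def send(method: str, path: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
        conn = BoundHTTPConnection(IMDS_HOST, interface, timeout=2.0)
        try:
            conn.request(method, path, headers=headers)
            resp = conn.getresponse()
            return resp.status, resp.read()
        finally:
            conn.close()
    return send


class ImdsClient:
    """IMDSv2 only: every GET carries a session token; one 401 triggers a refresh."""

    def __init__(self, transport: Transport):
        self._send = transport
        self._token: Optional[str] = None

    def _refresh_token(self) -> None:
        status, body = self._send("PUT", TOKEN_PATH, {TTL_HDR: TOKEN_TTL})
        if status != 200:
            # First thing to check through a tunnel: the PUT response is emitted
            # with the instance's hop limit (default 1) and may never reach us.
            raise RuntimeError(f"IMDSv2 token request failed: HTTP {status}")
        self._token = body.decode()

    def get(self, path: str) -> bytes:
        if self._token is None:
            self._refresh_token()
        status, body = self._send("GET", path, {TOKEN_HDR: self._token})
        if status == 401:                     # expired or rejected token: retry once
            self._refresh_token()
            status, body = self._send("GET", path, {TOKEN_HDR: self._token})
        if status != 200:
            raise RuntimeError(f"GET {path}: HTTP {status}")
        return body

    def identity_document(self) -> dict:
        return json.loads(self.get(IDENTITY_PATH))


def identity_matches(doc: dict, account_id: str, region: str) -> bool:
    """Bootstrap gate: proceed only if the document names the expected account and
    region. This checks claimed values only; origin is proven by the PKCS7 signature
    served at /latest/dynamic/instance-identity/pkcs7, which is not verified here."""
    return doc.get("accountId") == account_id and doc.get("region") == region


# Constructed stand-in for the metadata service (offline use only). Field values
# are copied from the identity document shown in section 13.
SAMPLE_DOC = {"accountId": "369398234234", "region": "us-east-2",
              "instanceId": "i-0e492bb61b46ba190", "instanceType": "t3.small"}


def fake_imds_transport(doc: dict, uses_per_token: int = 1) -> Transport:
    """Honours each token `uses_per_token` times, then answers 401 so the refresh
    path is exercised; unauthenticated GETs (the IMDSv1 style of a plain curl)
    are refused outright."""
    state = {"issued": 0, "valid": {}}

    def send(method: str, path: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
        if method == "PUT" and path == TOKEN_PATH:
            if TTL_HDR not in headers:
                return 400, b""
            state["issued"] += 1
            token = f"tok-{state['issued']}"
            state["valid"][token] = uses_per_token
            return 200, token.encode()
        token = headers.get(TOKEN_HDR)
        if not token or state["valid"].get(token, 0) <= 0:
            return 401, b""
        state["valid"][token] -= 1
        return (200, json.dumps(doc).encode()) if path == IDENTITY_PATH else (404, b"")

    send.state = state   # lets a caller inspect how many tokens were issued
    return send
```

On a real counterpart, `ImdsClient(live_transport("cneth1")).identity_document()` performs the same fetch as the curl in section 13, but with a session token; if the constructor's first call fails on the PUT, the hop limit described in section 9 is the first thing to check. The fake transport deliberately refuses token-less GETs, which is exactly what an instance configured with IMDSv2 required (HttpTokens=required) does, and is the setting to use on any instance whose metadata path extends off the cloud network.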