Oh Hello VPN-Cubed 2.0

VPN-Cubed 2.0 has arrived. Why 2.0? This release is a direct result of over two years of interaction with our customers understanding the specific requirements of use-cases from various industry verticals and geographies. VPN-Cubed 2.0 represents a major step forward adding functionality like the new Manager Firewall and API compatibility (more on those later).

As Pat outlined in his User Cloud posts (Part 1 | Part 2), cloud computing (of course I'm talking IaaS), is a multi-layer environment with distinct separation of concerns between the physical providers, virtual providers, and the cloud users. VPN-Cubed focuses on the cloud user or cloud tenant. The model for traditional network devices is the big metal boxes we have worked with all these years. On the flip side, virtual networking, driven by the needs of enterprise application topologies, is a new use-case and implementing it takes some real lateral thinking. Virtual networks can be anywhere, anytime and they provide critical control functions for enterprises in the increasingly agile and often anonymous world of virtual/cloud infrastructure. VPN-Cubed 2.0 is the enterprise-ready networking solution for the User Cloud.

What's new in 2.0?
Below are some of the user experience improvements in this release. We have also updated the IPsec subsystem in the Datacenter Connect Editions.

Manager Firewall

We have added firewall capabilities at the Manager level to control traffic into and out of the VPN-Cubed Overlay Network. This adds an additional layer of security and control to your cloud deployments. The Manager Firewall is controlled via the Manager UI using IPTables syntax.

Manager API

The API provides programmatic access to the Manager and the overlay network. Configuration steps previously done via the Manager UI can now be performed via the command line or by script. See the Scriptable Overlay Networks post for more information on how the API can work with Context-Cubed.

The API tool can be downloaded (ZIP | TAR) on the VPN-Cubed Edition pages along with documentation (Cloud Only | Datacenter Connect).

Increased Access to Logs

Links to the logs is now provided via the UI making it easier for users to perform required monitoring and maintenance.

External Ping

Datacenter Connect Editions now come with an External Ping capability for configurations where a nearly permanent IPsec tunnel is required. The External Ping function sets up a continuous ping from the Manager to a destination behind the datacenter-based extranet device. The ping serves to keep the tunnel up by continually sending tunnel traffic.

Topology Naming

Many of our customers have complex deployments with multiple Managers and multiple overlay networks. Topology naming allows alpha numeric naming of individual topologies and Managers displayed on the Manager UI.

All new features are explained in the updated configuration documentation available for download in each Edition's launch instructions section on the website. Visit the VPN-Cubed homepage to see which Edition is right for your use-case.

Welcome to the User-Cloud (Part 2)

Disclaimer: I am talking about IaaS when I use the term "cloud" in this post.

A quick recap from Part 1 where I was outlining what I see as:

The new "separation of concerns"

If you think about it, when you are using a public cloud like Amazon Web Services (AWS) – the team of people running the physical infrastructure have no direct interaction with your application topology; and you don't want them to.

The teams of people running your virtual infrastructure at AWS have ALMOST no interaction with your application topology; and you don't want them to. They see your topology from “below”, they see a clump of x86 VM workloads, and have no knowledge of the semantics of your application topology, and in fact shouldn't.

You, in the user-cloud, know the semantics of your application, you know how it scales, you know where it came from, where it is going, and whether it can migrate from region to region or country to country. And to date you have used either your own self-developed knowledge of EC2, private Eucalyptus, Terremark, etc.., or you used Rightscale or CohesiveFT, or one of the other tooling sets that fit in the category Gartner calls “Cloud Management Platform”.

I believe this is an industry wide trend, and basically creates a new “separation of concerns” in how IT functionality is provided both by vendors and IT staffs, and how IT functionality is consumed (pictured below).

But this gives rise to the question....

Where should my virtual infrastructure and its providers fit in?

We know that a Public Cloud as my underlying physical infra provider cannot take any specific knowledgeful action on my applications, nor do I want them to. It is the same with Public Cloud companies in the role as my virtual infrastructure provider, other than a nominal number of very narrow geographic recovery actions.

What about in my Private Cloud? Today the Private Cloud (agile virtual infrastructures running in my own datacenters or co-lo centers) is often mimicking existing centralized IT behaviors. In this model, a line of business (LOB) or application owner has to go “hat in hand” to centralized IT to make deployments happen.

I would argue this is an evolutionary artifact which will succumb in the face of Enterprise IT successfully evolving into comprehensive virtual infra providers. Imagine if you will, the “private cloud pixies” come overnight and magically transform all of your available x86 hardware stock into one global, integrated/federated, api-driven, virtualized fabric. All of a sudden you would realize how the "frozen chunks of metal" in your physical layer (servers, storage arrays, routers, switches, etc.) had come to define the structure of your business, your control mechanisms, and your attempts at knowledgeful centralization of the application layers. As these devices become only a conveyance for virtualized compute, virtualized storage and virtualized networking – instantly the application layer accelerates to a speed and fluidity that provides poor grasp for IT staff and even less tractable control for an ISV infrastructure that perceives reality from below.

Application owners, managing from “above” know their application, its topology and are best able to deploy it to some set of described resources. These described resources (available VM slots at the simplest) probably are detailed with respect to computer power, memory availability, geography if not legal jurisdiction, storage availability, LAN speed, network edge speed, etc..

The IT operations team (which could report to centralized IT or the LOB) which knows the application best, is best positioned to bring agility and satisfaction to the application owners.

This is the next battleground for the hearts and minds of the buyers of virtual infrastructure in the enterprise. On one hand, public cloud vendors viscerally perceive the new separation of concerns. They do not want their physical infra or virtual infra staff concerned with the discrete details of any one customer's application workload.

Yet, the private cloud vendors and the incumbent virtual infrastructure providers (centralized Enterprise IT) are aligned in wanting to manage the application topology (and accordingly the Line of Business) from the middle as it were. For the IT team running the virtual infrastructure – they are avoiding “giving up” of something they fear to give up. For the virtual infra ISV, they avoid having to find and negotiate with a new buyer. They avoid having to engineer products from the top, that can integrate with their products from the middle.

This picture shows the current trend. Virtual infra providers bringing to market feature sets from the middle (as pictured vDog, vCat and vMagic) putatively to meet the needs of the user-cloud, the cloud tenants.

I don't like this approach. Perhaps, in a self serving sense, I am against this because it means more competition for CFT and others in the Gartner-dubbed "Cloud Management Platform space". But it is more than that. It is a violation of the new and powerful separation of concerns which is playing out quite nicely in AWS / Public Cloud space today and should have its chance in the private cloud space as well.

I am not against the virtual infra ISVs coming up with products for the user-cloud. I am happy for them to deliver a line of “u” products (user-cloud products); uDog, uCat and uMagic that use the public, published APIs of their “v” product counterparts.

What are examples of good "vDogs" or "uDog" counterparts? For one I would say Amazon's SimpleDB. It is a platform service provided from the middle, owned, operated and controlled from the middle - and can be used by application creators to create their own user-cloud applications which they can control. From the same vendor comes a good "uDog", Amazon RDS (Relational Database Service). It is provided at the user-cloud level and it is managed and controlled by the application owner. Another good "vDog" is Amazon VPC (virtual private cloud). Again, it is owned and operated in the midldle, powerful, yet comes with lessened customer control just like its database counterpart. Amazon's ecosystem provides the corresponding "uDog", CohesiveFT's VPN-Cubed; owned, operated, and controlled in the user-cloud level. As I said in my previous post, horses for courses (vHorses?). I won''t point out bad vDogs and vCats here - but they are out there and I recommend thinking through their usage and their violation of the operational planes of control public and private cloud is now affording us.

When we give the cloud application owners control from above, and virtual infrastructure providers stick to managing at the workload level from below, I believe it encourages innovation in enterprise IT organization, innovation in features and functions for managing application topologies, and better interoperability and integration between cloud vendors; whether from the virtual infra or user-cloud perspective.

If we take advantage of the new separation of concerns being afforded us by the emergence of three distinct planes of operational control; physical, virtual and user, then I think we have a chance of maximizing enterprise agility and ROI as they engage in the world of public, private and hybrid cloud infrastructures.

If you are looking for me, you will find me with the rest of the CFT team, in the user-cloud.

Welcome to the User-Cloud (Part 1)

Disclaimer: I am talking about IaaS when I use the term "cloud" in this post.


Welcome to the world of cloud tenancy – where we (we being people who use the cloud as opposed to people who provide the cloud) are shared tenants of increasingly powerful virtual, agile, api-driven and anonymous compute and storage mechanisms. This is an area where I continue to see confusion in how people look at the world of IaaS (hereafter called “cloud” in this post). In the picture below is CohesiveFT's (CFT) simple model of the market structure where we have the physical layer (been around for ever), the virtual infrastructure layer (been around in growing forms for 10+ years, dominated by VMware), and the user-cloud or cloud-tenant layer (relatively new). By user-cloud, I don't mean the end user of the application, rather the person or team responsible for the application topology being run on the cloud.

The new "separation of concerns"

If you think about it, when you are using AWS – the team of people running the physical infrastructure have no direct interaction with your application topology; and you don't want them to.

The teams of people running your virtual infrastructure at AWS have ALMOST no interaction with your application topology; and you don't want them to. The virtual infra provider team might be making snapshots of your VM's and Storage as part of their cloud service. They might do some sort of LAN-based server motion where they move your VM's 10 to 50 feet from Server A to Server B, if it appears Server A is about to fail. Other than that – you don't want their involvement – what could they do? They see your topology from “below”, they see a clump of x86 VM workloads, and have no knowledge of the semantics of your application topology, and in fact shouldn't.

You, in the user-cloud, know the semantics of your application, you know how it scales, you know where it came from, where it is going, and whether it can migrate from region to region or country to country. And to date you have used either your own self-developed knowledge of EC2, private Eucalyptus, Terremark, etc.., or you used Rightscale or CohesiveFT, or one of the other tooling sets that fit in the category Gartner calls “Cloud Management Platform”.

I believe this is an industry wide trend, and basically creates a new “separation of concerns” in how IT functionality is provided both by vendors and IT staffs, and how IT functionality is consumed. The Enterprise IT environment has vacillated for decades between centralize, decentralize, centralize, etc.. This new separation of concerns allows for the gradual evolution of a hybrid IT organization where there is a logical, and purposeful bit of both models.

There are now three distinct control planes; physical, virtual, and customer/user.

Physical infra is a centralized activity, at the very least at the geographic level.

Virtual infra will be centralized at the virtual infra layer, with the newer versions of virtual infrastructure software offering some interesting geographical federation capabilities. It is possible one might be running both VMware and Xen virtual infrastructure globally, and those virtual infra's will likely be in the control of either one IT group, or one IT group per vendor solution.

Application topologies ideally run “when” (in time) and “where” (in geography) they are most useful to a business. This means detailed knowledge of the wants, needs, beliefs, and fears of the consuming business units. If this is a global customer database without a predominant business unit owner – then that application topology itself might be managed by a centralized “common applications” team.

If it is a cornerstone application for a company's Swiss Private Client group – then I am guessing it will be managed by a business line oriented IT group in Switzerland, likely to be running on a piece of Swiss-domiciled virtual infrastructure.

They key here is to realize that there are distinct products/vendors for each layer of your cloud infrastructure, and there are distinct buyers/users for each layer of your cloud infrastructure.

To me this sets up nicely to fit into the UK idiom of “horse for courses”.

*However, in part two of this topic I will address the problematic nature of the new separation of concerns. The gist of the issue is there is a temptation in the “enterprise cloud” or “private cloud” to violate them, not recognizing that there are now consumers of each level's vendor offerings, as well as a desire of course by vendors to be the single source of all cloud computing capabilities for an enterprise (not necessarily a bad thing) by providing one monolithic product that serves all levels (a bad thing).

(pat k)