
hybrid-cloud-networking

Configure secure, high-performance connectivity between on-premises infrastructure and cloud platforms using VPN and dedicated connections. Use when building hybrid cloud architectures, connecting data centers to cloud, or implementing secure cross-premises networking.

Free · Risk: medium · Tags: hybrid, cloud, networking, gcp, terraform, azure, aws

The full skill

---
name: hybrid-cloud-networking
description: Configure secure, high-performance connectivity between on-premises infrastructure and cloud platforms using VPN and dedicated connections. Use when building hybrid cloud architectures, connecting data centers to cloud, or implementing secure cross-premises networking.
---

# Hybrid Cloud Networking

Configure secure, high-performance connectivity between on-premises and cloud environments using VPN, Direct Connect, ExpressRoute, Interconnect, and FastConnect.

## Purpose

Establish secure, reliable network connectivity between on-premises data centers and cloud providers (AWS, Azure, GCP, OCI).

## When to Use

- Connect on-premises to cloud
- Extend a datacenter to cloud
- Implement hybrid active-active setups
- Meet compliance requirements
- Migrate to cloud gradually

## Connection Options

### AWS Connectivity

#### 1. Site-to-Site VPN

- IPsec VPN over the internet
- Up to 1.25 Gbps per tunnel
- Cost-effective for moderate bandwidth
- Higher latency, internet-dependent

```hcl
# Virtual private gateway attached to the VPC (cloud side of the tunnels)
resource "aws_vpn_gateway" "main" {
  vpc_id = aws_vpc.main.id

  tags = {
    Name = "main-vpn-gateway"
  }
}

# Customer gateway: the on-premises router's public IP and BGP ASN
resource "aws_customer_gateway" "main" {
  bgp_asn    = 65000
  ip_address = "203.0.113.1"
  type       = "ipsec.1"
}

# static_routes_only = false enables BGP dynamic routing over the tunnels
resource "aws_vpn_connection" "main" {
  vpn_gateway_id      = aws_vpn_gateway.main.id
  customer_gateway_id = aws_customer_gateway.main.id
  type                = "ipsec.1"
  static_routes_only  = false
}
```

#### 2. AWS Direct Connect

- Dedicated network connection
- 1 Gbps to 100 Gbps
- Lower latency, consistent bandwidth
- More expensive, setup time required

**Reference:** See `references/direct-connect.md`

### Azure Connectivity

#### 1. Site-to-Site VPN

```hcl
# Route-based VPN gateway deployed into the VNet's GatewaySubnet
resource "azurerm_virtual_network_gateway" "vpn" {
  name                = "vpn-gateway"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name

  type     = "Vpn"
  vpn_type = "RouteBased"
  sku      = "VpnGw1"

  ip_configuration {
    name                          = "vnetGatewayConfig"
    public_ip_address_id          = azurerm_public_ip.vpn.id
    private_ip_address_allocation = "Dynamic"
    subnet_id                     = azurerm_subnet.gateway.id
  }
}
```

#### 2. Azure ExpressRoute

- Private connection via a connectivity provider
- Up to 100 Gbps
- Low latency, high reliability
- Premium SKU for global connectivity

### GCP Connectivity

#### 1. Cloud VPN

- IPsec VPN (Classic or HA VPN)
- HA VPN: 99.99% SLA
- Up to 3 Gbps per tunnel

#### 2. Cloud Interconnect

- Dedicated (10 Gbps, 100 Gbps)
- Partner (50 Mbps to 50 Gbps)
- Lower latency than VPN

### OCI Connectivity

#### 1. IPSec VPN Connect

- IPsec VPN with redundant tunnels
- Dynamic routing through the DRG
- Good fit for branch offices and migration phases

#### 2. OCI FastConnect

- Private dedicated connectivity through an Oracle or partner edge
- Suitable for predictable throughput and lower-latency hybrid traffic
- Commonly paired with a DRG for hub-and-spoke designs

## Hybrid Network Patterns

### Pattern 1: Hub-and-Spoke

```
On-Premises Datacenter
        ↓
 VPN/Direct Connect
        ↓
Transit Gateway (AWS) / vWAN (Azure)
        ↓
├─ Production VPC/VNet
├─ Staging VPC/VNet
└─ Development VPC/VNet
```

### Pattern 2: Multi-Region Hybrid

```
On-Premises
├─ Direct Connect → us-east-1
└─ Direct Connect → us-west-2
        ↓
 Cross-Region Peering
```

### Pattern 3: Multi-Cloud Hybrid

```
On-Premises Datacenter
├─ Direct Connect → AWS
├─ ExpressRoute   → Azure
├─ Interconnect   → GCP
└─ FastConnect    → OCI
```

## Routing Configuration

### BGP Configuration

```
On-Premises Router:
- AS Number: 65000
- Advertise: 10.0.0.0/8

Cloud Router:
- AS Number: 64512 (AWS), 65515 (Azure), provider-assigned for GCP/OCI
- Advertise: Cloud VPC/VNet CIDRs
```

### Route Propagation

- Enable route propagation on route tables
- Use BGP for dynamic routing
- Implement route filtering
- Monitor route advertisements

## Security Best Practices

1. **Use private connectivity** (Direct Connect/ExpressRoute/Interconnect/FastConnect)
2. **Implement encryption** for VPN tunnels
3. **Use VPC endpoints** to avoid internet routing
4. **Configure network ACLs** and security groups
5. **Enable VPC Flow Logs** for monitoring
6. **Implement DDoS protection**
7. **Use PrivateLink/Private Endpoints**
8. **Monitor connections** with CloudWatch/Azure Monitor/Cloud Monitoring/OCI Monitoring
9. **Implement redundancy** (dual tunnels)
10. **Run regular security audits**

## High Availability

### Dual VPN Tunnels

```hcl
# Two connections terminating on two different on-premises customer gateways,
# so the loss of one router or ISP path does not take down connectivity
resource "aws_vpn_connection" "primary" {
  vpn_gateway_id      = aws_vpn_gateway.main.id
  customer_gateway_id = aws_customer_gateway.primary.id
  type                = "ipsec.1"
}

resource "aws_vpn_connection" "secondary" {
  vpn_gateway_id      = aws_vpn_gateway.main.id
  customer_gateway_id = aws_customer_gateway.secondary.id
  type                = "ipsec.1"
}
```

### Active-Active Configuration

- Multiple connections from different locations
- BGP for automatic failover
- Equal-cost multi-path (ECMP) routing
- Monitor the health of all connections

## Monitoring and Troubleshooting

### Key Metrics

- Tunnel status (up/down)
- Bytes in/out
- Packet loss
- Latency
- BGP session status

### Troubleshooting

```bash
# AWS VPN: connection state, plus per-tunnel telemetry (VgwTelemetry) for tunnel up/down status
aws ec2 describe-vpn-connections
aws ec2 describe-vpn-connections --query 'VpnConnections[].VgwTelemetry'

# Azure VPN (placeholders in angle brackets)
az network vpn-connection show --name <connection-name> --resource-group <resource-group>
az network vpn-connection show-device-config-script --name <connection-name> --resource-group <resource-group> \
  --vendor <vendor> --device-family <device-family> --firmware-version <firmware-version>

# OCI IPSec VPN
oci network ip-sec-connection list --compartment-id <compartment-ocid>
oci network cpe list --compartment-id <compartment-ocid>
```

## Cost Optimization

1. **Right-size connections** based on traffic
2. **Use VPN for low-bandwidth** workloads
3. **Consolidate traffic** through fewer connections
4. **Minimize data transfer** costs
5. **Use dedicated private links** for high bandwidth
6. **Implement caching** to reduce traffic
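The two operational checks this skill asks for but does not show, monitoring tunnel redundancy (High Availability, Monitoring and Troubleshooting) and filtering BGP route advertisements (Route Propagation), as one added Python example. It is not part of the skill or of any provider's tooling. It assumes the JSON shape of `aws ec2 describe-vpn-connections` output (the `VgwTelemetry` list with `Status`, `StatusMessage`, `OutsideIpAddress` and `AcceptedRouteCount`) and embeds a constructed sample of it; the on-premises aggregate `10.0.0.0/8` comes from the BGP section above, while the cloud CIDRs `10.100.0.0/16` and `10.101.0.0/16` and the connection ids are hypothetical.

```python
"""Hybrid VPN health and route-policy checks (added example, not part of the skill)."""
import ipaddress
import json

# Constructed sample shaped like `aws ec2 describe-vpn-connections` JSON output.
# Only the fields the checks read are present; every value is made up.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "VpnConnections": [
        {   # hypothetical id: one tunnel up, the other down -> degraded redundancy
            "VpnConnectionId": "vpn-0example1", "State": "available",
            "VgwTelemetry": [
                {"OutsideIpAddress": "203.0.113.10", "Status": "UP",
                 "StatusMessage": "", "AcceptedRouteCount": 1},
                {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN",
                 "StatusMessage": "IPSEC IS DOWN", "AcceptedRouteCount": 0},
            ],
        },
        {   # hypothetical id: both tunnels up and learning routes -> healthy
            "VpnConnectionId": "vpn-0example2", "State": "available",
            "VgwTelemetry": [
                {"OutsideIpAddress": "198.51.100.10", "Status": "UP",
                 "StatusMessage": "", "AcceptedRouteCount": 1},
                {"OutsideIpAddress": "198.51.100.11", "Status": "UP",
                 "StatusMessage": "", "AcceptedRouteCount": 1},
            ],
        },
    ]
})

ONPREM_AGGREGATES = ["10.0.0.0/8"]                   # advertised by AS 65000 (skill's BGP example)
CLOUD_CIDRS = ["10.100.0.0/16", "10.101.0.0/16"]     # hypothetical VPC/VNet CIDRs


def tunnel_findings(describe_json: str) -> dict[str, list[str]]:
    """Map each VPN connection id to a list of findings; an empty list means healthy."""
    findings: dict[str, list[str]] = {}
    for conn in json.loads(describe_json)["VpnConnections"]:
        issues: list[str] = []
        telemetry = conn.get("VgwTelemetry", [])
        if conn.get("State") != "available":
            issues.append(f"connection state is {conn.get('State')!r}, expected 'available'")
        if len(telemetry) < 2:
            issues.append("fewer than two tunnels reported; no tunnel redundancy")
        for t in telemetry:
            if t["Status"] != "UP":
                issues.append(f"tunnel {t['OutsideIpAddress']} is {t['Status']}: "
                              f"{t.get('StatusMessage') or 'no message'}")
            elif t.get("AcceptedRouteCount", 0) == 0:
                # IPsec is up but the BGP session is not delivering routes
                issues.append(f"tunnel {t['OutsideIpAddress']} is UP but BGP has accepted no routes")
        up = [t for t in telemetry if t["Status"] == "UP"]
        if telemetry and not up:
            issues.append("all tunnels down; on-premises reachability lost")
        elif len(telemetry) >= 2 and len(up) == 1:
            issues.append("only one tunnel up; redundancy degraded")
        findings[conn["VpnConnectionId"]] = issues
    return findings


def filter_advertisements(prefixes, allowed=ONPREM_AGGREGATES, cloud=CLOUD_CIDRS, max_prefixlen=24):
    """Split learned prefixes into (accepted, {prefix: rejection reason}).

    Rejects: the default route, anything equal to or more specific than a cloud CIDR
    (it would compete with the cloud's local route), anything outside the agreed
    on-premises aggregates, and prefixes more specific than /max_prefixlen.
    A less-specific aggregate that merely contains a cloud CIDR (10.0.0.0/8 here) is accepted.
    """
    allowed_nets = [ipaddress.ip_network(a) for a in allowed]
    cloud_nets = [ipaddress.ip_network(c) for c in cloud]
    accepted, rejected = [], {}
    for p in prefixes:
        try:
            net = ipaddress.ip_network(p, strict=True)   # strict: host bits set is an error
        except ValueError as exc:
            rejected[p] = f"malformed prefix ({exc})"
            continue
        same = lambda other: other.version == net.version  # subnet_of needs matching versions
        if net.prefixlen == 0:
            rejected[p] = "default route must never be learned from a peer"
        elif any(same(c) and net.subnet_of(c) for c in cloud_nets):
            rejected[p] = "equal to or inside a cloud VPC/VNet CIDR (would divert cloud traffic)"
        elif not any(same(a) and net.subnet_of(a) for a in allowed_nets):
            rejected[p] = "outside the agreed on-premises aggregates"
        elif net.prefixlen > max_prefixlen:
            rejected[p] = f"more specific than /{max_prefixlen}"
        else:
            accepted.append(p)
    return accepted, rejected


if __name__ == "__main__":
    for conn_id, issues in tunnel_findings(SAMPLE_DESCRIBE_OUTPUT).items():
        print(conn_id, "OK" if not issues else issues)
    ok, bad = filter_advertisements(["10.0.0.0/8", "10.20.0.0/16", "10.100.5.0/24",
                                     "0.0.0.0/0", "192.168.1.0/24", "10.30.40.0/28", "10.1.2.3/24"])
    print("accepted:", ok)
    for prefix, reason in bad.items():
        print("rejected:", prefix, "-", reason)
```

Feed `aws ec2 describe-vpn-connections --output json` to `tunnel_findings` from a scheduled job and alert on any non-empty list; the "only one tunnel up" finding is the one that silently erodes the redundancy item in the best-practice list. `filter_advertisements` encodes the same policy you would push as a prefix list to a Transit Gateway, Cloud Router or on-premises router, and is useful both for generating that allowlist and for auditing what a peer is actually advertising. The checks say nothing about confidentiality: dedicated circuits such as Direct Connect and ExpressRoute are private but not encrypted by default, so the encryption item applies to them as well where the data requires it.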

## Related Skills

- `multi-cloud-architecture` – For architecture decisions
- `terraform-module-library` – For IaC implementation