Amazon virtual private clouds go global
Adds real private links and identity management
Online retailing giant and cloud-computing pioneer Amazon is rolling out its Virtual Private Cloud (VPC) service to its data centers around the world. At the same time, it's giving customers dedicated private links into the cloudy infrastructure from their own premises, as well as an identity-management front end for the clouds that integrates with existing systems running at brick-and-mortar data centers.
The Amazon Web Services unit of the online retailer debuted its first VPC offering two years ago, allowing for chunks of the EC2 compute cloud to be carved out and isolated from other customers and to be linked to via an IPsec encrypted virtual private network (VPN) over the internet.
The original VPC offering required data centers to have VPN hardware and software, which was extended to the Amazon cloud. In March of this year, Amazon tweaked the VPC offering to give customers control over IP address ranges, subnets, and configuration of route tables and network gateways, just as they would have in their own data center. This allowed them to, for instance, create one subnet for web servers that sit on the internet and another subnet for applications and databases that do not.
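The public/private subnet split described above is only as good as the route tables behind it: a "private" subnet that is associated with a route table carrying a default route to the internet gateway is private in name only. The following is an added example, not code from the article or from Amazon, that audits a VPC plan offline for exactly that kind of slip. The `VpcPlan`, `Subnet` and `RouteTable` types, the `audit_vpc` function and the sample plans (with constructed ids such as `igw-example` and `vgw-example`) are all assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class RouteTable:
    name: str
    # destination CIDR -> target id; ids here are constructed placeholders
    routes: Dict[str, str]


@dataclass
class Subnet:
    name: str
    cidr: str
    tier: str         # "public" (internet-facing) or "private" (apps, databases)
    route_table: str  # name of the RouteTable this subnet is associated with


@dataclass
class VpcPlan:
    cidr: str
    subnets: List[Subnet]
    route_tables: Dict[str, RouteTable]


def reaches_internet_gateway(rt: RouteTable) -> bool:
    """True if any route in the table points at an internet gateway (igw-*)."""
    return any(target.startswith("igw-") for target in rt.routes.values())


def audit_vpc(plan: VpcPlan) -> List[str]:
    """Return a list of findings; an empty list means the plan is consistent."""
    findings: List[str] = []
    vpc_net = ipaddress.ip_network(plan.cidr)
    seen = []  # (subnet name, network) already checked, for overlap detection

    for s in plan.subnets:
        net = ipaddress.ip_network(s.cidr)

        # Every subnet must be carved out of the VPC's own address range.
        if not net.subnet_of(vpc_net):
            findings.append(f"{s.name}: {s.cidr} is outside VPC {plan.cidr}")

        # Subnets must not overlap each other.
        for other_name, other_net in seen:
            if net.overlaps(other_net):
                findings.append(f"{s.name}: {s.cidr} overlaps {other_name}")
        seen.append((s.name, net))

        rt = plan.route_tables.get(s.route_table)
        if rt is None:
            findings.append(f"{s.name}: route table {s.route_table!r} does not exist")
            continue

        # Validate every destination as a CIDR before reasoning about it.
        for dest in rt.routes:
            ipaddress.ip_network(dest)

        igw = reaches_internet_gateway(rt)
        if s.tier == "public" and not igw:
            findings.append(f"{s.name}: public subnet has no route to an internet gateway")
        if s.tier == "private" and igw:
            findings.append(
                f"{s.name}: private subnet is associated with {rt.name}, "
                f"which routes to an internet gateway"
            )
    return findings


# Constructed sample: a web tier on the internet, an app/db tier reachable
# only from the VPC itself and from the on-premises network via the VPN gateway.
PUBLIC_RT = RouteTable("public-rt", {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-example"})
PRIVATE_RT = RouteTable("private-rt", {"10.0.0.0/16": "local", "192.168.0.0/16": "vgw-example"})

GOOD_PLAN = VpcPlan(
    cidr="10.0.0.0/16",
    subnets=[
        Subnet("web", "10.0.1.0/24", "public", "public-rt"),
        Subnet("app-db", "10.0.2.0/24", "private", "private-rt"),
    ],
    route_tables={"public-rt": PUBLIC_RT, "private-rt": PRIVATE_RT},
)

# Same plan, but the app/db subnet was associated with the public route table.
BAD_PLAN = VpcPlan(
    cidr="10.0.0.0/16",
    subnets=[
        Subnet("web", "10.0.1.0/24", "public", "public-rt"),
        Subnet("app-db", "10.0.2.0/24", "private", "public-rt"),
    ],
    route_tables={"public-rt": PUBLIC_RT, "private-rt": PRIVATE_RT},
)

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, audit_vpc(plan) or "no findings")
```

The check keys on the target id prefix because that is the only thing that distinguishes an internet gateway route from a VPN gateway route in a route table; the same data could be pulled from a live account and fed to `audit_vpc` unchanged.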
The other change was that companies that do not have all this internal VPN gear – perhaps because AWS is their data center – could still set up VPN access to EC2 compute and S3 storage clouds with the VPC front end.
A few weeks later, Amazon went one step further and offered dedicated instances for VPC customers – literally pinning virtual workloads to specific servers in its data centers and turning a multi-tenant public cloud into what amounts to a hosted private cloud.
With Thursday's enhancements, AWS is extending the Virtual Private Cloud service to run in its data centers in Dublin, Ireland (serving Europe), and Singapore and Tokyo (serving the Asia/Pacific region). The two data centers Amazon operates in Boardman, Oregon and Ashburn, Virginia already serve the west and east coasts of North America.
Amazon is also allowing for the networks in the corporate data center as well as those in branch offices to all be linked to AWS capacity over the VPC, linking the branch offices to the data centers using AWS as a backbone.
For companies that don't like the unpredictable performance of a VPN tunnel over the internet, Amazon is now rolling out a new feature called AWS Direct Connect, which provides a fully private, dedicated Gigabit Ethernet or 10 Gigabit Ethernet link from the customer's data center into an AWS data center.
Direct Connect can be used to access public AWS resources as well as VPC resources that are cordoned off. It is implemented using an 802.1q VLAN – which means it can be partitioned into multiple logical networks – and for those who need lots of bandwidth, multiple links can be ganged up. Amazon says that most VPN hardware poops out at about 4Gb/sec of bandwidth, and at its current network transfer prices on the VPN service, the money can add up.
At the moment, AWS Direct Connect ports are only available into Amazon's Ashburn, Virginia data center (located in an Equinix facility). It costs 30 cents per hour for a Gigabit Ethernet port and $2.25 per hour for a 10GE port. Amazon doesn't charge for data pumped into the Virginia data center, but charges 2 cents per gigabyte transferred out of the facility. You can mix and match Direct Connect and standard VPN-based internet traffic within the same company and virtual networks, by the way.
The Direct Connect links are currently available only to customers residing in Virginia, and linking only to the Ashburn facility. Amazon says that it plans for direct links to be available from San Jose and Los Angeles into its Oregon data center as well as from London into Ireland and from Singapore and Tokyo into those AWS data centers in the next several months.
Amazon has also tweaked the Identity and Access Management feature of the AWS Management Console with an identity-federation feature. The IAM feature already allowed AWS administrators to control access to virtual compute, storage, and network resources on the Amazon cloud.
With the new federation features, IAM lets whatever identity-management products enterprises use internally be cross-coupled with AWS authentication. End users inside the corporate firewall can keep their current authentication method (passwords, access keys, multi-factor authentication) and use the APIs in the IAM software to get access to AWS resources automatically and programmatically, without an administrator creating AWS credentials for each of those users by hand. IAM is a freebie feature of the Amazon cloud. ®