Pat Shuff's Blog

  • Iaas
    August 30, 2016


Let's take a step back and look at networking from a different perspective. A good reference book to start with from a corporate IT perspective is CCENT Cisco Certified Entry Networking Technician ICND1 Study Guide (Exam 100-101) with Boson NetSim Limited Edition, 2nd Edition. You don't need to read this book to get Cisco Certified but it does define terms and concepts well.

At the lowest level you start with a LAN or local area network. From the study guide, "Usually, LANs are confined to a single room, floor, or building, although they can cover as much as an entire campus. LANs are generally created to fulfill basic networking needs, such as file and printer sharing, file transfers, e-mail, gaming, and connectivity to the Internet or outside world." A LAN is typically connected with a single network hub or a series of hubs, and a router or gateway connects it to a larger network or the internet. The key services that you need on a LAN are a naming service and a gateway service. The naming service allows you to find services by name rather than ip address. The gateway service allows you to connect to services that are not on your local network. It is basically as simple as that.

A gateway typically also acts as a firewall and/or network address translation (NAT) device. The firewall either allows or blocks connections to a specific port on a specific ip address. It might have a rule that says drop all traffic or allow traffic from anywhere, from a network range, or from a specific network address. Network address translation allows you to communicate to the outside world from your desktop on a private nonroutable ip address and have the service that you are connecting to know how to get back to you.

For example, my home network has an internet router that connects to AT&T. When the router connects to AT&T, it gets a public ip address from the internet provider. This address is typically something like This is a routable address that can be reached anywhere from the internet. The router assigns an ip address to my desktop and uses the address range to to assign the addresses. This implies that I can have 101 devices in my house. When I connect to gmail.com to read my email I do a name search for gmail.com and get back the ip address. My desktop, assigned to does an http get from gmail.com on port 80. This http request is funneled through my internet router which changes the ip header assigning the transmitter ip address to It keeps track of the assignment so that a response coming back from gmail.com gets routed back to my desktop rather than my kids' desktop on the same network. gmail.com thinks that you are connecting from AT&T and not your desktop.
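The translation table described above can be modelled in a few lines. This is an added example, not code from the original post: the `NatRouter` class is hypothetical, all addresses are constructed (documentation and private ranges), and the filtering shown is a simplified model of what a home router does.

```python
import itertools


class NatRouter:
    """Toy port-address-translation table, as kept by a home router."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self._out = {}  # (private_ip, private_port, remote) -> public_port
        self._in = {}   # (public_port, remote) -> (private_ip, private_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of an outgoing packet and remember the mapping."""
        remote = (dst_ip, dst_port)
        key = (src_ip, src_port, remote)
        if key not in self._out:
            public_port = next(self._ports)
            self._out[key] = public_port
            self._in[(public_port, remote)] = (src_ip, src_port)
        return (self.public_ip, self._out[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Map a reply back to the private host, or None (drop) if unsolicited."""
        return self._in.get((dst_port, (src_ip, src_port)))


def demo():
    # Constructed addresses: 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
    router = NatRouter("203.0.113.7")
    server = ("198.51.100.20", 80)
    # Two private hosts use the same source port towards the same server.
    desk = router.outbound("192.168.1.10", 51000, *server)
    kid = router.outbound("192.168.1.11", 51000, *server)
    return {
        "server_sees": (desk[0], kid[0]),
        "reply_to_desk": router.inbound(*server, desk[1]),
        "reply_to_kid": router.inbound(*server, kid[1]),
        # A host that was never contacted gets no mapping, so the packet is dropped.
        "unsolicited": router.inbound("198.51.100.99", 4444, desk[1]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The server only ever sees the router's public address, and the unsolicited packet has no table entry to follow, which is why NAT is often mistaken for a firewall even though it has no rule set.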

It is important to take our discussion back to layer 2 and layer 3 when talking about routing. If we are operating on a LAN, we can use layer 2 multicast to broadcast packets to all computers on our local network. Most broadband routers support all of layer 3 and part of layer 2. You can't really take a video camera in your home and multicast it to your neighbors so that they can see your video feed but you can do this in your home. You can ping their broadband router if you know the ip address. Typically the ip address of a router is not mapped to a domain name so you can't really ask for the ip address of the router two houses down. If you know their ip address you can set up links between the two houses and share video between the houses through tcp/ip or udp/ip.

If we want to limit the number of computers that we can put on our home or office network we use subnet netmasks to limit the ip address range and program the router to look for all ip addresses in the netmask range. The study guide book does a good job of describing subnetting. The diagram below shows how to use a netmask to define a network that can host just over a hundred computers.

Note that we have defined a network with a network id of by using netmask which limits the number of computers to 127 computers. If we put a computer with ip address of on this network we won't be able to connect to the internet and we won't be able to use layer 2 protocols to communicate to all of the computers on this network. With this configuration we have effectively created a subnet inside our network. If we combine this with the broadcast address that is used when we create our network connection we can divide our network into ranges. The study guide book goes through an exercise of setting up a network for different floors in an office and limiting each floor to a fixed number of computers and devices.

One of the design challenges faced by people who write applications is where to layer security and where to layer connectivity. Do you configure an operating system firewall to restrict address ranges that it will accept requests from? Do you push this out to the network and assume that the router will limit traffic on the network? Do you push this out to the corporate or network firewall and assume that everything is stopped at the castle wall? The real answer is yes. You should set up security at all of these layers. When you make an assumption, things fall apart when someone opens an email and lets the trojan horse through the castle gates.

If you look at the three major cloud vendors they all take the same basic approach. Microsoft and Oracle don't let you configure the subnet that you are assigned to. You get assigned to a subnet and have little choice on the ip address range for the computers that you are placed upon in the cloud solution. Amazon allows you to define a subnet and ip address range. This is good and bad. It makes routing a little more difficult in the cloud and address translation needs to be programmed for the subnet that you pick. Vendors that assign an ip address range have hardwired routing for that network. This optimizes routing and simplifies the routing tables. Amazon faces problems with EC2 and S3 connectivity and ends up charging for data transmitted from S3 to EC2. Bandwidth is limited with these connections partly due to routing configuration limitations. Oracle and Microsoft have simpler routing maps and can put switched networks between compute and storage which provides a faster and higher throughput storage network connection.

The fun part comes when we want to connect our network which is on a non-routable network to our neighbors. We might want to share our camera systems and record them into a central video archive. Corporations face this when they want to create a cloud presence yet keep servers in their data center. Last week we talked about hiding a server in the cloud and putting our database where you can't access it from the public internet. This is great for security but what happens when we need to connect with sql developer to the database to upload a new stored procedure? We need to be able to connect to this private subnet and map it to our corporate network. We would like to be able to get to from our network which is mapped to How do we do this? There are two approaches. First, we can define a secondary network in our data center to match the network and create a secure tunnel between the two networks. The second is to remap the cloud network to the subnet and create a secure tunnel between the two networks. Do you see a common theme here? You need a secure tunnel with both solutions and you need to change the subnet either at the cloud host or in your data center. Some shops have the flexibility to change subnets in their corporate network or data center to match the cloud subnet (as is required with Oracle and Microsoft) while others require the cloud vendor to change the subnet configuration to match their corporate policy (Amazon provides this).

Today we are not going to dive deep into virtual private networks, IPSec, or secure tunnels. We are going to touch on the subjects and discuss them in depth later. The basic concept is a database developer working on their desktop needs to connect to a database server in the cloud. A Java developer working on their desktop needs to connect to a Java server in the cloud. We also need to hide the database server so that no one from the public internet can connect to the database server. We want to limit the connection to the Java server to be port 443 for secure https to public ip addresses and allow ssh login on port 22 from our corporate network. If we set a subnet mask, define a virtual private secure network between our corporate network and cloud network, and allow local desktops to join this secure network we can solve the problem. Defining the private subnet in the cloud and connecting it to our corporate network is not enough. This is going back to the castle wall analogy. We want to define firewall rules at the OS layer. We want to define routing protocols between the two networks and allow or block communication at different layers and ports. We want to create a secure connection from our sql developer, java developer, or eclipse development tools to our production servers. We also want to facilitate tools like Enterprise Manager to measure and control configurations as well as notify us of overload or failure conditions.
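The access policy in the paragraph above can be written down as per-host rule lists and checked before anything is deployed. This is an added example, not code from the original post: the network ranges, host names and the helper functions are constructed for illustration, and port 1521 (the default Oracle listener port) is an assumption for the database.

```python
import ipaddress

# Constructed networks (assumptions, not values from the original post).
CORPORATE = ipaddress.ip_network("10.20.0.0/16")      # reached over the secure tunnel
CLOUD_PRIVATE = ipaddress.ip_network("10.30.1.0/24")  # private subnet in the cloud
ANY = ipaddress.ip_network("0.0.0.0/0")

# Host-level (OS firewall) rules: first match wins, anything unmatched is dropped.
RULES = {
    "java-server": [
        ("allow", ANY, 443),             # https from public ip addresses
        ("allow", CORPORATE, 22),        # ssh only from the corporate network
    ],
    "db-server": [
        ("allow", CLOUD_PRIVATE, 1521),  # Java server on the same private subnet
        ("allow", CORPORATE, 1521),      # sql developer across the tunnel
        ("allow", CORPORATE, 22),
    ],
}


def decide(host, src, port):
    """Return 'allow' or 'drop' for a connection from src to host:port."""
    src_ip = ipaddress.ip_address(src)
    for action, network, rule_port in RULES[host]:
        if port == rule_port and src_ip in network:
            return action
    return "drop"  # default deny


def public_exposure(host, probe="198.51.100.5"):
    """Ports on host that a public address (constructed probe) can reach."""
    ports = {port for _, _, port in RULES[host]}
    return sorted(p for p in ports if decide(host, probe, p) == "allow")


if __name__ == "__main__":
    for host in RULES:
        print(host, "reachable from the internet on", public_exposure(host))
    print("ssh to java-server from corporate:", decide("java-server", "10.20.4.9", 22))
    print("ssh to java-server from internet:", decide("java-server", "198.51.100.5", 22))
```

Running `public_exposure` for every host is a quick audit that the database stays hidden even if the network firewall in front of it is misconfigured.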

In summary, there are a variety of decisions that need to be made when deploying a cloud solution. Letting the application developer deploy the configuration is typically a bad idea because they don't think of all of the corporate requirements. Letting the IT Security specialist deploy the configuration is also a bad idea. The solution will be so limiting that it makes the cloud services unusable. The architecture needs to be a mix of accessibility, security, and usability. Network configurations are not always the easiest discussion to have but they are critical to have early in the conversation. This blog is not trying to say that one cloud vendor is better than the other but is simply trying to point out the differences so that you as a consumer can decide what works best for your problem.
