This evening Amazon launched a new service called “VPC”, which stands for Virtual Private Cloud. Read the details on the product page and the AWS blog, plus a nice backgrounder on Werner Vogels’ blog. The short story is that it allows anyone to spin up a private enclave within Amazon’s infrastructure. This allows VPC users to segregate their EC2 instances from “the masses” and get a VPN connection from their own data center to their VPC, which then looks like a part of their internal network. Exciting stuff, and we’ll have support for VPCs in RightScale real soon.
When I look back, in 2006 when EC2 first launched it was for lunatics (ok, I plead guilty). In 2007 startups began to really notice and hop onto the bandwagon. Stories of really cool stuff happening in EC2 started to spread. But by and large it was still a somewhat limited environment and a very ‘early adopter’ product. In 2008 we saw more mature companies starting to adopt the cloud and utilize it where it made sense in their operations. Also, the first enterprise customers started to show up to learn about the cloud, try things out, and voice their concerns. Now that we’re well into 2009 the enterprise interest has really picked up, and Amazon’s new offering comes just at the right time. It’s targeted at addressing a number of the practical networking and security considerations that enterprises have to deal with throughout their IT infrastructure.
The best way I’ve found to describe a VPC is a datacenter on a stick: you launch your servers into a balloon within Amazon’s infrastructure and you get a VPN link to tie them all back into your datacenter. Let’s take this step-by-step and see how it works.
- In your existing EC2 account you create a VPC, that’s the container for all your instances
- In that VPC, you define one or multiple subnets (e.g. 10.34.1.0/24) chosen so they integrate well into your enterprise-wide internal addressing structure
- You now set up your IPsec VPN device (preferably a major-brand router) and connect to a VPN endpoint you create within your VPC
- Finally, you launch your first VPC instance almost the same way as you would launch a public instance, the only difference being that you specify to which of your VPC subnets it should be attached
- You now have a server in your VPN that, with a small amount of router config, is indistinguishable from any of your other servers in your datacenter, except that you didn’t have to buy it, rack it, or hook it up!
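The second step above, choosing subnets that fit into the enterprise-wide addressing plan, is where VPC deployments most often go wrong in practice: a VPC block that collides with an existing internal range will not route cleanly once the VPN is up. The following script is an added example (not RightScale’s or Amazon’s code) that validates a proposed addressing plan before anything is created: every subnet must sit inside the VPC block, subnets must not overlap each other, and neither the subnets nor the VPC block itself may overlap the on-premises ranges. The on-prem ranges and the VPC plan are constructed sample values; the rule that the whole VPC block must be free of on-prem overlap reflects the assumption that the VPN route on the datacenter side covers the entire VPC block, not just the subnets in use.

```python
"""Check that a proposed VPC addressing plan fits the VPC block and does not
collide with existing on-premises ranges (added example, constructed data)."""
import ipaddress

# Constructed sample data: the enterprise's existing internal ranges.
ONPREM_RANGES = [
    "10.0.0.0/16",      # HQ datacenter
    "10.34.0.0/24",     # branch office; sits inside the proposed VPC block below
    "192.168.0.0/16",   # lab network
]


def overlapping(candidate, existing):
    """Return the entries of `existing` (as given) that overlap `candidate`."""
    cand = ipaddress.ip_network(candidate, strict=True)
    return [e for e in existing
            if cand.overlaps(ipaddress.ip_network(e, strict=True))]


def check_plan(vpc_cidr, subnets, onprem):
    """Validate a VPC addressing plan.

    Returns a dict mapping each offending network (subnet or the VPC block
    itself) to a list of problem strings. An empty dict means the plan is clean.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    problems = {}
    seen = []
    for s in subnets:
        issues = []
        net = ipaddress.ip_network(s, strict=True)
        # Every subnet must be carved out of the VPC block.
        if not net.subnet_of(vpc):
            issues.append(f"not inside VPC block {vpc}")
        # A subnet that overlaps an on-prem range cannot be routed unambiguously.
        for o in overlapping(s, onprem):
            issues.append(f"overlaps on-prem range {o}")
        # Subnets within the VPC must be disjoint from each other.
        for other in seen:
            if net.overlaps(other):
                issues.append(f"overlaps sibling subnet {other}")
        seen.append(net)
        if issues:
            problems[s] = issues
    # Assumption: the datacenter router will point the whole VPC block at the
    # VPN, so the block itself must not overlap on-prem space either.
    for o in overlapping(vpc_cidr, onprem):
        problems.setdefault(vpc_cidr, []).append(
            f"VPC block overlaps on-prem range {o}")
    return problems


if __name__ == "__main__":
    # Constructed plan: one subnet lies outside the block, and the block
    # itself swallows the branch-office range even though no subnet does.
    plan = check_plan("10.34.0.0/16",
                      ["10.34.1.0/24", "10.34.2.0/24", "10.35.0.0/24"],
                      ONPREM_RANGES)
    for net, issues in plan.items():
        for issue in issues:
            print(f"{net}: {issue}")
```

Running the script reports that 10.35.0.0/24 is outside the VPC block and that the 10.34.0.0/16 block overlaps the branch office’s 10.34.0.0/24, while 10.34.1.0/24 and 10.34.2.0/24 pass. The second finding is the one that is easy to miss by checking only the subnets you intend to use.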
So what is a VPC really? It really is what it says: a virtual private cloud. One key ingredient here is that a VPC is a logical concept, not a physical one, meaning that the boundary around your instances in your VPC is at the network level, there is no separate room with your servers! What that means is that a VPC is truly a cloud with all the attributes we expect: virtually infinite, on-demand resource availability, pay-per-use pricing, etc. You’re not forking out $$$ to have someone build you a finite cloud-like datacenter, that takes months to build, and is charged up-front. I’m sure Amazon got requests to build private physical clouds in some large enterprise datacenters and I’m glad they opted for the virtual cloud variant. The one that really is a cloud.
Something that initially puzzled me is what the benefits of a VPC are when all the marketing fluff dissipates. Here is what I’ve learned. First, instances in the VPC are separated from non-VPC instances at a deeper network level than instances in different security groups or belonging to different users. As is typical, Amazon doesn’t say anything of substance about the nature of this isolation. Let’s see how soon that will have to change to actually attract enterprises… Second, instances in the VPC can seamlessly integrate into a company’s internal network routing. This is significant because it means that tools used to inventory, secure, audit, manage, and access all servers in the IT infrastructure can now be brought to bear on instances in the cloud as well.
What is really nice about the VPC is that everything works (almost) as usual. Launching instances is only slightly different from before in that one additional parameter specifies the subnet to launch the instance into. Almost everything else is unchanged. So all the goodness of RightScale will continue to work. Well, actually, there is one fly in the ointment in this initial release that the docs are quiet about, which is that instances in a VPC have no external network connectivity whatsoever. All traffic in/out of the VPC has to go through the VPN, at the far end of which it may be routed to the internet. This includes traffic to other AWS services, such as S3, SQS, SimpleDB, and indeed any general internet traffic. To me this sounds like the #1 priority limitation to fix, from Amazon’s point of view as well…
Last but not least, the killer feature in my opinion is the price: it’s virtually free! The only extra cost of having a VPC over using standard EC2 instances is the VPN charge which is 5 cents an hour, a charge that doesn’t even register with most folks who need a VPC (the charge is per VPN, so in principle it can add up a little if you have 20 datacenters each with a VPN to your VPC, it’s still peanuts).
Mark your history books: 2009, the year that the cloud became enterprise ready. I believe this is the most compelling feature/service AWS could have added at this stage of the cloud market from an enterprise point of view. While we’re busy finishing the support for VPCs in the RightScale enterprise edition don’t hesitate to give us a call to find out more about our early experience program for RightScale VPC management.