Many enterprises embarking on their cloud transformation journey opt for a hybrid cloud implementation. This is typically driven by two strategic reasons:
- Risk aversion: Companies have already invested in their legacy infrastructure, and a “big bang” move to the cloud is too risky. As a middle path, enterprises opt for a hybrid cloud approach because it lets them build confidence in cloud technologies, work through security and compliance concerns, and realize cost efficiencies along the way.
- Minimizing future supplier power: Hybrid cloud helps companies stay future-proof by avoiding lock-in to one cloud vendor. Trying a multi-cloud approach can help them limit the growing bargaining power of any single cloud supplier.
Many of our clients minimize the risk of migrating to the cloud using a phased approach where business processes are gradually moved. This requires splitting application modules between on-premise and cloud. The success of any hybrid cloud implementation is heavily dependent on integration architecture planning between the two.
Integration Architecture Planning
Application processing flows need to operate seamlessly between on-premise and cloud-based components, and non-functional elements such as performance, security, and observability also require integration design across both platforms. The key integration areas to analyze, and to make design decisions on early in your project, are outlined below.
Real-Time vs Event-Driven
One of the advantages of transitioning to the cloud is scalability. In order to leverage this benefit of the cloud, we need to make application processes, services, and interactions as decoupled as possible.
Event-driven design is a great way to decouple application components, so identify the interactions that do not require a real-time response. This lets you split modules between on-premise and cloud with no impact on performance SLAs. In addition, enforce common message formats using schemas, and test event replication between environments early, since your organization’s firewalls or other network configuration may require changes. Public cloud providers offer managed Kafka services (for example, AWS MSK), and several products on the market, such as Cloudera and Confluent, support events across hybrid infrastructure.
For application flows that are time-sensitive and require an immediate response or real-time action, REST APIs are a simple way to exchange data both between microservices within a cloud-based system and with components hosted in an on-premise data center. New API endpoints may need to be added to existing applications, or legacy APIs optimized; for example, older SOAP-based APIs should be modified to use JSON bodies to improve network performance.
Cloud solution resiliency is maximized using an Active-Active topology across regions. Depending on your organization’s Disaster Recovery (DR) requirements, the other active region can serve as a dynamic recovery zone and avoid the need for a cloud-specific DR environment. If on-premise or connected third-party environments instead have an Active-Passive topology, with a separate DR environment, you may face challenges in aligning the environments. You might need to, for example, configure both cloud regions to read from a single region’s queue or design strategies for switching to an on-premise Disaster Recovery environment from the cloud solution based on key events.
Logging and Observability
Having a single interface for viewing operational data consolidated across both on-premise and cloud-based systems is crucial if a single support and troubleshooting team is to maintain the hybrid system. By default, cloud-based systems write logs to their own native logging services, such as AWS CloudWatch, Azure Monitor, or GCP’s Cloud Logging and Cloud Monitoring. Adopt logging and observability solutions, such as Dynatrace or Datadog, that native tools like CloudWatch can forward to and that on-premise applications can also write to. This allows you to build dashboards that show the end-to-end processing flow regardless of whether an application is hosted on-premise or in the cloud, and to generate alerts from any key point in the flow.
Whenever an organization is planning to use a hybrid cloud model, the existing on-premises networking strategy is not sufficient. When integrating into a cloud, an organization must extend its DNS (Domain Name System) service to include cloud applications. There are multiple ways you can accomplish this:
- Organizations might decide to keep using their existing DNS servers and leave their current DNS resolution on-premise as-is.
- Organizations might decide to use a hybrid approach by keeping an on-premise DNS system/resolver for on-premise and a cloud DNS system for cloud applications.
- Organizations might decide to move their DNS resolution to a cloud service such as Amazon Route 53 or GCP’s Cloud DNS.
Whenever both on-premise and cloud DNS resolution are in use, one should be a subdomain of the other: either the cloud DNS zone is a subdomain of the on-premise domain, or vice versa, so that each side can delegate the other’s names instead of failing to resolve them.
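To make the subdomain rule concrete, here is an added Go example (not code from the original article) that models a hybrid DNS plan: the zone names, the "on-prem"/"cloud" resolver labels and the hostnames are constructed placeholders. It picks which resolver answers a hostname by longest zone match, and lists the delegation and forwarding each side needs, flagging any cloud zone that is not a subdomain of an on-prem zone.

```go
package main

import "strings"
// Zone is one DNS zone in the hybrid design and the system authoritative for it.
// Constructed sample data: the zone names used with it are placeholders.
type Zone struct {
	Name     string // fully qualified, with trailing dot
	Resolver string // "on-prem" or "cloud"
}

func isSubdomain(child, parent string) bool {
	return child != parent && strings.HasSuffix(child, "."+parent)
}

// ResolverFor picks the zone with the longest matching suffix, so a host under
// cloud.example.com. is answered by cloud DNS while the rest of example.com. stays on-prem.
func ResolverFor(zones []Zone, host string) (string, bool) {
	host = strings.ToLower(strings.TrimSuffix(host, ".")) + "."
	best := Zone{}
	for _, z := range zones {
		if (host == z.Name || isSubdomain(host, z.Name)) && len(z.Name) > len(best.Name) {
			best = z
		}
	}
	return best.Resolver, best.Name != ""
}

// PlanDelegation applies the rule from the text: each cloud zone must be a subdomain of an
// on-prem zone. It lists what each side configures (delegation down, forwarding up) or the gap.
func PlanDelegation(zones []Zone) []string {
	var out []string
	for _, c := range zones {
		if c.Resolver != "cloud" {
			continue
		}
		parent := ""
		for _, p := range zones {
			if p.Resolver == "on-prem" && isSubdomain(c.Name, p.Name) && len(p.Name) > len(parent) {
				parent = p.Name
			}
		}
		if parent == "" {
			out = append(out, "ERROR: "+c.Name+" is not a subdomain of any on-prem zone")
		} else {
			out = append(out, "on-prem "+parent+": delegate "+c.Name+" to cloud DNS (NS records)",
				"cloud DNS: forward "+parent+" to on-prem resolvers")
		}
	}
	return out
}
```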
When using the cloud in an IaaS or PaaS model, the security of applications hosted in the cloud still rests with the organization. The design decisions specific to hybrid solutions include:
Data at Rest: Field-level Encryption
Applications that handle personally identifiable information (PII) typically leave processing identifiers and non-sensitive data visible but encrypt sensitive fields. The algorithm used to encrypt and decrypt these fields must be common across on-premise and cloud so that each component can decrypt what it needs for its own processing, and any encryption utilities and keys must be shared across both environments.
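As an added example (not the article’s code), the following Go routines show field-level encryption that both environments can run unchanged: AES-GCM with the record identifier as associated data, so the identifier stays visible while each ciphertext is bound to its own record. The data key is assumed to come from a key store shared by on-premise and cloud, such as a KMS; the function names and wire format are this example’s choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)
// newGCM wraps the shared data key in AES-GCM; assumption: both sides fetch it from one KMS.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealField encrypts one PII field with the record ID as associated data: the ID stays
// readable as a processing identifier, and a ciphertext moved to another record will not
// open. Wire format shared by both environments: base64(nonce || ciphertext || tag).
func SealField(key []byte, recordID, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per field
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(recordID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// OpenField is the matching decrypt; any error means a wrong key, tampering, or a moved field.
func OpenField(key []byte, recordID, sealed string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(sealed)
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", errors.New("malformed sealed field")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```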
Data in Motion
Authentication and authorization of REST APIs and events between cloud and on-premise environments:
If existing on-premise APIs are already used by partner organizations, they likely have rigorous authentication processes. When they are called from cloud-based components, the required credentials need to be stored securely in a cloud secrets service and retrieved from there at runtime. Authentication from on-premise components to cloud-based ones can be designed according to your organization’s security policies, since that access stays internal to your organization.
Encrypting data in transit:
Because data in a hybrid cloud model flows over the internet, encrypting it in transit is essential. For instance, use SSL/TLS certificates on any API gateway, and use PGP together with SFTP/SCP to secure file transfers, emails, and similar traffic flowing between on-premise and the various cloud infrastructures.
In a hybrid environment there are many integration points between on-premise and cloud, making cross-environment integration testing critical. In addition to the usual agile development and testing practices of test-driven development (TDD) and behavior-driven development (BDD) within the cloud or on-premise components, at least two rounds of application testing and two rounds of integration testing are recommended:
- Validate that, for example, the cloud-based logic performs as expected, using automation with simulated API inputs (from external systems) and validated outputs to and from the other environment. This will identify any internal logic issues.
- After identifying the most frequent use cases, conduct automated performance testing to uncover any performance-related issues within the component.
- Conduct functional integration testing by sending data from on-premise to cloud and vice versa to validate common data specifications, connectivity, and security.
- Conduct integration performance testing to uncover any performance bottlenecks in the end-to-end flow.
To summarize, the earlier you plan the integration, site, security, and testing strategy for your hybrid cloud configuration, the more efficient and seamless your integrated cloud and on-premise applications will be. Delays in identifying and planning for integration touchpoints between on-premise and cloud components, organizational or industry-specific security concerns, site configuration, integration testing, or support will increase cloud costs, delay project go-live, and negatively impact user experience.
- When selecting cloud vendor services, confirm that they support active-active, multi-region topologies and include the operational tools needed to observe and support applications in both environments. Some serverless and managed services in particular are not as mature in those areas “as advertised”.
- Perform connectivity and data integration testing between the on-premise and cloud environments early in your project to identify any additional connection or security approvals and any schema differences.
- Apply event-driven design wherever practical (as per the guidelines above).
Hesitating to start your cloud transformation journey?
If you’re unable to fully integrate your on-premise application with cloud applications, or want to re-engineer your on-premise infrastructure to the cloud, Indellient can help. As a proud AWS and Google Cloud partner, Indellient can empower your organization to kick start its cloud journey by integrating or re-engineering your on-premise applications to cloud solutions. Contact us today to get started on your cloud transformation.