Cloud offerings are half of the topic in the 2nd term of the 2nd year of BCIT's CISA program. As a hobby programmer, AWS and Google offer free tiers to work with, as long as you don't exceed the free tier's usage limits; you can buy into non-free tiers. Microsoft's Azure has time-limited free tiers, and limited usage allowances for students if you provide them with an institutional email.
The cloud related topics include:
- Microsoft365.com (SaaS) subscription
  - Exchange Online (PaaS)
  - Teams for business chat
  - Teams-based VoIP offerings, which allow telephony features like auto attendants and call queues
  - Active Directory in the cloud (Azure AD), including syncing with on-premises AD
  - Office.com (included with Microsoft365.com)
  - Outlook web app (SaaS) and downloadable
  - Word, downloadable
  - Excel, downloadable
  - Access, downloadable
- Azure (many cloud services):
  - IaaS like Virtual Networks (VNet) and Virtual Machines (VMs)
  - PaaS like SQL Server (Azure SQL)
  - Storage
- Amazon AWS (many cloud services):
  - IaaS like Virtual Private Cloud (VPC) and Virtual Machines (EC2)
  - PaaS replacements for PostgreSQL, SQL Server and MySQL databases (RDS)
  - Storage (S3)
  - PaaS for container technology such as Docker (ECS) and Kubernetes (EKS)
- Related, in the same term, is network security: site-to-site encryption (IPsec VPN), remote access VPN such as client VPN, and an inkling of device management
The theme is to outsource technical maintenance (backups, software updates, equipment maintenance and monitoring, data center selection, and networking) to the cloud. In exchange, you pay them a subscription fee, and you pay a vendor to keep your network connection to them available. At least for everyday things: some exotic things, such as merging or splitting organizations, you still have to find a consultant for, at least until the cloud companies figure out whether it is cost effective to add that as push-button automation.
The easiest technology to understand is Virtual Machines, which even developers understand intuitively. Cloud services typically install the operating system for you, from a preset list of choices. It is considered Infrastructure as a Service because it imitates a hardware machine in cloud software. But after it is installed, operating system maintenance is up to you. The cloud service does not keep it updated for you, because they cannot be responsible for updates that break software you installed on the machine for your own purposes; the provider patches the hypervisor underneath, you patch the guest. You can install whatever software you want on the VM. The machine can be exposed to the internet with a public IP address, which they will charge you for, or it can be hidden within the cloud provider's network, in which case you (or they) have to provide a way for you to connect to it.
Virtual Networks are a lesser understood IaaS offering. The reason, I think, is skeuomorphism: they imitate the connectivity options between computers that computer professionals are used to, and therefore only those professionals understand the metaphors. But in the cloud provider's use case, they are a way to control which of the cloud services you have bought are interconnected, and whether they are exposed to the internet. So when you see "private subnet" in a cloud offering, it means the subnet is isolated from directly accessing the internet (it can be connected indirectly, through a middle-man server or service such as a NAT gateway or bastion host, which your IT professional architects according to "best practice"). Don't make me explain what "best practice" means. I can't even explain it without having a bunch of IT professionals jump all over me. So it is typically said vaguely, to avoid interruptions from those people.
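As an added example (not code from the original post), here is a small Python model of the pieces just described: subnets whose route tables do or do not have a default route to an internet gateway, VMs with or without a public IP, and security-group style ingress rules. The audit answers the practical question behind "public" versus "private": which machines can arbitrary internet hosts actually reach, and on which ports? Everything in it (subnet names, CIDRs, the VM fleet, the corporate address range) is constructed for illustration and assumes a simplified AWS/Azure-style model.

```python
"""Added example (not the original post's code): a toy model of cloud virtual-network
pieces (subnet route tables, security-group rules, public IPs) and an audit that
answers the question raised in the post: which VMs are directly reachable from the
internet, and on which ports? All names, CIDRs and rules are constructed for
illustration and assume a simplified AWS/Azure-style model."""
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Optional

ANYWHERE = ip_network("0.0.0.0/0")
ADMIN_PORTS = {22, 3389}  # SSH and RDP: the ports attackers scan for first


@dataclass
class Subnet:
    name: str
    cidr: str
    # Where the subnet's route table sends 0.0.0.0/0: "igw" (internet gateway,
    # so the subnet is "public"), "nat" (outbound only), or None (no default route).
    default_route: Optional[str]

    @property
    def is_public(self) -> bool:
        return self.default_route == "igw"


@dataclass
class Rule:
    port: int
    source: str  # CIDR allowed to connect on this port


@dataclass
class VM:
    name: str
    subnet: Subnet
    public_ip: bool
    ingress: list = field(default_factory=list)


def exposure(vm: VM) -> str:
    """Classify how the VM can talk to the internet, given its subnet and address."""
    if vm.subnet.is_public and vm.public_ip:
        return "internet-facing"
    if vm.subnet.default_route in ("igw", "nat"):
        return "private, outbound only"
    return "private, isolated"


def internet_exposed_ports(vm: VM) -> list:
    """Ports that arbitrary internet hosts can reach: the VM must be internet-facing
    AND have a security-group rule whose source is 0.0.0.0/0 for that port."""
    if exposure(vm) != "internet-facing":
        return []
    return sorted({r.port for r in vm.ingress if ip_network(r.source) == ANYWHERE})


def audit(vms) -> list:
    """One finding per VM that exposes an admin port to the whole internet."""
    findings = []
    for vm in vms:
        bad = sorted(set(internet_exposed_ports(vm)) & ADMIN_PORTS)
        if bad:
            findings.append(f"{vm.name}: admin port(s) {bad} open to 0.0.0.0/0")
    return findings


# Constructed fleet: two web servers in a public subnet, a database hidden in
# a private subnet, and a bastion host for staff SSH.
PUBLIC = Subnet("public-a", "10.0.1.0/24", default_route="igw")
PRIVATE = Subnet("private-a", "10.0.2.0/24", default_route="nat")
CORP = "203.0.113.0/24"  # constructed corporate egress range (documentation address space)

WEB1 = VM("web-1", PUBLIC, public_ip=True, ingress=[Rule(443, "0.0.0.0/0"), Rule(22, "0.0.0.0/0")])
WEB2 = VM("web-2", PUBLIC, public_ip=True, ingress=[Rule(443, "0.0.0.0/0"), Rule(22, CORP)])
BASTION = VM("bastion", PUBLIC, public_ip=True, ingress=[Rule(22, CORP)])
DB1 = VM("db-1", PRIVATE, public_ip=False, ingress=[Rule(5432, PUBLIC.cidr)])
FLEET = [WEB1, WEB2, BASTION, DB1]

if __name__ == "__main__":
    for vm in FLEET:
        print(f"{vm.name:8} {exposure(vm):24} open to internet: {internet_exposed_ports(vm)}")
    for finding in audit(FLEET):
        print("FINDING:", finding)
```

A VM in a public subnet, with a public IP, with a 0.0.0.0/0 rule is the only combination that shows up as internet-exposed; drop any one of the three and it does not. The NAT-gateway case is why a private subnet can still download patches (the OS maintenance the post says is your job) without accepting inbound connections.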
Online storage should by now be a well understood product, since products like OneDrive, Dropbox and Google Drive have been available since I was in MBA programs in 2010. There are additional products better understood by technology professionals, such as file system shares and block storage services that mimic a hard drive.
Software as a Service (SaaS) is simply when your favorite software now runs in a web browser: Gmail and outlook.com, for instance. They've put Office on the web too.
Platform as a Service (PaaS) is typically what IT professionals use. A network and server engineer might use something like Exchange in the cloud to replace several Windows servers, or Active Directory in the cloud to make employee computer accounts available across several networks. They have no idea what operating systems these software services are installed on, as long as their software can connect to them to get mail or authenticate passwords. Developers would use it to deploy or publish their software: customized WordPress sites, custom software, or databases such as SQL Server that their custom applications connect to in order to store and retrieve data. This way, they too no longer have to worry about buying servers, having a place to plug them in, or making sure the network police don't come and take them away as unregistered devices on the network.
Data security is not yet a well understood discipline, at least as far as how to use the cloud with it. Nobody talks much about it, except for a paragraph on data anonymization. I don't see how you can anonymize AD in the cloud.
Cloud services offer VPN gateway services, for a fee, to create encrypted tunnels to the cloud subnets. On the corporate side this is done by a firewall that receives traffic destined for the cloud subnets and routes it through the VPN tunnel to the right cloud provider. This works as long as the subnets can be distinguished, i.e. the on-premises, AWS and Azure address ranges do not overlap, which your network administrator designs.
Once employees have access to the AWS cloud servers, for instance, if they need direct access to the web servers, they log in to them through the encrypted tunnel over the internet.
Visitors from the internet access an AWS load balancer, created in the AWS console, which distributes requests to the two web servers. See the thin red line in the diagram below.
Microsoft365 uses a simpler cloud model: Azure AD, Exchange Online, Teams and the other services are available through the web, by replicating on-premises Active Directory domain users (who log in to local workstations) to Microsoft365 users, which are backed by Azure AD. These users can then be assigned Microsoft365 licenses, after which they are replicated to Exchange Online and mailboxes are created. Rather than having an on-premises Exchange server installed on the domain, each user opens Outlook and points it directly at Exchange Online. No VPN tunnels are used for this. See the magenta and green lines in the diagram below.
And if you have a mobile workforce that needs direct access to a database for some reason, the data can be sent to an Azure SQL service through the VPN tunnel from the corporate site, and then a mobile employee with a laptop can access the database directly through an exposed public IP address, or through a remote access VPN to Azure. If you take the public IP route, restrict the Azure SQL server firewall to the source addresses you expect; the remote access VPN is the safer of the two options.
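As an added example (not from the original post), here is the routing decision the corporate firewall makes for the site-to-site tunnels described above, together with the precondition that the subnets "can be distinguished": no two sites may use overlapping address ranges, or the firewall has no way to tell which tunnel a packet belongs in. It also shows that traffic for anything outside the tunnelled ranges (Microsoft 365, for instance) takes the plain internet path. Site names, tunnel names and address ranges are constructed for illustration.

```python
"""Added example (not the original post's code): the route decision the on-premises
firewall makes for site-to-site IPsec tunnels, plus the precondition that the
cloud and on-premises subnets "can be distinguished" (do not overlap).
All site names and address ranges are constructed for illustration."""
from ipaddress import ip_address, ip_network

# Constructed address plan: each site gets its own non-overlapping range.
SITES = {
    "onprem": ["192.168.0.0/16"],
    "aws": ["10.10.0.0/16"],
    "azure": ["10.20.0.0/16"],
}
# Constructed bad plan: AWS and Azure were both left at 10.10.0.0/16. The
# firewall cannot tell which tunnel a packet for 10.10.1.5 belongs in.
BAD_SITES = {
    "onprem": ["192.168.0.0/16"],
    "aws": ["10.10.0.0/16"],
    "azure": ["10.10.0.0/16"],
}


def check_no_overlap(sites):
    """Return the (site_a, site_b) pairs whose ranges overlap; empty list means OK."""
    clashes = []
    names = list(sites)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if any(ip_network(ca).overlaps(ip_network(cb))
                   for ca in sites[a] for cb in sites[b]):
                clashes.append((a, b))
    return clashes


def build_routes(sites):
    """Turn the address plan into a route table: on-prem ranges are directly
    connected, each cloud range points into that cloud's tunnel. Longest prefix
    first, which is how real route tables pick among several matches."""
    routes = []
    for site, cidrs in sites.items():
        hop = "local" if site == "onprem" else f"tunnel-{site}"
        routes.extend((ip_network(c), hop) for c in cidrs)
    routes.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return routes


def plan(sites):
    """Build the route table, refusing an address plan that cannot be routed."""
    clashes = check_no_overlap(sites)
    if clashes:
        raise ValueError(f"overlapping address ranges, cannot route: {clashes}")
    return build_routes(sites)


def next_hop(routes, dst):
    """Where the firewall sends a packet for dst: a tunnel, the local LAN, or the
    default route to the internet (which is the path Microsoft 365 traffic takes)."""
    addr = ip_address(dst)
    for net, hop in routes:
        if addr in net:
            return hop
    return "internet"


if __name__ == "__main__":
    routes = plan(SITES)
    for dst in ["10.10.1.5", "10.20.3.4", "192.168.5.5", "52.96.0.1"]:
        print(f"{dst:14} -> {next_hop(routes, dst)}")
    print("bad plan clashes:", check_no_overlap(BAD_SITES))
```

The overlap check is the part worth keeping: both providers hand out 10.0.0.0/16-style defaults, and a tunnel to a range that also exists on the LAN silently blackholes one side or the other.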
20 years ago, I would never have believed there was money to be made this way. I saw free Gmail basically eat the lunch of the biggest ISPs, such as America Online, and I didn't see why you would choose to give yourself overhead in computing. But that is why I'm a programmer and not a businessman. They saw there were businesspeople who couldn't get over the barrier to entry of expensive computing equipment, and found a way to charge them monthly. And processors now have extensions built in to speed up virtual machines, and enterprise NICs support DMA straight to the VM (SR-IOV). No going back now.