Chapter 11: Managing Hybrid Clouds

In the previous chapters, we covered cloud infrastructure fundamentals, common threats in cloud environments, how to handle compliance and regulation, and how to engage with cloud providers. In this chapter, we will discuss hybrid clouds.

A hybrid cloud is a combination of an on-premises data center or private cloud and a public cloud environment.

Hybrid cloud is considered an extension of our local data center and, as such, helps us minimize the effort required to control, maintain, and secure our infrastructure and services across the entire hybrid solution.

We are not only extending our local data center infrastructure to the cloud, but we are also extending our security boundaries to the cloud, so we wish to have a central way to control security operations in a hybrid architecture.

In this chapter, we will cover the following topics:

  • Hybrid cloud strategy
  • Identity management over hybrid cloud environments
  • Network architecture for hybrid cloud environments
  • Storage services for hybrid cloud environments
  • Compute services for hybrid cloud environments
  • Securing hybrid cloud environments

Technical requirements

For this chapter, you will need to have a solid understanding of concepts such as identity management, network, storage, compute, and how to secure cloud environments.

Hybrid cloud strategy

Before adopting a hybrid cloud architecture, we need to ask ourselves what we are trying to achieve through a hybrid cloud solution.

Cloud-native solutions for hybrid environments have the following benefits:

  • Integration of on-premises resources with cloud resources
  • Built-in integration with cloud services
  • Virtually unlimited capacity (compute and storage) for storing logs and running correlations between events
  • Virtually unlimited storage capacity for storing data (for backups, regulation compliance, disaster recovery, and more)
  • Support for federated identity management (allows a single identity to access resources in hybrid environments)

Let's look at some of the most common use cases for choosing hybrid cloud solutions.

Cloud bursting

The idea behind cloud bursting is to allow applications that run on-premises to burst into the cloud when there is a need for extra resource capacity – both planned and unplanned.

Some examples of cloud bursting are as follows:

  • A large demand for cloud resources for a short period during the Black Friday weekend until Cyber Monday
  • A campaign where a phone company ships a new product to the market
  • Large batch processing, such as genetic research

Backup and disaster recovery

The cloud is an excellent solution for backup and/or disaster recovery for your on-premises environments. It has (almost) no limitations for storing long-term backups, and it is highly suitable for building entire environments (when using Infrastructure as Code (IaC), as explained in Chapter 13, Security in Large-Scale Environments) within minutes to serve as disaster recovery.

Archive and data retention

Regulation might require us to archive logs and retain them for a long period (years).

The cloud offers us cheap archive storage tiers for this purpose.

Distributed data processing

If there is a need for processing huge amounts of data (such as Apache Hadoop), high-performance computing (such as weather forecasting), or machine learning (such as video analysis), the cloud can be a perfect solution.

Whenever we do not have the necessary resources in our local data center, we can deploy clusters in the cloud, perform our data analysis process, and, by the end of the process, erase all the unneeded resources to save money.

Application modernization

To avoid on-premises and legacy infrastructure constraints, the cloud allows us to re-architect our applications and switch to modern architectures such as microservices, or even go serverless.

Some workloads can be migrated to the cloud (such as modern developments), while other workloads must remain on-premises (due to regulations that force us to keep data on-premises) – such a mixed environment creates a hybrid architecture.

The cloud strategy helps organizations decide what to do with their existing applications and systems:

  • Retire: Decide which applications are no longer needed.
  • Retain: Decide which applications are needed but the migration to the cloud will be too complex and should remain on-premises.
  • Replace: Decide which applications can be replaced with managed services or SaaS solutions.
  • Rehost: Decide which applications can be lifted and shifted to the cloud with minimal effort.
  • Re-platform: Decide which applications need minimal changes to migrate to the cloud (for example, an OS upgrade).
  • Refactor: Decide which applications require significant modifications to migrate to the cloud (for example, switching from a monolith to a microservice architecture).
  • Reimagine: Decide which applications need to be rebuilt from scratch to benefit from cloud advantages (such as elasticity, multi-region, and more).

For more information, please refer to the following resources:

AWS database migration strategy: https://docs.aws.amazon.com/prescriptive-guidance/latest/strategy-database-migration/planning-phase.html

What is a hybrid cloud strategy?: https://www.vmware.com/topics/glossary/content/hybrid-cloud-strategy

Hybrid cloud: Enabling the rotation to the New: https://www.accenture.com/us-en/insights/cloud/hybrid-cloud-strategy

Summary

A hybrid cloud strategy helps organizations decide what to do with existing applications and set security policies for storing data in the cloud. Hybrid cloud strategies help organizations leverage cloud advantages (such as scale and short purchase processes), while still keeping legacy applications on-premises.

Identity management over hybrid cloud environments

One of the first things to decide on, before using the hybrid cloud, is identity management. Organizations would like to keep their existing identity provider, have a single identity for each of their end users (while preserving existing credentials), and still be able to access resources in the cloud.

Identity management in hybrid cloud environments can be split into the following areas:

  • Directory replication: Extending the on-premises directory into the cloud with either one-way replication or synchronization between the two.
  • Federated authentication: An on-premises component brokers the user authentication to the cloud using SAML, OIDC, or some other protocol.

Some of the benefits of using centralized identity management are as follows:

  • A single place to provision or de-provision identities
  • Reusing strong credentials and authentication capabilities
  • Centralization of access audits
  • Avoiding the need to support every cloud provider's native identity mechanism

How to manage identity over hybrid AWS environments

On-premises environments can have various types of identity providers – from Active Directory (AD) (for Windows-based applications) to LDAP-based identity directories (mostly for Linux-based applications). An organization may also consider Security Assertion Markup Language (SAML)-based authentication for cloud-native services.

Amazon supports the following identity management solutions for hybrid environments:

  • AWS IAM with AD Federation Services (ADFS): Gives you the ability to use AWS IAM's SAML-based federation to grant your on-premises identities (from the on-premises AD) access to AWS.
  • AWS Managed Microsoft AD: A fully managed AD that allows you to manage user identities from the on-premises AD or a local LDAP provider (usually for Linux-based applications).
  • AD Connector: A proxy service that allows you to manage AWS services such as Amazon WorkSpaces, Amazon EC2, and more using the on-premises AD.
  • AWS SSO: This allows you to centrally create identities across AWS organizations or bring identities from Microsoft AD or other identity providers (such as Okta, OneLogin, and more).

For more information, please refer to the following resources:

What is AWS Directory Service?: https://docs.aws.amazon.com/directoryservice/latest/admin-guide/what_is.html

AWS Federated Authentication with Active Directory Federation Services (AD FS): https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-ad-fs/

AWS Single Sign-On FAQs: https://aws.amazon.com/single-sign-on/faqs/

How to manage identity over hybrid Azure environments

Azure supports the following identity management solutions for hybrid environments:

  • Azure AD: SAML-based authentication. When synced with on-premises AD (using Azure AD Connect), you can have a single identity with access (according to business needs) to both on-premises resources and cloud-based resources (such as Azure resources and any SAML-based cloud service).
  • Azure AD Domain Services: A role that allows legacy protocols such as Kerberos (for Windows-based applications) or LDAP (for Linux-based applications) to be integrated.

For more information, please refer to the following resources:

Azure Active Directory integrations with authentication and synchronization protocols: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/auth-sync-overview

What authentication and verification methods are available in Azure Active Directory?: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods

How to manage identity over GCP hybrid environments

Google supports the following identity management solutions for hybrid environments:

  • Google Cloud Identity with AD Federation Services (AD FS): Gives you the ability to use SAML-based directory services to manage your on-premises identities (from the on-premises AD) or LDAP (for Linux-based applications).
  • Google Managed Service for Microsoft AD: A fully managed AD that allows you to manage user identities from on-premises AD.

For more information, please refer to the following resources:

Authenticating corporate users in a hybrid environment: https://cloud.google.com/architecture/authenticating-corporate-users-in-a-hybrid-environment

Federating Google Cloud with Active Directory: https://cloud.google.com/architecture/identity/federating-gcp-with-active-directory-introduction

Deploying Active Directory Federation Services: https://cloud.google.com/managed-microsoft-ad/docs/deploy-adfs

Best practices for managing identities in hybrid environments

Since identity management follows the same concepts over different hybrid cloud scenarios, it is recommended to follow these best practices:

  • Always pass authentication information through secured protocols – from TLS for SAML-based authentication, through Kerberos inside site-to-site VPN tunnels (over IPsec), to LDAP over SSL (LDAPS).
  • Enable Multi-Factor Authentication (MFA) for any account with privileges to access the cloud environment.
  • When you're granting access to resources, always follow the concept of least privilege.
  • Enable auditing for all login events (both success and fail) and send the logs to your preferred SIEM system.
  • Create rules on your SIEM system to alert you of anomalous behavior (such as root or administrator login, multiple failed logins, and more).
  • Use dedicated services such as Amazon GuardDuty, Microsoft Defender for Cloud, Google Security Command Center, and more to detect identity-based attacks.
  • When possible, use Identity Management (IDM) systems for provisioning, de-provisioning, and access (permissions) management over your entire hybrid environment.

Summary

Selecting authentication and authorization methods allows organizations to reuse their existing identity providers and keep a single identity for each of their end users in a central repository.

Network architecture for hybrid cloud environments

The second important thing to consider when building a hybrid architecture is how to connect from the on-premises environment to the cloud.

The recommended way to connect to cloud environments, considering the cloud as an extension of the local data center, is to use a secure and permanent network connection – either site-to-site VPN or a dedicated connection.

A secured and permanent connection will allow you to set access control (layer 4 firewall rules) between on-premises segments and cloud segments and retain access to resources in the cloud (or allow access from cloud resources to the on-premises environment) according to business needs. The following are some of the solutions you can choose, depending on the specific situation you are dealing with:

  • You should choose a VPN solution in the following situations:
    • You need a fast deployment time.
    • You are OK passing an IPsec tunnel over the internet.
    • You do not have bandwidth requirements.
    • You are looking for a low-cost solution.
  • You should choose a dedicated interconnect (AWS Direct Connect (DX), Azure ExpressRoute, or Google Cloud Interconnect) in the following situations:
    • You have bandwidth requirements (you need a solution with a fixed bandwidth).
    • You would like to have Service-Level Agreements (SLAs) on the network connectivity.
    • You would like to have private connectivity between your on-premises environment and the cloud environment.

How to connect the on-premises environment to AWS

Amazon offers the following services to allow hybrid connectivity:

  • AWS Managed Site-to-Site VPN: A fully managed VPN service that provides connectivity from the customer gateway (customer side of the VPN) over an IPsec tunnel.
  • AWS VPN CloudHub: A hub and spoke model that uses AWS-managed VPNs to connect Amazon VPC to multiple customer data centers, each with its own IPsec tunnels.
  • AWS Transit Gateway and VPN: A service that allows single-network connectivity (hub) over a VPN tunnel between the on-premises environment and multiple VPCs in the same region.
  • AWS DX: A dedicated connection from the on-premises environment to one or more VPCs in the same region in a pre-defined network bandwidth.
  • AWS DX and AWS Transit Gateway: A dedicated connection from the on-premises environment to one or more VPCs in up to three regions in a pre-defined network bandwidth.

The following are some best practices to keep in mind:

  • Always think about Classless Inter-Domain Routing (CIDR) before configuring network segments in the cloud to avoid IP conflicts between the on-premises environment and the cloud.
  • Use network ACLs, security groups, and route tables to configure network access rules between the on-premises environment and the resources inside your VPCs.
  • For redundancy, plan for failover connectivity – from multiple VPN connections or redundant interconnects – using different network providers or a combination of interconnect and VPN connectivity.
  • Use a dual site-to-site VPN connection, along with an AWS transit gateway, for connection redundancy between your on-premises environment and the cloud.
  • Use multiple DX connections with the DX gateway so that you have connection redundancy between your on-premises environment and the cloud.

For more information, please refer to the following resources:

Hybrid network connection: https://docs.aws.amazon.com/whitepapers/latest/hybrid-connectivity/hybrid-network-connection.html

AWS Transit Gateway and VPN: https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-transit-gateway-vpn.html

AWS Direct Connect and AWS Transit Gateway: https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-direct-connect-aws-transit-gateway.html

AWS VPN CloudHub: https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-vpn-cloudhub.html

How to connect the on-premises environment to Azure

Azure offers the following services to allow hybrid connectivity:

  • Azure VPN Gateway: A fully managed VPN service that provides connectivity from the on-premises environment to the cloud over IPsec tunnels.
  • Azure ExpressRoute: A dedicated connection from the on-premises environment to one or more Azure VNets in a pre-defined network bandwidth.
  • Hub and spoke network connectivity: A hub and spoke model that uses Azure VPN Gateway to connect the on-premises environment to multiple VNets using a single IPsec tunnel.

The following are some best practices to consider:

  • Always think about CIDR before configuring network segments in the cloud to avoid IP conflicts between the on-premises environment and the cloud.
  • Use Network Security Groups (NSGs) to configure network access rules between the on-premises environment and the resources inside your VNets.
  • For redundancy, plan for failover connectivity – from multiple VPN connections or a redundant ExpressRoute using different network providers, or a combination of ExpressRoute and VPN connectivity.
  • Use multiple site-to-site VPN connections for connection redundancy between your on-premises environment and the cloud.
  • Configure multiple connections from your on-premises environment (through your service provider's network) to the Azure ExpressRoute circuit for connection redundancy between your on-premises environment and the cloud.

For more information, please refer to the following resource:

Connect an on-premises network to Azure: https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/

How to connect the on-premises environment to GCP

GCP offers the following services to allow hybrid connectivity:

  • Google Cloud VPN: A fully managed VPN service that provides connectivity from the on-premises environment to the cloud over an IPsec tunnel.
  • Google Cloud Interconnect: A dedicated connection from the on-premises environment to one or more VPCs in a pre-defined network bandwidth.

The following are some best practices to consider:

  • Always think about CIDR before configuring network segments in the cloud to avoid IP conflicts between the on-premises environment and the cloud.
  • Use firewall rules to configure network access rules between the on-premises environment and the resources inside your VPCs.
  • For redundancy, plan for failover connectivity – from multiple VPN connections or redundant Cloud Interconnect using different network providers, or a combination of Cloud Interconnect and VPN connectivity.
  • Use a High-Availability (HA) VPN for connection redundancy between your on-premises environment and the cloud.
  • Use Dedicated Interconnect for connection redundancy between your on-premises environment and the cloud.
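The first best practice in each of the AWS, Azure, and GCP lists above (plan CIDR ranges so on-premises and cloud segments do not conflict) is a mechanical check that is worth automating before any VPN or interconnect is brought up. The following Python script is an added example, not code from the book or from any provider; the address plan in it is constructed, and the second function goes slightly beyond the text by proposing the next free block inside a reserved supernet.

```python
"""Detect overlapping CIDR ranges across an on-premises/cloud address plan.

Added example; the segment names and ranges below are constructed for illustration.
"""
from ipaddress import ip_network
from itertools import combinations
from typing import Dict, List, Optional, Tuple

# Constructed sample address plan: two data centers plus one segment per cloud.
SAMPLE_PLAN: Dict[str, str] = {
    "onprem-dc1": "10.0.0.0/16",
    "onprem-dc2": "10.1.0.0/16",
    "aws-vpc-prod": "10.0.128.0/17",    # mistakenly carved out of DC1's range
    "azure-vnet-hub": "10.2.0.0/16",
    "gcp-vpc-analytics": "172.16.0.0/20",
}


def parse_plan(plan: Dict[str, str]):
    """Parse every segment; strict=True rejects prefixes with host bits set."""
    return {name: ip_network(cidr, strict=True) for name, cidr in plan.items()}


def find_overlaps(plan: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return every pair of named segments whose address ranges intersect."""
    nets = parse_plan(plan)
    return sorted(
        (name_a, name_b)
        for (name_a, net_a), (name_b, net_b) in combinations(sorted(nets.items()), 2)
        if net_a.version == net_b.version and net_a.overlaps(net_b)
    )


def propose_free_block(plan: Dict[str, str], supernet: str, prefixlen: int) -> Optional[str]:
    """First /prefixlen block inside supernet that touches no existing segment.

    Goes beyond the text: use it to pick a cloud CIDR before creating the VPC/VNet.
    """
    existing = list(parse_plan(plan).values())
    parent = ip_network(supernet, strict=True)
    for candidate in parent.subnets(new_prefix=prefixlen):
        if not any(candidate.version == n.version and candidate.overlaps(n) for n in existing):
            return str(candidate)
    return None


if __name__ == "__main__":
    for a, b in find_overlaps(SAMPLE_PLAN):
        print(f"CONFLICT: {a} ({SAMPLE_PLAN[a]}) overlaps {b} ({SAMPLE_PLAN[b]})")
    print("Next free /16 in 10.0.0.0/8:", propose_free_block(SAMPLE_PLAN, "10.0.0.0/8", 16))
```

Run it against the real address plan (including ranges reserved for VPN client pools and any peered partner networks) before requesting a VPC or VNet, since changing a CIDR after resources exist usually means rebuilding them.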

For more information, please refer to the following resource:

Hybrid and multi-cloud network topologies: https://cloud.google.com/architecture/hybrid-and-multi-cloud-network-topologies

Summary

According to your business requirements, you can have a secured and redundant connection between your on-premises environment and the cloud.

Storage services for hybrid cloud environments

Now that we have decided on identity management and a network topology, the next thing we need to consider is how to use hybrid clouds for data transfer and storage.

In this section, we will review the various options for data transfer.

When considering hybrid storage connectivity, consider the following:

  • Bandwidth/latency/time to transfer
  • Use of public versus private connectivity
  • Moving files versus file synchronization
  • Encryption requirements (in transit and at rest)
  • Access control for a hybrid solution
  • Supported protocols (NFS, CIFS, and more)

How to connect to storage services over AWS hybrid environments

Amazon offers the following services to transfer data to the cloud in a hybrid architecture:

  • AWS Storage Gateway: A virtual appliance that is installed in the on-premises environment and gives it access to an object storage service (Amazon S3/Glacier), file storage (Amazon FSx for Windows), block storage (Amazon EBS), and the backup service (AWS Backup).
  • AWS DataSync: A data transfer service between the on-premises environment and object storage (Amazon S3), NFS file storage (Amazon EFS), and SMB file storage (Amazon FSx for Windows).
  • AWS Transfer Family: A file transfer service between the on-premises environment and object storage (Amazon S3) or NFS file storage (Amazon EFS), over the SFTP, FTPS, and FTP protocols.

The following are some best practices to consider:

  • Use AWS Storage Gateway when you need constant connectivity between the on-premises environment and your AWS storage services.
  • Use AWS DataSync when you need to copy files to/from the cloud.
  • Use AWS Transfer Family when you would like to copy files to the cloud over SFTP or FTPS protocols.
  • Always choose secured protocols (such as TLS, SFTP, or FTPS) when transferring files to the cloud.
  • Always configure IAM permissions on cloud resources, according to your business needs.
  • Enable auditing on any access to cloud resources.
  • Encrypt data at rest when it's stored in the cloud.
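Two of the bullets above (secured protocols in transit, encryption at rest) can be enforced on the S3 side of a Storage Gateway, DataSync, or Transfer Family setup with a bucket policy, so a misconfigured on-premises client is refused rather than silently trusted. The Python below is an added example, not the book's or AWS's code: it builds that policy and includes a deliberately simplified condition evaluator (only the Bool and Null operators, no Allow logic) to show which sample requests the two Deny statements catch; the bucket name is a placeholder.

```python
"""Build an S3 bucket policy that enforces TLS and encryption at rest, and check
sample requests against it. Added example; the evaluator models only the two
condition operators the policy uses and is not a full IAM policy engine."""
import fnmatch
import json
from typing import Any, Dict, List, Optional

BUCKET = "example-hybrid-backup-bucket"  # placeholder, not a real bucket name


def build_bucket_policy(bucket: str) -> Dict[str, Any]:
    """Two explicit Deny statements: no plaintext transport, no unencrypted uploads."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {
                "Sid": "DenyUnencryptedObjectUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{bucket_arn}/*",
                # Null/true means "the request did not set this key at all"
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
        ],
    }


def _as_list(value: Any) -> List[str]:
    return value if isinstance(value, list) else [value]


def _condition_matches(condition: Dict[str, Dict[str, str]],
                       ctx: Dict[str, Optional[str]]) -> bool:
    """Simplified evaluation of the Bool and Null operators only."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "Bool":
                if actual is None or actual.lower() != expected.lower():
                    return False
            elif operator == "Null":
                if (actual is None) != (expected.lower() == "true"):
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled here")
    return True


def denied_by(policy: Dict[str, Any], action: str, resource: str,
              ctx: Dict[str, Optional[str]]) -> Optional[str]:
    """Return the Sid of the first Deny statement matching the request, else None."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), ctx):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    obj = f"arn:aws:s3:::{BUCKET}/backups/db.dump"
    print(denied_by(policy, "s3:GetObject", obj, {"aws:SecureTransport": "false"}))
```

S3 has encrypted new objects with SSE-S3 by default since January 2023, so the second statement's practical value is forcing clients to state an encryption choice (for example, to insist on aws:kms with a StringNotEquals condition); a client that relies on the default and omits the header is rejected by the Null check.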

For more information, please refer to the following resources:

AWS Storage Gateway FAQs: https://aws.amazon.com/storagegateway/faqs/

Back up your on-premises applications to the cloud using AWS Storage Gateway: https://aws.amazon.com/blogs/storage/back-up-your-on-premises-applications-to-the-cloud-using-aws-storage-gateway/

How AWS DataSync works: https://docs.aws.amazon.com/datasync/latest/userguide/how-datasync-works.html

How to connect to storage services over Azure hybrid environments

Azure offers the following services to transfer data to the cloud in a hybrid architecture:

  • Azure Data Box Gateway: A device that is installed in the on-premises environment and allows you to copy data from it to Azure Storage using the NFS or SMB protocol.
  • Azure Data Factory: An Extract-Transform-Load (ETL) solution for copying files to services such as Azure Storage, Azure SQL, Azure HDInsight, and more.
  • Azure File Sync: A data copy service that's installed as an agent on Windows machines and allows you to copy files over the SMB or NFS protocol to Azure Storage.

The following are some best practices to consider:

  • Use Azure Data Box Gateway when you need a long-term archive of your data or for bulk data transfer.
  • Use Azure Data Factory when you need to create a process for moving data to/from the cloud to services such as Azure Storage, Azure SQL, Azure Data Lake Storage, and more.
  • Use Azure File Sync when you need to copy (or sync) files to Azure Storage.
  • Always choose secured protocols (such as TLS) when you're transferring files to the cloud.
  • Always configure permissions on cloud resources, according to your business needs.
  • Enable auditing on any access to cloud resources.
  • Encrypt data at rest when it's stored in the cloud.

For more information, please refer to the following resources:

Use cases for Azure Data Box Gateway: https://docs.microsoft.com/en-us/azure/databox-gateway/data-box-gateway-use-cases

What is Azure Data Factory?: https://docs.microsoft.com/en-us/azure/data-factory/introduction

What is Azure File Sync?: https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-introduction

How to connect to storage services over GCP hybrid environments

GCP offers a transfer service for on-premises data – a software service that allows you to transfer large amounts of data from an on-premises environment to Google Cloud Storage.

The following are some best practices to consider:

  • Always choose secured protocols (such as TLS) when transferring files to the cloud.
  • Always configure permissions on cloud resources according to your business needs.
  • Enable auditing on any access to cloud resources.
  • Encrypt data at rest when it's stored in the cloud.

For more information, please refer to the following resource:

Transfer service for on-premises data overview: https://cloud.google.com/storage-transfer/docs/on-prem-overview

Summary

In this section, we reviewed the various options that AWS, Azure, and GCP offer for transferring data from on-premises environments to the cloud in a hybrid cloud scenario.

Compute services for hybrid cloud environments

The hybrid cloud architecture is not just limited to connecting on-premises environments to the cloud for resource consumption. It can also be used in scenarios where an organization would like to keep its data locally (due to regulatory restrictions or network latency) while still benefitting from cloud capabilities and, perhaps sometime in the future, be able to migrate data and resources to the cloud.

Using compute services over AWS hybrid environments

Amazon offers the following services in a local deployment topology:

  • AWS Outposts: A fully managed service that brings the same compute, storage, database, and networking capabilities as the cloud on-premises, in the shape of a physical rack.
  • Amazon ECS Anywhere: Gives you the ability to deploy Amazon ECS on-premises (same capabilities and APIs as the cloud version).
  • Amazon EKS Anywhere: Gives you the ability to deploy Amazon Elastic Kubernetes Service (EKS) on-premises (same capabilities as the cloud version).

The following are some best practices to consider:

  • Connect the local service (AWS Outposts, ECS Anywhere, or EKS Anywhere) to an AWS Region close to your physical location.
  • Make sure there is network connectivity between your local data center (where you deployed the preceding services locally) and the AWS Region.
  • Use AWS Outposts when you would like to have AWS services (EC2, EBS, RDS, and more) deployed locally to make sure your data does not leave your data center (or your country).
  • Use VPC, security groups, and Local Gateway (LGW) to restrict access between your on-premises data center resources and the resources that have been deployed inside AWS Outposts.
  • Use encrypted protocols (such as TLS) between your local data center and the AWS services you've deployed locally (AWS Outposts, ECS Anywhere, and EKS Anywhere).
  • Encrypt data at rest for resources that are deployed inside AWS Outposts (the same way you would do in the cloud).
  • Use Amazon ECS Anywhere to deploy development environments or small-scale production ECS environments locally, using the same ECS capabilities and APIs, and then burst to the cloud to get the full scale of the Amazon ECS service.
  • Use Amazon EKS Anywhere to deploy development environments or small-scale production Kubernetes environments locally, using the same EKS capabilities, and then burst to the cloud to get the full scale of the Amazon EKS service.
  • Use minimal IAM permissions for all AWS resources that are deployed locally (the same way you would do in the cloud).
  • Use AWS CloudTrail to monitor the activity of all AWS resources that are deployed locally (the same way you would do in the cloud).

For more information, please refer to the following resources:

AWS Outposts User Guide: https://docs.aws.amazon.com/outposts/latest/userguide/outposts.pdf

Amazon ECS Anywhere FAQs: https://aws.amazon.com/ecs/anywhere/faqs/

Amazon EKS Anywhere FAQs: https://aws.amazon.com/eks/eks-anywhere/faqs/

Using compute services over Azure hybrid environments

Azure offers the following services in a local deployment topology:

  • Azure Stack Hub: A fully managed service containing the same type of compute, storage, database, and networking capabilities that are deployed on-premises in the shape of a physical rack
  • Azure Arc: A service that allows unified management of your resources – both on Azure and on-premises (configuring Azure Policy and managing VMs, Kubernetes clusters, and databases from a single console)

The following are some best practices to consider:

  • Use Azure Stack Hub when you would like to have Azure services (VM, Azure Managed Disks, Azure Blob Storage, and more) deployed locally to make sure your data does not leave your data center (or your country).
  • Use Azure Stack Hub's built-in network ACLs to restrict access between your on-premises data center resources and resources that are deployed inside Azure Stack Hub.
  • Encrypt all data in transit using the TLS protocol when you're passing traffic between Azure Stack Hub and your local data center.
  • Connect Azure Stack Hub to Azure AD or AD FS to configure minimal role-based access control to resources inside Azure Stack Hub.
  • Use Microsoft Defender for Endpoint to protect VMs that are deployed inside Azure Stack Hub and make sure that you keep the antivirus up to date.
  • Use Azure Arc for the following scenarios:
    • Asset management for all your resources (VMs, Kubernetes, and databases)
    • Centrally configuring role-based access controls for both Azure resources and on-premises resources
    • Centrally configuring policies using Azure Policy, both on VMs and Kubernetes clusters
    • Updating security patches on servers, both on Azure and on-premises
    • Protecting your servers using Microsoft Defender for Cloud, both on Azure and on-premises
    • Connecting all your servers to the Azure Sentinel SIEM service, both on Azure and on-premises
    • Monitoring your servers using Azure Monitor, both on Azure and on-premises
    • Protecting Kubernetes clusters using Microsoft Defender for Containers, both on Azure and on-premises

For more information, please refer to the following resources:

What is Azure Stack Hub?: https://docs.microsoft.com/en-us/azure-stack/user/user-overview

Azure Arc overview: https://docs.microsoft.com/en-us/azure/azure-arc/overview

Using compute services over GCP hybrid environments

GCP offers a service called Anthos clusters that allows you to manage and deploy Kubernetes clusters in the cloud and on-premises (based on the virtualization platform or bare metal).

The following are some best practices to consider:

  • Use Anthos clusters when you wish to run a GKE cluster on-premises using the same capabilities, version, and APIs as the fully managed GKE in the cloud.
  • Use a private package repository server to make sure your packages are kept secure and never leave your local data center. Make sure all the packages are using the most recent libraries and binaries.
  • Use a Container Storage Interface (CSI) driver to connect the local Kubernetes cluster to storage.
  • Use Google Cloud IAM to grant minimal permissions for the Kubernetes cluster to access resources.
  • When you're using RHEL or CentOS, enforce the use of SELinux.

For more information, please refer to the following resource:

Anthos clusters: https://cloud.google.com/anthos/clusters/docs

Summary

In this section, we reviewed some of the alternatives for using cloud resources locally, based on AWS, Azure, and GCP services. Each cloud provider takes a different approach to hybrid cloud.

AWS and Azure offer a physical rack to be deployed on-premises and can run VMs, storage, and databases. Both AWS and GCP offer solutions to allow you to deploy Kubernetes clusters on-premises with the same APIs and capabilities as the cloud version.

Securing hybrid cloud environments

When it comes to securing hybrid cloud environments, we are looking for solutions that can manage the entire environment (both on-premises and in the cloud) in a centralized way.

How to secure AWS hybrid environments

AWS offers the following services for managing security in hybrid environments:

  • AWS Systems Manager: This allows you to manage VMs from a compliance, patch management, and hardening perspective (central location for running scripts over hybrid environments).
  • AWS Secrets Manager: A central and secured location for managing secrets (credentials, API keys, and more) over hybrid environments.
  • AWS Elastic Disaster Recovery: Provides secure data replication for disaster recovery between on-premises environments and the cloud.
  • Amazon CloudWatch agent: This allows you to collect OS logs from VMs in hybrid environments.

The following are some best practices to consider:

  • Deploy AWS Systems Manager Agent on both EC2 instances in the cloud and on your on-premises servers (Windows or Linux).
  • Use AWS Systems Manager to set a patch baseline and get notified about VMs missing security patches (afterward, you can push security patches using Systems Manager).
  • Use AWS Systems Manager Agent to push audit logs from your local VMs to AWS CloudTrail. Once all the logs have been stored inside CloudTrail, you can use AWS GuardDuty to get notified about a possible breach in your hybrid environment.
  • Use AWS IAM to grant minimal permissions to allow your local VMs to communicate with AWS services.
  • Encrypt all traffic between your local Systems Manager agents and the AWS Systems Manager service using TLS.
  • Use AWS Systems Manager Change Manager to check for configuration changes on all your VMs (both in the cloud and on-premises).
  • Use AWS Secrets Manager to generate, revoke, store, and retrieve sensitive information (such as database credentials, API keys, and more) instead of storing secrets hardcoded on your VMs.
  • Use CloudTrail to audit API activities of AWS Secrets Manager (such as who generates secrets, who accesses secrets, and more).
  • Use AWS Elastic Disaster Recovery to build a disaster recovery solution for your on-premises VMs by replicating entire VMs to the cloud.
  • Deploy Amazon CloudWatch Agent on both EC2 instances in the cloud and on your on-premises servers (Windows or Linux).
  • Use Amazon CloudWatch Logs as a central log repository where you can create alerts on activities such as failed logins, security-related events from the OS security event logs, and more.
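The last two best practices above (the CloudWatch agent shipping OS logs, and CloudWatch Logs alerting on failed logins) in working form, as an added example that is not code from the book: a metric filter that counts failed-login lines from Linux sshd/PAM and the Windows Security log, and an alarm on that count. The log group name, metric namespace and SNS topic ARN are assumed placeholders.

```python
# Added example (not from the book): CloudWatch Logs metric filter plus alarm
# for failed logins in OS logs shipped by the CloudWatch agent. Log group,
# namespace and SNS topic ARN are assumed placeholder values.

# Terms to match in unstructured OS log lines: Linux sshd/PAM failures and
# the Windows Security log "account failed to log on" event (ID 4625) as
# forwarded in text format. A leading "?" makes each term an OR alternative
# in CloudWatch Logs filter-pattern syntax.
FAILED_LOGIN_TERMS = ("Failed password", "An account failed to log on")
FILTER_PATTERN = " ".join(f'?"{term}"' for term in FAILED_LOGIN_TERMS)


def matches_failed_login(line: str) -> bool:
    """Mirror the OR semantics of FILTER_PATTERN locally, so the terms can be
    checked against sample log lines before the filter is deployed."""
    return any(term in line for term in FAILED_LOGIN_TERMS)


def build_failed_login_alarm(log_group, sns_topic_arn, threshold=10,
                             namespace="HybridSecurity"):
    """Return (put_metric_filter kwargs, put_metric_alarm kwargs): one metric
    data point per matching event, alarm when >= threshold in 5 minutes."""
    metric_filter = {
        "logGroupName": log_group,
        "filterName": "FailedLogins",
        "filterPattern": FILTER_PATTERN,
        "metricTransformations": [{
            "metricName": "FailedLogins",
            "metricNamespace": namespace,
            "metricValue": "1",   # count one per matching log event
            "defaultValue": 0.0,  # publish 0 when nothing matches
        }],
    }
    alarm = {
        "AlarmName": "FailedLogins-" + log_group.strip("/").replace("/", "-"),
        "Namespace": namespace, "MetricName": "FailedLogins",
        "Statistic": "Sum", "Period": 300, "EvaluationPeriods": 1,
        "Threshold": threshold,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "TreatMissingData": "notBreaching",  # quiet periods are not failures
        "AlarmActions": [sns_topic_arn],     # notify the security team topic
    }
    return metric_filter, alarm


if __name__ == "__main__":
    import boto3  # only needed when run against a real AWS account
    f, a = build_failed_login_alarm("/hybrid/os-security",
                                    "arn:aws:sns:REGION:ACCOUNT:security-alerts")
    boto3.client("logs").put_metric_filter(**f)
    boto3.client("cloudwatch").put_metric_alarm(**a)
```

The same filter pattern applies to a log group that mixes Linux and Windows hosts, since each term is matched independently.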

For more information, please refer to the following resources:

Setting up AWS Systems Manager for hybrid environments: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-managedinstances.html

AWS Secrets Manager Features: https://aws.amazon.com/secrets-manager/features/

AWS Elastic Disaster Recovery: https://aws.amazon.com/disaster-recovery/

Installing the CloudWatch agent on on-premises servers: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/install-CloudWatch-Agent-on-premise.html

What is Amazon CloudWatch Logs?: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html

How to secure Azure hybrid environments

Azure offers the following services for managing security in hybrid environments:

  • Microsoft Defender for Cloud: A service for protecting servers and clients (Windows and Linux) and SQL databases. It is also a centralized service for managing security in the cloud and on-premises.
  • Azure Sentinel: A cloud-based SIEM service.

The following are some best practices to consider:

  • Deploy Azure Arc and enable Microsoft Defender on all your VMs, both on-premises and in the cloud.
  • Deploy a Log Analytics agent on your on-premises servers to allow security information to be received inside the Microsoft Defender for Cloud console.
  • Deploy Microsoft Defender for SQL on your local SQL databases.
  • Use the built-in vulnerability assessment that comes with Microsoft Defender for Cloud to detect vulnerabilities in your on-premises environment and the cloud.
  • Use Microsoft Defender for SQL to scan for vulnerabilities on all your SQL databases – both on-premises and in the cloud.
  • Use Microsoft Defender for Containers to defend all your Kubernetes clusters – both on-premises and in the cloud.
  • Connect Microsoft Defender for Containers to Azure Sentinel so that you can correlate security incidents and respond to security alerts – both on-premises and in the cloud.

For more information, please refer to the following resources:

What is Microsoft Defender for Cloud?: https://docs.microsoft.com/en-us/azure/security-center/azure-defender

What is Azure Sentinel?: https://docs.microsoft.com/en-us/azure/sentinel/overview

How to secure GCP hybrid environments

GCP offers the following services for managing security in hybrid environments:

  • Google Cloud Endpoints: A service for securing, monitoring, analyzing, and setting quotas for APIs – both in the cloud and on-premises
  • Private Google Access: Allows private access from on-premises environments to Google APIs and services

The following are some best practices to consider:

  • When you're using Google Cloud Endpoints, remember the following:
    • Encrypt traffic using SSL with Extensible Service Proxy (ESP) to keep the confidentiality of sensitive information (such as credentials, PII, and more).
    • Use ESP to validate authentication requests to the API backend (such as Firebase authentication, Auth0, Google ID token authentication, and more).
    • If you're using API keys, restrict access to those API keys using the Service Control API.
    • Use Google Cloud IAM to restrict access to APIs.
  • When you need to access Google APIs or services from the on-premises environments, remember the following:
    • Connect to your VPC using Cloud VPN or Cloud Interconnect.
    • Redirect traffic through private.googleapis.com for APIs that do not support VPC service controls.
    • Redirect traffic through restricted.googleapis.com for APIs that support VPC service controls.
    • Use firewall rules to allow access from the on-premises environment to your VPC.

For more information, please refer to the following resources:

Cloud Endpoints documentation: https://cloud.google.com/endpoints/docs

Configuring Private Google Access for on-premises hosts: https://cloud.google.com/vpc/docs/configure-private-google-access-hybrid

Summary

In this section, we reviewed several services from AWS, Azure, and GCP that allow you to have central management over your hybrid environments – both on-premises and cloud resources.

Summary

In this chapter, we focused on hybrid clouds. We reviewed the importance of having a hybrid cloud strategy to allow organizations to adopt cloud services and hybrid solutions. We also discussed the various IAM solutions from AWS, Azure, and GCP, which allow organizations to have a central directory service so that they can keep a single identity for each end user.

We looked at the various methods that AWS, Azure, and GCP use to help organizations connect their on-premises environment to the cloud in a hybrid architecture. We also discussed the various storage services that allow organizations to transfer data to the cloud. Then, we dived into various compute services that allow organizations to control all their compute needs using the same technology and capabilities – both on-premises and in the cloud.

Finally, we reviewed several services from AWS, Azure, and GCP that allow organizations to achieve a single pane of glass for managing security both on-premises and in the cloud.

Understanding the topics mentioned in this chapter will provide organizations with the necessary tools for when they build a hybrid cloud architecture.

In the next chapter, we will review multi-clouds (including identity management, vulnerability and patch management, configuration management, monitoring, and network security-related topics).
