To help address the challenges, this blog post attempts to answer some common questions by providing a summary of key concepts and approaches that enterprises adopt for connecting IBM application workloads to other clouds. Use the article as a guide to evaluate and determine the best options and connectivity offerings that fit your use case:
- Why are regulated workload components spread across multiple clouds?
- What are the typical workloads that require multicloud connectivity?
- How are IBM Cloud regulated workloads set up and connected to other clouds?
- What are the different ways multicloud workloads can connect and communicate?
1. Why are regulated workload components spread across multiple clouds?
Enterprises in regulated industries have complex business processes (e.g., insurance underwriting, claims processing, payment processing, fraud detection, medical data processing, etc.) and numerous other automated and semi-automated workflows that drive business functions. Modernizing these processes typically requires a combination of specialized best-of-breed vendor services or application offerings that may not all exist on the same cloud.
Many home-grown custom applications continue to operate on-premises on private cloud networks, separating them from dependent components running on other clouds. Additionally, enterprises often partner with managed service providers that have a centralized cloud location but must access resources distributed across multiple clouds. Utilizing different clouds for running the workloads is also often a strategic choice to meet compliance requirements, reduce vulnerability to outages and lower the risk of vendor lock-in.
2. What are the typical workloads that require multicloud connectivity?
Workloads that require multicloud connectivity can be categorized based on high-level use cases and types of data that are exchanged across clouds. Broadly, the categories include the following:
- Application data exchange: Client/server communication between application components across clouds (e.g., via RESTful APIs) to exchange data and complete synchronous or asynchronous transactions.
- Batch data transfer: Ad-hoc or scheduled batch data transfers between clouds for analytical processing, archiving, AI training or data migration.
- Administration access: Administrative remote access and communication between hosts on a cloud network and managed systems residing on other clouds, often part of managed services and third-party administration contracts.
- Monitoring and tooling data transfer: Real-time or non-real-time transfer of logs and/or performance and security monitoring data from systems across multiple clouds to a centralized collection and management system on a different cloud.
- Data replication: Real-time or non-real-time batch exchange of data between systems and components for replication for HA, DR, etc.
Depending on the complexity of the application, the enterprise deployments have a combination of the above workloads. Knowing the use cases and characteristics of the data exchanges across clouds are key factors for evaluating viable options for connecting the workload components.
3. How are IBM Cloud regulated workloads set up and connected to other clouds?
On IBM Cloud, enterprises with insurance and banking workloads often follow the VPC-based reference architecture from IBM Cloud for Financial Services. IBM Cloud for Financial Services provides security and controls built into the platform, automates security and compliance posture, and simplifies risk management for regulatory compliance.
Multicloud application workloads running on IBM Cloud for Financial Services VPCs connect and exchange data with applications or services running on VPCs or Software-as-a-Service (SaaS) offerings on other clouds. To enable this connectivity, enterprises choose from the cloud provider’s service offerings to enable access to and from VPCs to other clouds or networks:
IBM Cloud VPC connectivity service offerings are Financial Services Validated, ensuring compliance to the controls of the IBM Cloud Framework for Financial Services. The Site-to-Site VPN offering provides secure connectivity over the public internet, while Direct Link Connect and Direct Link Dedicated offerings provide secure and private connectivity leveraging existing partnerships with over 45 global service providers. These capabilities from IBM Cloud build trust and enable a transparent public cloud ecosystem with the features for security, compliance and resiliency that financial and other regulated institutions require.
4. What are the different ways multicloud workloads can connect and communicate?
There are three main approaches to establish connectivity between workloads running across different cloud providers:
- Over the public internet.
- Through connectivity partner networks.
- Direct connectivity at the data center facility.
Below is a description of the approaches and the associated IBM Cloud offerings:
Connectivity over public internet using public interfaces: One of the most common ways is application-to-application communication and connection by using secure public interfaces on the internet (e.g., public API endpoints or TCP host/ports exposed from custom applications, SaaS public API endpoints, etc.). While limited in the scope of use cases it can support, this approach is simple and frequently used because it requires no special networking resources other than public internet connectivity to and from the VPC. IBM Cloud Public Gateway and API Connect offerings provide the capabilities to utilize public interfaces and establish connectivity with services on another peer cloud:
Connectivity over the public internet using virtual private networks (VPNs): Another connectivity option over the public internet is virtual private network-to-network connectivity (i.e., virtual private networks (VPNs)). IBM Client-to-Site VPN enables connecting a host running on any cloud to an IBM Cloud VPC. IBM Site-to-Site VPN enables connectivity between an IBM Cloud VPC to a VPC on another peer cloud:
Connectivity through provider networks: A more comprehensive approach that provides private network-to-network connectivity is connecting the cloud VPC networks through a connectivity provider partner network. The IBM Cloud Direct Link Connect offering has pre-established partnerships with various network service providers that are also connected to the other clouds. It is a multi-tenant offering and provides secure and private connectivity of IBM Cloud VPCs to other peer cloud VPCs:
Direct connectivity at co-location data center facility: The most direct option for connecting the workloads is direct physical connectivity of the networks at a data center facility provider that has co-located IBM Cloud and another peer cloud. The IBM Cloud Direct Link Dedicated offering has pre-established partnerships with various co-location facilities and provides direct, secure and private single-tenant physical connectivity with other cloud networks.
An important step in adopting one or more of the above approaches for an enterprise multicloud workload is to evaluate the offerings available from IBM Cloud and the peer cloud providers. Selecting a viable offering requires an evaluation of various factors in terms of short- and long-term strategic goals and technical requirements.
To conclude, enterprises in regulated industries can adopt the VPC-based reference architecture from IBM Cloud for Financial Services to securely connect multicloud application workloads on IBM Cloud to other clouds and on-premises networks. Leveraging offerings like IBM Site-to-Site VPN to connect over public internet or IBM Direct Link for private network connectivity with a choice of over 45 global service providers, enterprises have various options to select connectivity offerings that are best suited to meet their business and technical requirements.Learn more about IBM Cloud for Financial Services
The next blog post provides a comparative description of the key factors to evaluate and ensure reliable and cost-effective connectivity between the clouds.