Site-to-Cloud Connection

• Site-to-cloud connectivity enables organizations to extend their on-premises networks to cloud service providers (CSPs) like AWS, Azure, or Google Cloud
• Creates hybrid cloud architectures where workloads can span both physical data centers and cloud environments
• Provides consistent network policies, security, and management across hybrid infrastructure

Connection Types

VPN-Based Connections:

• IPSec VPN tunnels establish encrypted connections over public internet
• Site-to-Site VPN connects entire networks (not individual users)
• Cost-effective but dependent on internet quality and bandwidth
• Typical throughput: 10 Mbps to 1 Gbps depending on internet connection

Dedicated Private Connections:

• Direct physical circuits bypass public internet entirely
• AWS Direct Connect, Azure ExpressRoute, Google Cloud Interconnect
• Provides predictable bandwidth, lower latency, and enhanced security
• Typical speeds: 50 Mbps to 100 Gbps with SLA guarantees

Software-Defined WAN (SD-WAN):

• Orchestrates multiple connection types (MPLS, broadband, LTE)
• Application-aware routing optimizes traffic paths based on requirements
• Centralized policy management across all sites and cloud connections

Architecture Components

BGP in Cloud Connectivity

• Border Gateway Protocol (BGP) is the standard for cloud connections
• Enables dynamic route advertisement between on-premises and cloud networks
• AS Numbers (ASN) identify routing domains - CSPs have public ASNs, enterprises typically use private ASNs (64512-65534)
• Route filtering prevents unwanted route advertisements (security concern)

BGP Configuration Example:

• Customer ASN: 65001 (private)
• AWS ASN: 7224 (public)
• Advertised prefixes: 192.168.0.0/16 (on-premises) ↔ 10.0.0.0/16 (AWS VPC)

Security Considerations

• Encryption in transit protects data crossing public networks (IPsec, TLS)
• Network segmentation isolates different workload types (DMZ, internal, management)
• Identity federation extends on-premises authentication to cloud resources
• Firewall rules must account for cloud-specific traffic patterns (east-west traffic)

Common Security Zones:

• Public subnet: Internet-facing resources (load balancers, NAT gateways)
• Private subnet: Application servers, databases
• Management subnet: Administrative access, monitoring tools

Quality of Service (QoS)

• Traffic classification ensures critical applications receive priority
• Voice/video typically requires <150ms latency, <1% packet loss
• Cloud backup traffic can use lower priority classes
• DSCP markings preserve QoS across network boundaries when supported

Notes

• Bandwidth planning should account for 20-30% overhead for protocol encapsulation and burst traffic
• Multiple connection types provide redundancy - primary direct connect with VPN backup is common
• Cloud egress charges can be significant - design data flows to minimize unnecessary cloud-to-internet traffic
• Consider latency requirements: direct connections typically provide 10-50ms lower latency than VPN over internet
• Route summarization reduces routing table size and improves convergence times
• Test failover scenarios regularly - cloud connections may fail differently than traditional WAN links
• Monitor connection utilization - cloud providers often charge for committed bandwidth whether used or not
• DNS resolution strategy impacts performance - consider split-brain DNS or cloud-hosted DNS for hybrid environments