Common Technology Services (CTS)
DRAFT
Connecting your network to a cloud service
Â
Connect directly to cloud providers to improve speed, reliability and security of access to cloud services.
Decide what type of peering you want
This guidance from Common Technology Services is not intended to inform your organisation's buying decisions. Government Digital Service (GDS) does not recommend specific products.
Read this guidance to:
- learn how government departments can connect their networks to cloud providers
- find out what services are provided centrally to help departments connect to cloud providers - in particular public IP addresses and public autonomous system numbers (ASNs)
- understand when to use standard internet connectivity and when to use dedicated connection
- find the right way to connect to a cloud service to ensure you get the right service levels and commercial terms
In some cases, organisations need to enhance their existing internet connectivity and use peering. Peering is when you voluntarily interconnect networks that are administratively separate, to exchange traffic directly between the users of each network. To initiate peering with one or more other networks, you need to enable a physical path between them and then exchange routing information using the Border Gateway Protocol (BGP).
Â
In public peering, the participating networks interconnect over a public exchange point. In private peering, the participating networks interconnect over a private exchange point.
Decide what type of peering you want
For public peering, you need to:
- advertise a public IP prefix to the cloud provider along with an ASN
- use the service provider’s requirements to determine whether an organisation needs a public ASN to peer with a cloud service
- register public ASNs to the end user organisation on an internet registry (RIPE) so that cloud providers can check public prefix ownership
Â
You can request provider independent IP addressing and public ASNs from the Public Services Network (PSN) team.Â
For private peering, you need to use a private ASN with RFC 1918 addresses.
Consider connectivity options
You can connect to a cloud provider over the internet through public peering or with a dedicated private connection, depending on the cloud provider’s requirements. Â
Cloud providers use specific partners to install private connections. Ask your cloud provider for their approved list of service providers. Relevant service providers are available online for:
Private network connections to cloud providers offer:
- dedicated and consistent bandwidth to the cloud provider
- a known connectivity path
- advanced network traffic management features such as quality of service (QoS)q for realtime services
Option 1: Wide area network extension
It is possible to connect the cloud provider directly to the wide area network (WAN). Consider the security of this solution - the cloud provider could have access to every connected site, including offices and datacentres, within the organisation.
In the following diagram a cloud provider is directly connected to an organisation’s WAN with a firewall used to control access to the WAN and any corporate services connected to the WAN.
Option 2: private connectivity
In the following diagram a cloud provider is connected to an organisation’s WAN with 2 connections to provide resilience. Access to the WAN is controlled by firewalls and network traffic can fail over from one link to the other without affecting the performance of the cloud services.   Â
Option 3: hybrid connectivity
Different cloud providers offer access to different products over different connectivity solutions. Check with the cloud provider which data is sent over the private connection and which data is sent over the internet.
For example, an application’s dynamic data could be sent over a dedicated private connection, but static content over an internet connection using a content delivery network (CDN). Having a private connection does not mean that all the data will be sent over it. Â
The following diagram outlines a hybrid of direct peering connectivity and internet connectivity. The organisation will connect to different services using the different types of connectivity. The internet link provides some resilience in the event of a connection failure.
Resilience
Consider how to make the connections resilient by having:
- multiple connections
- connections in different physical locations
Traffic path selection
Organisations should determine which paths they use to access the cloud provider by changing the BGP attributes applied to their edge routers.
You can alter the path taken for:
- outbound traffic by changing the local preference attribute to each link, in order to favour one path over the other to the cloud provider - network traffic will use the path with the highest local preference
- inbound traffic by prepending the AS_PATH attribute on outbound route advertisements to influence traffic flow from the cloud provider back into the department’s network - network traffic will use the shortest AS path
Security controls
Â
Evaluate cloud architecture to meet your security requirements.
Â
Consider:
- the architecture of your perimeter network
- the type of connectivity to the cloud provider and its impact on existing security
- which features are available from the cloud provider to build the perimeter network
- how to protect back-end workloads
- how to control the flow of traffic to the workloads in the cloud provider
- how to protect on-premise networks from deployments in the cloud provider
- when to use the native security features of the cloud provider instead of third-party appliances or services
Â
Most networks operate a perimeter model with security devices such as firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS).
Â
Before leaving the network, traffic from cloud based workloads flows through the security appliances in the perimeter network for policy enforcement, inspection, and auditing purposes. The perimeter network should operate perimeter controls between the cloud networks and the on-premise networks.
Â
Even with peered connectivity, it is still advisable to authorise different individuals to access the perimeter network security infrastructure and be application development, deployment, or operations administrators. Keeping these groups separate prevents a single person from bypassing both application security and network security controls.
Choose a cloud provider
When evaluating the connection to the cloud provider, consider:
- your technical prerequisites for connection
- the number of routes you need to exchange with the cloud provider
- who is initiating a connection
- your ability to control and monitor traffic
- your ASN requirements for peering (such as private or public ASNs)
Find out if:
- it’s possible to authenticate BGP sessions
- the cloud provider allows internet access via the private connection
- you can access the cloud service directly using RFC 1918Â addressingÂ
- network address translation (NAT) is required and what the impacts are
- there are any data transfer limits
- it’s possible to burst traffic over the contracted bandwidth and to what level traffic bursting is allowed
Consider:
- which features and services the cloud provider can support for a particular connection and peering types
- the resiliency options the cloud provider offers and whether there is enough separation (logical and physical) to satisfy the organisation’s risk appetite
- whether you can access multiple services over the same link
- whether you should advertise a default route and the impact on services you consume
- whether the cloud provider encrypts data in transit
Find out if the cloud provider supports:
Â
When evaluating the location of the cloud provider, consider:
- peering point locations
- whether there are enough peering points to provide appropriate resilience
- which country the data is stored in and is it acceptable to the organisation for a particular type of OFFICIAL data
Â
When evaluating the service of the cloud provider, consider:
- the likelihood and impact of a loss of service
- the minimum service level agreement (SLA) to meet your requirements
- what happens if an SLA is breached and the level of compensation the cloud provider offers
- the type of billing model, for example metered or unlimited data, and how easy is it to switch between billing models
When purchasing peered connectivity, consider:
- the type and volume of data being moved and from which locations - vendors have different charges for data depending on whether data is going in or out
- whether you need to cross charge any connectivity costs within your organisation - providers can subdivide bills to match project and department funding modelsÂ
Consider your exit strategy
Â
Before entering into a contract, think about the exit implications. Consider:
- who owns the assets and licenses
- who owns the configuration
- how to retrieve the data
- what format the data will be in once retrieved
- how much it will cost to retrieve the data
- how long it will take to retrieve the data
Read more on this topic
To find out how to control and secure your users when accessing cloud services over the internet then read:
- delivering cloud based proxy and filter services
E​mail contact.cts@digital.cabinet-office.gov.uk to​:
- join the CTS review group
- provide feedback on CTS guidance
- submit ideas for solutions
- discuss ​how this guidance will help you use technology more efficiently and effectively​​
Return to the Common Technology Services page.