Editor's note: This article on the development of cloud exchanges for enterprises that want to securely connect to public clouds is the second in our series on the evolution of network services to meet the changing needs of enterprise IT. Part one of the series looked at the increasing number of WAN access options. Coming soon, the final article in this series will look at network on-demand services.
One of the major attractions of public cloud services is the "public" part. Anyone can use them by signing up online. But two things still impede the adoption of public cloud services in many situations. The first is security, because a public Internet path between the user and the cloud service is uncontrolled and unmonitored. The second is poor network performance resulting from the variability of the path and traffic conditions along the way.
Nearly every organization uses at least one software as a service (SaaS) offering, and an increasing number even rely on SaaS to provide strategic, mission-critical functions. More than half also use some variety of public cloud infrastructure as a service offering, most often Amazon Web Services (AWS) or Microsoft Azure. Still, to promote public cloud use, one solution was to get the public Internet out of the loop. For several years, this was accomplished by special arrangement, mostly between large enterprises and cloud providers. The enterprise could establish a point of presence in a data center where the cloud provider had some infrastructure, then pay to have Ethernet pulled from one of its routers to a cloud provider's router.
By connecting edge to edge, all the variability and risk of traversing the public Internet is removed from the equation. Over time, cloud providers standardized this in product offerings like AWS Direct Connect or Microsoft Azure ExpressRoute.
In the last few years, the newest alternative for giving enterprises a more secure, higher-performance connection to public clouds has been the creation of cloud exchanges, where enterprises can easily connect their WANs to multiple cloud provider networks.
How cloud exchanges work
In this emerging model, the cloud exchange provider connects its network to a variety of cloud provider networks. The exchange enables any number of enterprises to connect on the other side via a WAN link. So, once enterprises have established credentials with any of the cloud providers at the exchange, they can spin up virtual circuits to connect from the cloud exchange to the public cloud instead of using direct physical links of their own. None of the traffic goes over the public Internet.
Cloud exchange providers can include traditional carriers like AT&T, CenturyLink and Verizon; network as a service providers like Aryaka; and data center hosting providers like Equinix.
With a cloud exchange, enterprises can eliminate one-to-one dedicated physical links to cloud providers and instead connect their WANs to cloud providers that the whole enterprise can use via exchange connections. Users in branches wanting to work on Salesforce, for example, would have their traffic flow back through the WAN to the exchange, and through the exchange to Salesforce without it ever touching the public Internet.
The only scenario where the WAN isn't connecting physically is if the enterprise uses a data center-centric offering like that offered by Equinix. In that case, the organization has to have a point of presence in one of the Equinix data centers to use it. It can be a WAN router or just a stack of enterprise servers, in which case organizations still get the benefit of a direct connection to a variety of cloud providers.
The use of cloud exchanges seems somewhat at odds with the increasingly popular Internet-only and direct Internet access branch networking models, but they aren't mutually exclusive.
For a branch with an Internet link only -- perhaps using it via a software-defined WAN to connect back to the enterprise WAN -- the cloud exchange still provides access to cloud providers with greater security, and possibly with more consistent performance, thanks to SD-WAN traffic management. For a branch with both dedicated multiprotocol label switching and direct Internet access, traffic bound for cloud providers linked through the cloud exchange can be routed on the WAN link for security, and traffic bound for other destinations can be sent out directly.
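The split-routing policy described above can be verified against flow records: any traffic to a cloud prefix reachable through the exchange that left a branch on the Internet link is a policy miss. The following Python sketch is an added example, not part of the original article; the prefixes (documentation ranges), branch names and log format are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: prefixes reachable through the cloud exchange (constructed values).
EXCHANGE_PREFIXES = [ipaddress.ip_network(p) for p in
                     ("198.51.100.0/24", "203.0.113.0/25", "2001:db8:c10d::/48")]

# Constructed flow records: "<branch> <dst_ip> <egress link: wan|internet> <bytes>"
SAMPLE_FLOWS = """\
branch-01 198.51.100.20 wan 48211
branch-01 192.0.2.80 internet 1200
branch-02 203.0.113.10 internet 90211
branch-02 203.0.113.200 internet 512
branch-03 2001:db8:c10d::5 internet 7000
branch-03 not-an-ip wan 10
"""

def expected_link(dst):
    """Link the policy requires: 'wan' for exchange-linked clouds, else 'internet'."""
    addr = ipaddress.ip_address(dst)  # raises ValueError on a malformed address
    return "wan" if any(addr in net for net in EXCHANGE_PREFIXES) else "internet"

def audit(log_text):
    """Return ({branch: bytes sent to exchange prefixes over the Internet link},
    [line numbers that could not be parsed])."""
    leaked, skipped = defaultdict(int), []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            branch, dst, link, nbytes = line.split()
            required = expected_link(dst)
            nbytes = int(nbytes)
        except ValueError:
            # Wrong field count, bad IP or bad byte count: report, do not guess.
            skipped.append(lineno)
            continue
        if required == "wan" and link != "wan":
            leaked[branch] += nbytes
    return dict(leaked), skipped

if __name__ == "__main__":
    misses, bad_lines = audit(SAMPLE_FLOWS)
    for branch, total in sorted(misses.items()):
        print(f"{branch}: {total} bytes to exchange-linked clouds left via Internet")
    print("unparsed lines:", bad_lines)
```

Unparsed lines are returned rather than dropped so that a logging fault is not mistaken for a clean audit.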
The goals of a cloud exchange service are to provide more secure connections to, and more consistent performance from, public cloud services in order to reduce business and operational risks. By cutting the public Internet out of the public cloud equation, cloud exchanges are expanding the range of options available to organizations that can't otherwise get the performance they need or the sense of security they want when using cloud services.