# Hybrid Cloud Networking

Configure secure, high-performance connectivity between on-premises and cloud environments using VPN, Direct Connect, and ExpressRoute.
## Purpose

Establish secure, reliable network connectivity between on-premises data centers and cloud providers (AWS, Azure, GCP).
## When to Use

- Connect on-premises networks to the cloud
- Extend the datacenter into the cloud
- Implement hybrid active-active setups
- Meet compliance requirements
- Migrate to the cloud gradually
## Connection Options

### AWS Connectivity

#### 1. Site-to-Site VPN

- IPsec VPN over the public internet
- Up to 1.25 Gbps per tunnel
- Cost-effective for moderate bandwidth
- Higher latency; availability depends on the internet path
```hcl
# Virtual private gateway attached to the VPC (the AWS side of the tunnels)
resource "aws_vpn_gateway" "main" {
  vpc_id = aws_vpc.main.id

  tags = {
    Name = "main-vpn-gateway"
  }
}

# On-premises VPN device: its public IP address and BGP ASN
resource "aws_customer_gateway" "main" {
  bgp_asn    = 65000
  ip_address = "203.0.113.1"
  type       = "ipsec.1"
}

# Site-to-Site VPN connection; static_routes_only = false enables BGP dynamic routing
resource "aws_vpn_connection" "main" {
  vpn_gateway_id      = aws_vpn_gateway.main.id
  customer_gateway_id = aws_customer_gateway.main.id
  type                = "ipsec.1"
  static_routes_only  = false
}
```
#### 2. AWS Direct Connect

- Dedicated network connection
- 1 Gbps to 100 Gbps
- Lower latency, consistent bandwidth
- More expensive; provisioning takes time

Reference: see `references/direct-connect.md`
### Azure Connectivity

#### 1. Site-to-Site VPN

```hcl
# Route-based VPN gateway deployed into the VNet's gateway subnet
resource "azurerm_virtual_network_gateway" "vpn" {
  name                = "vpn-gateway"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name

  type     = "Vpn"
  vpn_type = "RouteBased"
  sku      = "VpnGw1"

  ip_configuration {
    name                          = "vnetGatewayConfig"
    public_ip_address_id          = azurerm_public_ip.vpn.id
    private_ip_address_allocation = "Dynamic"
    subnet_id                     = azurerm_subnet.gateway.id
  }
}
```
#### 2. Azure ExpressRoute

- Private connection via a connectivity provider
- Up to 100 Gbps
- Low latency, high reliability
- ExpressRoute Premium add-on for global connectivity

### GCP Connectivity

#### 1. Cloud VPN

- IPsec VPN (Classic VPN or HA VPN)
- HA VPN: 99.99% SLA
- Up to 3 Gbps per tunnel

#### 2. Cloud Interconnect

- Dedicated Interconnect (10 Gbps, 100 Gbps)
- Partner Interconnect (50 Mbps to 50 Gbps)
- Lower latency than VPN
## Hybrid Network Patterns

### Pattern 1: Hub-and-Spoke

```text
On-Premises Datacenter
        ↓
VPN/Direct Connect
        ↓
Transit Gateway (AWS) / vWAN (Azure)
        ↓
├─ Production VPC/VNet
├─ Staging VPC/VNet
└─ Development VPC/VNet
```

### Pattern 2: Multi-Region Hybrid

```text
On-Premises
├─ Direct Connect → us-east-1
└─ Direct Connect → us-west-2
        ↓
Cross-Region Peering
```

### Pattern 3: Multi-Cloud Hybrid

```text
On-Premises Datacenter
├─ Direct Connect → AWS
├─ ExpressRoute → Azure
└─ Interconnect → GCP
```
## Routing Configuration

### BGP Configuration

```text
On-Premises Router:
  - AS Number: 65000
  - Advertise: 10.0.0.0/8

Cloud Router:
  - AS Number: 64512 (AWS), 65515 (Azure)
  - Advertise: Cloud VPC/VNet CIDRs
```
### Route Propagation

- Enable route propagation on the route tables
- Use BGP for dynamic routing
- Implement route filtering so only intended prefixes are accepted and advertised
- Monitor route advertisements

## Security Best Practices

- Prefer private connectivity (Direct Connect/ExpressRoute) over internet VPN
- Encrypt VPN tunnels (IPsec)
- Use VPC endpoints so traffic to cloud services avoids internet routing
- Configure network ACLs and security groups
- Enable VPC Flow Logs for monitoring
- Implement DDoS protection
- Use PrivateLink / Private Endpoints
- Monitor connections with CloudWatch / Azure Monitor
- Implement redundancy (dual tunnels)
- Audit the network configuration regularly
## High Availability

### Dual VPN Tunnels

```hcl
# Each AWS Site-to-Site VPN connection already provides two tunnels; a second
# connection to a separate customer gateway also survives the loss of the
# on-premises VPN device itself.
resource "aws_vpn_connection" "primary" {
  vpn_gateway_id      = aws_vpn_gateway.main.id
  customer_gateway_id = aws_customer_gateway.primary.id
  type                = "ipsec.1"
}

resource "aws_vpn_connection" "secondary" {
  vpn_gateway_id      = aws_vpn_gateway.main.id
  customer_gateway_id = aws_customer_gateway.secondary.id
  type                = "ipsec.1"
}
```
### Active-Active Configuration

- Multiple connections from different locations
- BGP for automatic failover
- Equal-cost multi-path (ECMP) routing
- Monitor the health of all connections
## Monitoring and Troubleshooting

### Key Metrics

- Tunnel status (up/down)
- Bytes in/out
- Packet loss
- Latency
- BGP session status

### Troubleshooting

```bash
# AWS VPN: connection state plus per-tunnel telemetry (VgwTelemetry: Status,
# StatusMessage, AcceptedRouteCount) is returned by describe-vpn-connections
aws ec2 describe-vpn-connections --vpn-connection-ids <vpn-id>
aws ec2 get-vpn-connection-telemetry

# Azure VPN: connection status, then a vendor-specific device configuration script
az network vpn-connection show --name <connection-name> --resource-group <rg>
az network vpn-connection show-device-config-script --name <connection-name> \
  --resource-group <rg> --vendor <vendor> --device-family <family> --firmware-version <version>
```
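As an added example (not part of the original skill or the cloud providers' tooling), the check below reads the JSON that `aws ec2 describe-vpn-connections` returns and evaluates the key metrics listed above: per-tunnel status, tunnel redundancy, and BGP route exchange. The sample output, VPN IDs and addresses are constructed, and treating a BGP-routed tunnel that is UP with `AcceptedRouteCount` of 0 as a likely unestablished BGP session is a troubleshooting heuristic.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-vpn-connections` output;
# IDs and addresses are made up, and only the fields the check reads are present.
SAMPLE_OUTPUT = json.dumps({"VpnConnections": [
    {"VpnConnectionId": "vpn-0a1b2c3d4e5f67890", "State": "available",
     "Options": {"StaticRoutesOnly": False},            # BGP (dynamic) routing
     "VgwTelemetry": [
         {"OutsideIpAddress": "198.51.100.10", "Status": "UP",
          "AcceptedRouteCount": 4, "StatusMessage": ""},
         {"OutsideIpAddress": "198.51.100.11", "Status": "UP",
          "AcceptedRouteCount": 0, "StatusMessage": ""}]},
    {"VpnConnectionId": "vpn-0f1e2d3c4b5a69788", "State": "available",
     "Options": {"StaticRoutesOnly": True},             # static routing
     "VgwTelemetry": [
         {"OutsideIpAddress": "198.51.100.20", "Status": "DOWN",
          "AcceptedRouteCount": 0, "StatusMessage": "IPSEC IS DOWN"},
         {"OutsideIpAddress": "198.51.100.21", "Status": "UP",
          "AcceptedRouteCount": 0, "StatusMessage": ""}]}]})


def check_vpn_connections(describe_output: str) -> dict:
    """Map each VPN connection ID to a list of findings (empty list = healthy)."""
    findings = {}
    for conn in json.loads(describe_output)["VpnConnections"]:
        issues = []
        uses_bgp = not conn.get("Options", {}).get("StaticRoutesOnly", False)
        tunnels = conn.get("VgwTelemetry", [])
        up = [t for t in tunnels if t.get("Status") == "UP"]
        if conn.get("State") != "available":
            issues.append(f"connection state is {conn.get('State')}")
        if not up:
            issues.append("all tunnels DOWN: connectivity lost")
        elif len(up) < 2:
            issues.append("only one tunnel UP: no redundancy")
        for t in tunnels:
            ip = t.get("OutsideIpAddress")
            if t.get("Status") != "UP":
                issues.append(f"tunnel {ip} DOWN: {t.get('StatusMessage') or 'no message'}")
            elif uses_bgp and t.get("AcceptedRouteCount", 0) == 0:
                # Heuristic: IPsec is up but no routes were learned, so the BGP
                # session over this tunnel is probably not established.
                issues.append(f"tunnel {ip} UP but 0 accepted routes: check BGP session")
        findings[conn["VpnConnectionId"]] = issues
    return findings


if __name__ == "__main__":
    for vpn_id, issues in check_vpn_connections(SAMPLE_OUTPUT).items():
        print(vpn_id, "OK" if not issues else "; ".join(issues))
```

Pipe the real command output into `check_vpn_connections` (for example from a scheduled job) to alert on lost redundancy before the second tunnel fails.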
## Cost Optimization

- Right-size connections based on traffic
- Use VPN for low-bandwidth workloads
- Consolidate traffic through fewer connections
- Minimize data transfer costs
- Use Direct Connect for high bandwidth
- Implement caching to reduce traffic
## Reference Files

- `references/vpn-setup.md` - VPN configuration guide
- `references/direct-connect.md` - Direct Connect setup

## Related Skills

- `multi-cloud-architecture` - For architecture decisions
- `terraform-module-library` - For IaC implementation