Cloud Networking

Despite the cloud's transformative potential, most enterprises don't operate exclusively in public cloud. Legacy systems, regulatory constraints, data gravity, and specialized hardware requirements keep workloads running on-premises. Hybrid cloud is the architectural approach that spans both worlds, enabling organizations to leverage cloud benefits while maintaining necessary on-premises presence.

Hybrid cloud isn't merely "some things on-premises, some things in cloud." True hybrid architecture creates a cohesive operating environment where workloads can move between environments, data flows seamlessly, management is unified, and security policies apply consistently. Achieving this cohesion requires deliberate design across networking, identity, data management, and operations.

This page explores hybrid cloud architecture in depth: the driving forces, design patterns, networking requirements, data synchronization strategies, identity federation, and the operational practices that make hybrid environments manageable rather than chaotic.

Understanding why organizations adopt hybrid cloud informs how to architect it effectively. Hybrid isn't a compromise or intermediate step—it's often the optimal permanent architecture.

Key Drivers for Hybrid Cloud

1. Regulatory and Compliance Requirements

Certain industries (finance, healthcare, government) face regulations requiring data residency, audit controls, or air-gapped environments that public cloud cannot easily satisfy. Sensitive workloads remain on-premises while less regulated workloads leverage cloud.

2. Data Gravity

Large datasets are expensive and slow to move. If you have petabytes of data in an on-premises data warehouse, moving analytics workloads to cloud while data remains on-premises incurs massive egress costs and latency. Processing should happen where data resides.

3. Specialized Hardware

Mainframes, HPC clusters, dedicated AI accelerators, or industrial control systems may not have cloud equivalents. These workloads stay on-premises while commodity workloads move to cloud.

4. Legacy Application Dependencies

Monolithic applications with deep integrations to on-premises systems (databases, mainframes, network file shares) can't easily migrate. Hybrid architectures allow cloud-native frontends to connect to legacy backends.

5. Cost Optimization

Predictable, steady-state workloads may be cheaper to run on owned hardware. Burst capacity and variable workloads benefit from cloud elasticity. Hybrid enables cost optimization across workload types.

6. Business Continuity

Using cloud as disaster recovery for on-premises reduces infrastructure duplication. Hybrid architectures can fail over between environments.

Pattern Deep Dive: Cloud Bursting

Cloud bursting extends on-premises capacity during demand spikes:

Architecture:

                Normal Load                    Peak Load
                ───────────                    ─────────
┌─────────────────────────────┐    ┌─────────────────────────────┐
│      On-Premises            │    │      On-Premises            │
│   ┌─────────────────┐       │    │   ┌─────────────────┐       │
│   │ Web Servers (5) │       │    │   │ Web Servers (5) │       │
│   └─────────────────┘       │    │   └────────┬────────┘       │
│         ▲                   │    │            │  Burst         │
│         │                   │    │            ▼                │
│   Load Balancer             │    │   ┌─────────────────┐       │
│                             │    │   │ Cloud Instances │       │
└─────────────────────────────┘    │   │     (Auto-scale)│       │
                                   │   └─────────────────┘       │
                                   └─────────────────────────────┘

Requirements:

• Low-latency connectivity between on-premises and cloud
• Stateless application tier (sessions externalized)
• Consistent deployment artifacts (containers, images)
• Global load balancing capability

Challenges:

• Data access latency when cloud instances access on-premises databases
• Licensing for commercial software in cloud
• Network bandwidth during burst activation

Networking is the foundation of hybrid cloud. Without reliable, secure connectivity between on-premises and cloud, hybrid architectures fail. This section synthesizes connectivity options (covered previously) into complete hybrid network designs.

Hybrid Network Design Principles

1. Treat Connectivity as Critical Infrastructure

Connectivity isn't an afterthought—it's as critical as compute or storage. Design for resiliency, monitor actively, and plan for failures.

2. Establish Consistent IP Addressing

Use non-overlapping RFC 1918 ranges across all environments. Document allocations centrally. This enables routing between any environment without NAT complexity.

3. Use Dynamic Routing (BGP)

Static routes are fragile. BGP enables automatic failover, multi-path routing, and simplified route management. Invest in BGP capability for on-premises equipment.

4. Encrypt All Inter-Environment Traffic

Even over "private" dedicated connections, treat traffic as potentially observable. IPsec overlay on Direct Connect provides encryption without internet exposure.

5. Centralize Egress and Inspection

Route outbound internet traffic through shared egress points with consistent security controls, whether traffic originates on-premises or in cloud.

Transit Gateway-Based Hybrid Architecture

AWS Transit Gateway (and equivalents) centralizes hybrid connectivity:

Attachments:

1. VPN Attachment: Site-to-Site VPN connection from on-premises
2. Direct Connect Gateway Attachment: Dedicated circuit(s)
3. VPC Attachments: All workload VPCs
4. Peering Attachments: Cross-region Transit Gateway peering

Route Tables:

Create separate route tables for different traffic policies:

Transit Gateway Route Tables:

Production RT:
  10.0.0.0/8    → blackhole (prevent dev reaching prod)
  172.16.0.0/12 → dxgw-attachment (on-premises)
  10.100.0.0/16 → vpc-prod-attachment (production VPC)
  0.0.0.0/0     → vpc-egress-attachment (centralized egress)

Development RT:
  10.0.0.0/8    → blackhole
  172.16.0.0/12 → vpn-attachment (on-premises via VPN only)
  10.200.0.0/16 → vpc-dev-attachment (development VPC)
  0.0.0.0/0     → vpc-egress-attachment

On-Premises RT:
  10.100.0.0/16 → vpc-prod-attachment
  10.200.0.0/16 → vpc-dev-attachment
  0.0.0.0/0     → blackhole (no internet via cloud)

This ensures:

• Production and development are isolated from each other
• On-premises can reach both environments
• All internet egress routes through inspection

Hybrid DNS Strategy

DNS resolution must work seamlessly across environments. Clients in cloud resolve on-premises names; clients on-premises resolve cloud names.

Implementation:

1. Cloud → On-Premises Resolution

   • Route 53 Resolver Outbound Endpoints (AWS)
   • Forward queries for on-premises domains to on-premises DNS servers
   • Traffic flows over VPN/Direct Connect

2. On-Premises → Cloud Resolution

   • Route 53 Resolver Inbound Endpoints
   • On-premises DNS conditionally forwards cloud domains to endpoint IPs
   • Endpoints must be reachable from on-premises (private IPs, routed via VPN/DX)

3. Split-Horizon DNS

   • Same domain (e.g., example.com) resolves differently based on client location
   • On-premises clients get on-premises IPs for internal services
   • Cloud clients get cloud IPs
   • Useful for services that exist in both locations

AWS Route 53 Resolver Rules Example:

Outbound Rule: corp.internal → 172.16.1.10, 172.16.1.11
  (Forward on-premises domain queries to on-premises DNS)

Outbound Rule: legacy.acme.com → 172.16.1.10
  (Forward legacy application domain to on-premises)

Default: Public DNS resolution via AWS

Data is the most challenging aspect of hybrid cloud. Unlike compute (which can move relatively easily), data has gravity—moving large datasets is expensive, slow, and risky. Hybrid data strategies must address synchronization, consistency, and access patterns.

Data Placement Strategies

Keep Data Where It's Consumed:

Minimize cross-environment data access. If analytics runs in cloud, replicate data to cloud. If transactions process on-premises, keep transactional data on-premises.

Separate Operational and Analytical Data:

Operational databases (OLTP) require low latency and consistency—keep them near processing. Analytical workloads tolerate replication lag; move copies to cloud for analytics.

Cache Strategically:

Rather than accessing on-premises data from cloud, cache frequently accessed data in cloud. Redis, Memcached, or read replicas reduce cross-environment traffic.

Data Replication Services

Cloud providers offer managed services for hybrid data replication:

AWS:

• Database Migration Service (DMS): Continuous replication from on-premises databases to RDS/Aurora
• DataSync: Accelerated transfer for file/object data to S3/EFS
• Storage Gateway: On-premises appliance providing cloud-backed storage

Azure:

• Azure Migrate: Database replication during migration
• Azure File Sync: Synchronize on-premises file shares with Azure Files
• Azure Data Box: Physical appliances for large data transfer

GCP:

• Database Migration Service: Replication to Cloud SQL, AlloyDB
• Transfer Service: Move data from on-premises to Cloud Storage
• Transfer Appliance: Physical device for massive datasets

Data Consistency Challenges

Scenario: Customer Data in Both Environments

Customer record exists in on-premises CRM and cloud commerce platform. Updates can occur in either location.

Challenges:

• Which is the source of truth?
• How do updates propagate?
• What happens during connectivity outages?
• How are conflicts resolved?

Solutions:

1. Single Source of Truth + Replication

   • Designate one system as primary
   • Changes flow outward via CDC or events
   • Other systems are read replicas

2. Event-Driven Integration

   • Both systems publish events to central broker (Kafka, EventBridge)
   • Each system subscribes to relevant events
   • Eventual consistency across systems

3. API Gateway Abstraction

   • API layer routes queries to authoritative system per data type
   • Applications query API, not individual systems
   • Centralized logic handles cross-system operations

Hybrid cloud multiplies security complexity. Users, applications, and services must authenticate and authorize across environments. Consistent security policies must span on-premises firewalls and cloud security groups. Audit trails must provide unified visibility.

Identity Federation

Federation allows on-premises identities to access cloud resources without maintaining separate cloud accounts.

SAML 2.0 Federation:

• On-premises Identity Provider (IdP): Active Directory Federation Services (ADFS), Okta, etc.
• Cloud acts as Service Provider (SP)
• Users authenticate to IdP; receive SAML assertion; exchange for cloud credentials

Example: AWS IAM + ADFS

┌───────────────────────────────────────────────────────────────┐
│ 1. User accesses AWS Console                                  │
│ 2. AWS redirects to ADFS (on-premises)                       │
│ 3. User authenticates (Kerberos/password)                     │
│ 4. ADFS issues SAML assertion with roles                      │
│ 5. User returns to AWS with SAML assertion                    │
│ 6. AWS STS exchanges SAML for temporary credentials           │
│ 7. User accesses AWS resources with assumed role              │
└───────────────────────────────────────────────────────────────┘

Azure AD Hybrid Join:

• Workstations join both on-premises AD and Azure AD
• Seamless SSO to both cloud and on-premises applications
• Azure AD Connect synchronizes identities

Workload Identity:

For machine-to-machine authentication (cloud app calling on-premises API):

• Service accounts or certificates rather than user identities
• Short-lived tokens where possible
• Secrets stored in cloud secret managers (Secrets Manager, Key Vault)

Unified Security Policy

The goal: equivalent security posture regardless of workload location.

Policy Consistency Approaches:

1. Infrastructure as Code Parity

   • Define security policies in code (Terraform, Ansible)
   • Apply to both on-premises (VMware NSX, physical firewalls) and cloud
   • Drift detection alerts on policy deviation

2. Cloud Security Posture Management (CSPM)

   • Continuous compliance scanning across cloud accounts
   • Alert on misconfigurations (public S3, open security groups)
   • Some products cover on-premises VMware environments

3. Centralized Logging and SIEM

   • Forward cloud logs (VPC Flow Logs, CloudTrail, Activity Logs) to central SIEM
   • Correlate events across environments
   • Single pane of glass for security operations

Zero Trust in Hybrid Environments

Zero Trust assumes no implicit trust based on network location. Every access request is verified regardless of source.

Hybrid Zero Trust Principles:

• Authenticate every request (user and workload identity)
• Authorize based on context (identity, device health, location, sensitivity)
• Encrypt all connections (even "internal" traffic)
• Continuously validate (session not infinitely trusted)
• Assume breach (design for containment)

Operating hybrid cloud infrastructure requires unified tooling, consistent practices, and skilled teams. Without operational maturity, hybrid becomes "worst of both worlds"—complexity without corresponding benefit.

Unified Observability

Observability must span both environments with consistent metrics, logs, and traces.

Centralized Monitoring:

• Cloud agents (CloudWatch agent, Azure Monitor agent) report to cloud monitoring
• On-premises infrastructure feeds Prometheus, Telegraf, or similar exporters
• Central dashboard (Grafana, Datadog, Dynatrace) aggregates all sources

Distributed Tracing:

• Applications emit trace data (OpenTelemetry, Jaeger, X-Ray)
• Traces span on-premises and cloud components
• Visualize request flow across environment boundaries

Alerting Consolidation:

• PagerDuty, Opsgenie, or equivalent receives alerts from all monitoring systems
• Runbooks reference both on-premises and cloud troubleshooting procedures
• On-call teams equipped to handle issues in any environment

Consistent Deployment Practices

CI/CD Spanning Environments:

Pipelines deploy to both on-premises (Kubernetes clusters, VMs) and cloud (EKS, EC2, Lambda). Deployments use same artifacts regardless of target.

┌──────────────────────────────────────────────────────────────┐
│                     CI/CD Pipeline                            │
│                                                               │
│  ┌─────────────┐    ┌─────────────┐    ┌─────────────┐       │
│  │ Build       │───►│ Test        │───►│ Package     │       │
│  │             │    │             │    │ (Container) │       │
│  └─────────────┘    └─────────────┘    └──────┬──────┘       │
│                                               │              │
│                                     ┌─────────┴─────────┐    │
│                                     │                   │    │
│                               ┌─────▼─────┐      ┌─────▼────┐│
│                               │ On-Prem   │      │ Cloud    ││
│                               │ Kubernetes│      │ EKS      ││
│                               └───────────┘      └──────────┘│
└──────────────────────────────────────────────────────────────┘

Infrastructure as Code (IaC):

• Terraform provisions both on-premises (via VMware provider) and cloud
• Same repository, reviewed together, deployed by same pipelines
• State files per environment but shared module code

Hybrid Cloud Platforms

Cloud providers offer platforms extending their control plane to on-premises:

AWS Outposts:

• AWS hardware deployed in your data center
• Run EC2, EBS, S3 locally with AWS APIs
• Managed by AWS; connected to parent region

Azure Arc:

• Project Azure services (Kubernetes, SQL) to any infrastructure
• On-premises Kubernetes clusters appear as Azure resources
• Azure Policy applies to Arc-enabled resources

Google Anthos:

• Managed Kubernetes across GCP, on-premises, and other clouds
• Anthos Config Management for consistent policy
• Service mesh (Anthos Service Mesh) spans environments

Benefits:

• Consistent APIs across environments
• Unified management consoles
• Common identity and access management
• Simplified hybrid application deployment

Considerations:

• Vendor lock-in to specific platform
• Hardware/licensing requirements
• Connectivity requirements to cloud control plane

Hybrid cloud is the practical reality for most enterprises—not a temporary state but a permanent architecture that leverages the best of both on-premises and cloud environments. Success requires deliberate design, consistent operations, and cross-cutting expertise.

Module Complete:

You have now completed the Cloud Networking module. From cloud network models and virtual networks through VPCs, connectivity, and hybrid cloud architectures, you possess comprehensive knowledge of modern cloud networking. This foundation enables you to design, implement, and operate cloud infrastructure that is secure, scalable, and operationally excellent.