ℹ️ Privately connect from Cloudflare to other clouds
Presented by: Ameet Naik, David Tuber
Originally aired on April 10, 2023 @ 10:00 AM - 10:30 AM EDT
Welcome to Cloudflare CIO Week 2023!
This CIO Week we’ll demonstrate how Cloudflare is helping CIOs keep data, devices and employees both safe and fast across hybrid and remote environments. We’ll show how Cloudflare accelerates digital transformation and modernizes networking and security towards a Zero Trust model.
In this episode, tune in for a conversation with Cloudflare's Ameet Naik and David Tuber.
Tune in all week for more news, announcements, and thought-provoking discussions!
Read the blog posts:
For more, don't miss the Cloudflare CIO Week Hub
English
CIO Week
Transcript (Beta)
Hey everyone, happy Friday and welcome to the last day of CIO Week, an exciting week that's been full of announcements, but we've got more.
We've got a few more announcements to talk to you about.
And this session, we're going to get into how can you privately connect from Cloudflare to other cloud providers, also known as Cloud CNI.
My name is Ameet Naik. I'm Director of Product Marketing here at Cloudflare.
And joining me today is Tubes, who has the fun job of making the Cloudflare network better, faster, more flexible, more integrated with everything else out there.
And Tubes is here to talk to us more about Cloud CNI. But before we jump into that, I want to talk about Cloudflare network and how to connect in general.
As we all know, we're living in a cloud-centric world right now. We're using more and more SaaS applications.
And we've got this thing called the Internet that just pretty much connects every other network on the planet.
It gets us around in most cases.
But it's really important. The problem with the Internet is it was never built to be reliable, performant, and secure.
It was built to be a ubiquitous network that's everywhere.
And on a good day, it generally works well. But can you guarantee it's going to work well all the time everywhere?
Not really. And that's why it's really important to have some level of control of visibility into the middle mile of your application delivery.
And that's really where Cloud CNI comes in.
And CNI in general comes in. So we've had this product called Cloudflare Network Interconnect for several years now.
And Tubes, give us a little bit of background for our readers who may not be familiar with this.
Yeah. So Cloudflare Network Interconnect started out basically just our customers have their own on-prem data centers.
And they want to connect those on-prem data centers to Cloudflare.
And they don't want to go over the public Internet. They don't want to go through an IX.
They want to limit their exposure and their attack surface by restricting what entities can talk to their servers.
And so by plugging into Cloudflare, they get a direct private path from Cloudflare to their servers so that they don't have to worry about any of that stuff with attack factors to the public Internet.
So Cloudflare Network Interconnect was launched in August or September of 2020.
And then from there, we've built up a really good customer base.
We got a lot of people who connected with us. And we're excited now a couple of years later to support the clouds and basically allow customers who have either hybrid or mostly cloud-based services, get private connectivity from those cloud instances into Cloudflare through CNI.
This is an exciting feature that I know a lot of our customers have been asking for and eager to get.
So just before we get into what it is, what are some of the ways an organization today can connect to a cloud service?
Yeah. So cloud services offer... So before we get on, before I go in and start talking for five minutes and waste everyone's time, when you say, how do people connect to a cloud service, do you mean over the Internet or do you mean just like, how can I just get connected to a cloud service?
What are the connectivity options available to enterprise today?
Whether it's going over the Internet or VPN tunnels or...
Yeah. So it's probably best if we start talking about this instead of the abstract, let's make it real.
Tubes in a Meet started TubesCorp because I am very vain and self-obsessed.
And I've got... And we started out like 10, 15 years ago.
And TubesCorp has a data center. And the data center is in Ashburn, Virginia.
And TubesCorp is coming along. It's doing its thing. It's going really well.
And all of a sudden TubesCorp says, well, maybe I don't want to run all my servers anymore.
Maybe the cloud instances seem really good. There are a lot of options.
After choosing between AWS, Google, Azure, IBM, Oracle, I choose IBM because TubesCorp likes IBM.
Yeah. So I get an instance in IBM cloud and I've got my databases there.
I have my IBM cloud instance talking back to my TubesCorp servers, which are also in Ashburn.
But that goes over the public Internet. So that's probably the first way that people can talk to the clouds.
The clouds buy a lot of transit.
They buy a lot of connectivity and ISPs. You can get connected to clouds over the public Internet.
So just the way, the same way that you or I, when we log into IBM cloud or Google cloud or whatever, from our laptops, it's the same way that our cloud server, that TubesCorp servers in Ashburn would connect.
We would pay for Internet connectivity through an IX or through transit like Lumen or Cogent or Telia.
And then that transit or that Internet would connect to the clouds via the peering that they have.
And that's cool. It works. That can get expensive and that can be troublesome for two reasons.
My TubesCorp, we just signed a big government contract.
Really cool. Government contracts pay a lot of money.
Love government contracts, but government contracts mean that we need to be very, very careful with government data.
And we've got our TubesCorp machines, which are running in Ashburn, and they're talking to TubesCorp VMs in IBM cloud, and they're going over the public Internet.
And that means potentially sensitive data is going between TubesCorp VMs or TubesCorp data centers and the TubesCorp VMs in IBM.
And that's a problem. Government says, can't do that.
It's got to be private. You have to have private connectivity to a cloud. But that doesn't make any sense.
Like why? Like a cloud is public. It's a shared infrastructure.
How do I get private connectivity? Well, the cloud's already thought of this.
They have these solutions. IBM's got DirectLink. AWS has DirectConnect.
Azure's got ExpressRoute. Google Cloud has Cloud Interconnect. And Oracle or OCI has FastConnect.
So they all have different names for the same thing. It's usually some sort of direct or private or connect or something, link, whatever.
You can mix and match and do your own chat GPT version of that. So I get all of those things.
So I get that DirectLink. So we're using IBM as our example.
TubesCorp, we get our DirectLink from our data centers to the cloud. Cool. Now we've got a dedicated private connection from my data centers to the cloud.
So now TubesCorp can carry on that government contract and make lots of money.
Really, really cool. We're very, very happy. That's where the situation is more or less a year or two ago.
Now, TubesCorp got hit pretty hard by the pandemic because TubesCorp has a bunch of offices in addition to just our data center.
And you and me, we make a lot of money with this government contract. We open up offices everywhere.
We open up headquarters. We have all of this physical footprint.
And that's all connected via MPLS and VPNs and all of these old guard connectivity, security, IT connection things.
Pandemic hits. Holy crap. Now, instead of commuting into the office, I'm going through VPN.
Well, TubesCorp, a little older.
I'm based in Seattle, but our headquarters is in Chicago. Or worse, Dallas or Miami or Atlanta if we really, really want to get nasty because it means you're also on the West Coast.
So TubesCorp and Amit, we set up our headquarters and our VPN to route out of Atlanta because who knows why.
That's exactly why we did it.
So now in order to access TubesCorp servers and TubesCorp services that are in IBM and that are in our data center in Ashburn, Virginia, we have to go to Atlanta because that's where our VPN is.
Cool. We don't like that. We buy Cloudflare 1.
We buy Access. We buy all of this stuff. And we start moving our security boundary from our data centers and our offices to the Cloudflare edge.
But our data center and our IBM Cloud instance are dangling.
So as we built out, you know, we moved, we went on our Zero Trust journey.
We did our Access. We did our application Access.
We did our SecureWebGateway. We're moving to our SD -WAN.
We're moving our VPN and we're MPLS to the Cloud. We're using SD-WAN. We're buying MagicWAN and we want to connect everything to Cloudflare so that we can always have the fastest path through the network.
What do I do with that IBM Cloud instance?
I can get a CNI for TubesCorp servers in Ashburn, but IBM, I have to go over the public Internet, but I have that government contract.
I can't do that. Like, it has to be where it is and that's really annoying.
And that's where a lot of customers are right now.
That space that IBM or AWS is hanging there and they're trying to finish their Zero Trust journey.
They want that SD-WAN. They want that direct connectivity to the SASE model, but they can't get it because there's no private cloud support.
The private cloud support is very important. It needs to connect to the edge or it needs to connect to the network, just like our data center or just like our office or just like our laptops or phones or whatever.
So, this is where CloudCNI and CNI really, really shine.
Now, instead of getting that direct link from TubesCorp servers or from IBM into TubesCorp servers, you can open a direct link from IBM into Cloudflare and you've got a CNI into Cloudflare.
And now all of your traffic is transiting Cloudflare.
Your boundary is secure. You can keep getting that money with that government contract and everything becomes easier because instead of having to worry about, oh, I've got my direct link connected to my data center and I've got my MPLS connected to these things and all that stuff, it's all Cloudflare.
It's Cloudflare all the way down and makes it very simple and very easy to connect.
And that's the beauty and the value of CloudCNI.
That sounds fantastic. So, it gives you the ability to connect your private instance that's living in IBM Cloud or AWS or into another private instance, which is living on Cloudflare and tying these two worlds together.
So, you're solving the problem of apps being in the cloud and users being on a zero trust solution on Cloudflare and how do you bring those two worlds together?
And that's really exciting.
And you gave a great example of TubesCorp and we're making all this money on government contracts.
That's one good reason for wanting to have this private connectivity.
What are some other reasons why customers would want to have private connectivity?
Well, government contracts are basically a forcing function of a lot of compliance requirements that a lot of companies have.
Distrust of the public Internet and private resources going over public links is generally bad.
If you've got payment data, there are laws. And the reason why there are government contracts is because usually with government contracts, there are very specific laws and guidelines around how to handle government data, how to handle user data.
And that doesn't apply to government data. It could be applicable to payments.
It could be applicable to location services, user data, PII.
It honestly depends on your industry. It's going to vary. But regardless of variation, private connectivity is just generally better because you're not only getting a direct link, IBM direct link, you're not only getting a private path from the cloud to you, that private path comes with all the benefits of CNI.
So you get guaranteed bandwidth. Your performance is generally going to be better.
You're going to get better uptime because those boxes and those devices are generally separate from the rest of the edge network, better SLAs, things of that nature.
So basically, in addition to just wanting to satisfy legal compliance things, you also get a better experience when you go over these private paths.
And that's why these clouds offer these things because they know that. And it's kind of a win-win-win for everybody that if you're in IBM or you're in Azure or you're in AWS and you want to get connected privately, like the clouds want that for you because now you're with that cloud.
And it's kind of a mutually beneficial arrangement for everybody.
You get your private connectivity. You get your better performance.
You get your better availability. And you get all of that.
And the clouds basically are like you're getting tied to that cloud. You have a private connection.
I mean, that's very, very valuable. And so for CNI and for cloud CNI, we want to support that.
We want people to get connected to us through these direct links because a connection and a private connection is win-win-win for everybody.
We increase the connectivity and we increase the performance of our network.
We do all this stuff for you. And from a customer perspective, it all gets to be managed by clouds there, which is really, really, really valuable.
I think one thing you said earlier is really interesting. Having this layer three connectivity means your traffic's going to always take the most direct paths rather than get trombone to a VPN gateway that's sitting in the data center somewhere far away, which is the alternative way of doing it, which is to have a bunch of VPN tunnels and do all the VPCs, which is a way of doing it and gives you some connectivity and which frankly have most organizations are doing it right now.
But it has challenges because your traffic is going to take a longer path than it needs to.
And that shows up in app performance. And performance expectations today are just so different right now.
I mean, there's this thing that we hear about called the consumerization of IT.
Employees expect their work apps to be as zippy and as responsive as their consumer apps, as the social media apps.
And any amount of lag, latency, slowdown, it's not seen well.
You end up in a spike in IT trouble tickets.
And anything you can do to cut latency from between the user and the application and the edge is really powerful.
Well, I mean, we talked about this when we talked about the Cloudflare being faster than Zscaler a couple of days ago.
If you haven't watched that, you should definitely watch that. It's a good segment.
Not to toot our own horns here, but beep, beep. But performance is a threat and if your performance is bad, then you as a user are just going to do whatever you can to mitigate that.
And often that's just turning off these features.
It's bypassing the VPN. It's saying, you know what, screw it. I don't need to go over my SD-WAN.
Why do I need that? If I'm smart, I can just fake it. No, you can't.
And so by making security performant, you disincentivize this behavior that people are less likely to go around the rules if the rules are very lenient or the experience is fine.
This is part of the reason we're seeing such an explosion in unsanctioned ID applications here, right?
Because like, yeah, I can use Dropbox a lot faster than my SharePoint, which is a sanctioned app and people are going to start using whatever is more faster, better, easier to be more convenient for them, right?
Exactly. At the end of the day, people are going to do what they need to do to get things done.
And if you as an IT admin can just make it incredibly easy, win, win, win for everybody.
Yeah. And this removes additional friction from organizations moving to the cloud and moving the core applications to the cloud, right?
I mean, there used to be all kinds of performance considerations saying, hey, our data center is in the basement right now where most of our employees are.
What happens if we move it to a cloud provider that's 50 miles away, right?
This sort of takes, solves some of the connectivity and performance challenges.
And, you know, like we see that a lot with even in Cloudflare, like we get those questions from customers, like I have my data center, like I have like a data center with us, like how can we, how can we get that direct connectivity?
How can we basically get those functions so that like the data can be routed immediately?
And, you know, like stuff like that, you know, Anika Garber has just released a blog about magic on-prem.
If you haven't read that, you got to, got to, got to check it out because that's a really another great example about how we are making it incredibly easy for this to just be plug and play.
Like you just go to Cloudflare and it just gets done. And that's the mentality that we're really, really chasing after, like IT should be easy to set up.
It should be easy to maintain. And you should just have to go to one place to get everything fixed.
And that's the mentality behind Cloud CNI. That's the mentality behind Anika's magic on-prem.
That's the mentality behind all of Cloudflare one, one stop shop, complete solution.
So you can focus on the things that you need to focus on and not on like, how does my MPLS connect to this thing?
And like debugging MPLS issues, like nobody wants to debug MPLS issues.
They want to pay someone to do it.
And so that's the value that Cloudflare is providing.
Yeah. And I think the other interesting use cases enables is multi -cloud, hybrid multi-cloud networking, right?
That's been a big problem in the industry for a long time as to how to do it.
All the cloud providers have their own solution to do it and they work great.
If you're typically, if you're on one cloud, many organizations don't have that luxury, right?
You may start with one cloud service.
You may end up acquiring somebody, or you may find that, you know, this little engineering organization over here went out and you may start on the AWS, this little engineering org started using Google cloud.
Now you have to maintain it and support it, right?
And everybody needs compliance. Every, every organization.
And even like this, even, you know, Corey Quinn, who's like, he's not going to watch this, but like, I'm going to name drop Corey Quinn.
He's very famous.
He runs the duck bill group for AWS cost management. And he's going to tell you, and everyone's going to tell you that multi-cloud is, is the solution.
And that taking dependencies on one cloud is, is generally a good way to drive up costs because it's kind of like the car insurance problem.
Like you buy your car insurance and you buy it low and then just the costs add up and like, you're stuck on it.
And you're just like, you don't even, because like the, the, the, the mental strain of moving off is more challenging than the, than what you're willing to pay.
And that's kind of the selling point of a lot of these things.
And so multi-cloud is a very, very vital option.
And that's why, you know, we are offering cloud CNI for stuff like this, that like, because it works really well with magic when that, like, since it's all just Cloudflare routable, we don't care if it's AWS or IBM or Azure, it all just plugs in and it all just routes the way that you want it to.
And it's multi-cloud built in because we're cloud agnostic because Cloudflare is the super cloud.
Yeah. Yeah. And, and you can bring out all the cloud instances together using cloud CNI tied into a magic WAN instance route from anywhere to anywhere.
Right. But what I love about this is it doesn't just solve for sites. It also solves for, solves for users.
You have remote users that are not in the building with the work client.
You can bring them in, you can bridge them to magic WAN and have them act, give them the same level of access and security that users inside the office will.
Right. And that's the solution. Exactly. And the really cool part, especially with cloud CNI is because we're talking multi-cloud because we're talking that stuff like that application is actually incredibly valuable, not just a SaaS company, not just a company is protecting their users, but for SaaS companies who are offering privately connected services, like you want, you're with Cloudflare for the protection and customers want to directly connect to you.
You don't want to bypass Cloudflare. Cool. You can use cloud CNI to directly connect all of your customers to Cloudflare through us.
And that allows you to offer that kind of directly that direct connect, say that direct connect service that's managed in SaaS.
And so, you know, customers like a lot of our customers or a lot of our SaaS customers super interested in this.
And this is a really, and it's a really easy to see why, because, because we're basically making connectivity super easy and just kind of abstracted and just done in Cloudflare.
Existing Cloudflare customers can offer that support to their customers and say, Hey, you want to directly connect to me?
Cool. Cloudflare has got the solution, get connected to Cloudflare and we can just route you and we can handle you through there.
And you can do that with cloud CNI.
You can do that with a physical data center. We support all of those.
So this actually enables a lot of SaaS companies to offer direct interconnect capabilities, right?
And this is sort of above and beyond what, I mean, SaaS companies are good at building SaaS software and that's what they should focus on.
Right. And this sort of allows them to stop worrying about how do my customers get to me and use a partner like Cloudflare to do that.
Right. And like, you think about stuff, like we, we always talk about the, the, the ass company, the ass terms, like something as a service, like tubes as a service, a meat as a service, we've got software as a service, we've got security as a service, we've got security, like whatever is a service.
This is at its core infrastructure as a service, you get connected to Cloudflare and you can democratize, you can use our infrastructure as your infrastructure.
If you have these features and you're thinking about moving to Cloudflare, but I've got this, this thing, and it's this direct connect option.
And I've got these routers, cool.
Migrate those customers to Cloudflare and our infrastructure will take that on for you.
It is a very compelling argument for basically, why do you like, let us maintain this infrastructure for you.
We've built a network of over 235 locations, 11,000 peering points.
Let us handle that for you because it's not that we're better at it, but we're doing it so you don't have to.
Yeah.
Yeah. It's one less thing a company has to worry about. Right. And yeah, I mean, software companies are really good at building software and they, they, they can, if they can focus on that versus worrying about the plumbing.
Right. I think that's, that's a big value.
There are a couple other use cases you mentioned here in your blog posts, right?
You talk about secure authentication with access. Talk to us a little bit about that use case.
This is a really, really cool. This is really, really cool.
And so, so Kenny, who's the access PM and I are going to write a blog about this later.
Cause you know, this is really cool, but you know, you have tunnel today and you have like, tunnel is a really, really great way to privately encrypt your traffic that goes over the public Internet.
And it's especially valuable for your application traffic.
You know, you want your application traffic, your hosted application traffic to not to basically be as private as possible.
You don't want people to be able to see what end points you're accessing.
So instead of using something like Cloudflare tunnel and installing Cloudflare D on it, why not just open a private connection to Cloudflare and have all your application traffic go through there?
That's the value that CloudCNI gets.
So like it, so a lot of people they'll host their JIRA instances.
And we talked about JIRA in the blog, in the performance blog. JIRA is a ticket management system, similar to VSO or I don't know the other one.
I just worked at Microsoft for seven years.
So VSO is the only one I know. But like a ticket management system.
So basically you cut tickets, you assign them. Some people will host those internally.
They'll host them on their own servers, but you can also host it in the cloud.
And so what if you could get private access to that JIRA instance through, if you host it in AWS or IBM, if you get a host it in IBM, just get a direct link to Cloudflare and then access will proxy all of their, your access, your privately, your secured encrypted application traffic through the direct link.
So it never has to touch the public Internet. Cool. You're even more protected.
And it's so simple that you didn't even have to, you didn't even have to, you didn't even have to stand up any hardware.
You can be entirely cloud native and get privately connected and you never have to deploy a router or do BGP or do any of those things.
It just works. Now that that's, that's going to be of a lot of benefit to a lot of our customers, right?
And I can see a lot of customers start to use it. What's the, another use case you talk about here is that now we've got about five minutes left, but another use case you talk about is managing cloud egress with gateway.
How would that work? Yes.
So gateway is, I love gateway. I've loved gateway for a really long time. Gateway is such, for me, such a cool, flexible product.
You can use it to do anything that you need.
And so one thing that's super, super valuable is being able to apply company-wide access and public Internet management policies at the network edge.
And when I say network edge, I mean like right before it's about to leave your managed system and then out to the public Internet.
And so that's what gateway provides.
And gateway is such a flexible tool because it's configurable and it's very, very fast.
And you saw that it was very, very fast because we just did the comparison with our secure gateway was Zscaler.
So if you have a cloud instance that needs to talk to the public Internet, usually you have to go through your AWS.
You have to go through, like if you're in AWS, you have to go through your load balancers, your firewalls, whatever you have to do.
But you already have that with Cloudflare.
You have your firewalls, you have your gateways, you have your layer three, you have everything you need to protect and you're already using it.
So with the direct link and with the private connectivity from your cloud instance to Cloudflare, you can just funnel your traffic and send it out to the Internet through us and let Cloudflare manage all of your egress policies for not just your corporate users, but also for your cloud applications.
So keep everything in one place.
And that's another great example of how we just condense the space that you need to think about and only get to focus on.
I am making my policies in Cloudflare and then it will just work from there out.
Yeah. And I think it's really helpful for your cloud instances as well.
A lot of application instances, server instances need access to the Internet to do things like security patches and updates, et cetera.
And that's leaving that access open as a big threat factor for an organization.
Exactly. Running that through something like gateway, where you have managed rules that can prevent connections to malicious sites, drive-by downloads and things of that nature.
I think that gives you another level of security for your cloud applications.
Exactly. That's the point. Yeah. So if somebody wants to try Cloud CNI today, how can they get access to it?
What do they do?
When is it available? Yeah. So best way to learn more about Cloud CNI and see if it's a good fit for you is to just reach out to Cloudflare.
If you already are an enterprise customer, reach out to your account team, let them know I'm interested in Cloud CNI.
And most likely you're going to end up talking to me, which is great for you because I'm the coolest.
But I'm just kidding. I feel bad for you.
No, also kidding. You're going to end up talking to me. You're going to end up talking to Cloudflare.
We're going to figure out if Cloud CNI is the right fit for you, for your scenario.
We want to kind of guide you through this journey and make sure that you're getting the right fit.
And our account teams are ready and waiting to help you out with that cloud journey.
And what kind of information should they be providing to the account team?
Which cloud providers do you use, locations, et cetera?
Yeah, definitely. So tell us what cloud regions you're in. Tell us what cloud you're using.
And tell us, do you already have direct connections today?
Are you interested in establishing new ones or migrating your existing? Are you looking for a hosted connection, which is one that's kind of shared, operated between us and the clouds?
Or do you want your own dedicated connection? Telling us all these things allows us to kind of get started and get the ball rolling as fast as possible.
Sounds good. Well, this was great. I'm really excited about Cloud CNI, as are many of our customers and partners.
So excited about this announcement. And thanks for joining us and sharing all this wonderful information with our viewers.
If you have any questions, you can go read the blog.
There's a link there where you can contact us and get in touch if you have any more questions.
Thanks, everybody, for joining.
Thanks, Tubes. Thanks so much, everyone. Have a great day.
And have a good rest of your Fridays. Bye.