CoIP (Cloud over IP): The Future of Hybrid Networking

An overlay virtual network that connects, protects and shields enterprise applications deployed across cloud ecosystems

Upload: vodang

Post on 04-Jun-2018

Copyright © 2014-2015 Zentera Systems, Inc.

The Cloud is Now a Critical Part of Enterprise Computing

How the Cloud is Being Used Today

The cloud is seemingly everywhere these days. For enterprises, the cloud offers advantages in DevOps (i.e., development and operations of applications) as well as meeting the demand for elastic computing. Additional drivers of cloud adoption are the need for high-performance computing, wholesale or partial datacenter migration (i.e., "lift & shift"), and secure hybrid applications that combine enterprise and cloud computing.

The Public Cloud Lowers Infrastructure and Operations (I&O) Costs Dramatically

One approach to leveraging the cloud is to create a private, enterprise-only implementation. However, private cloud implementations have been constrained by their need for deep expertise, IT resources and capital investment. Consequently, enterprises are leveraging public cloud datacenter offerings to avoid expensive capital investments (CapEx) as well as to accelerate the time-to-production of applications. Widely-used IaaS cloud vendors such as AWS and Microsoft Azure can offer low-cost cloud resources due to their large aggregated datacenter volumes and aggressive pricing, allowing enterprises to treat the cloud as an operating expense (OpEx).

The Cloud Ecosystem is Rich and Growing

The overwhelming business benefits of cloud adoption are driving the emerging cloud ecosystem, which is helping enterprises migrate their applications and datacenters to public or outsourced facilities. For instance, MSPs (Managed Service Providers), VARs (Value Added Resellers), SIs (System Integrators), and cloud marketplace and brokerage vendors are supporting enterprises in moving their on-premise applications to managed hosted datacenters, multi-tenant cloud datacenters, or hybrid implementations. The cloud industry is becoming a sophisticated ecosystem, and it calls for new technologies.


The Cloud Ecosystem Faces Technology Challenges

As companies start to leverage this emerging cloud ecosystem, they are encountering a number of challenges. Hybrid cloud infrastructure (IaaS) deployments require significant re-engineering and customization of corporate network, compliance and security infrastructure. Today, enterprises may spend many months, depending on the complexity of their existing network and information security (InfoSec) infrastructure, to complete a single hybrid deployment for one or a few applications, much less multiple deployments.

This section describes the network and InfoSec challenges that the cloud ecosystem must address to make hybrid cloud adoption less complex and time-consuming as well as more reliable and secure.

Enterprises Do Not Control Infrastructure Within Cloud Islands

The public cloud vendors have evolved disparate and unstandardized infrastructures, which operate as segregated Cloud Islands. Furthermore, these cloud islands are controlled by different service provider administrations, which do not make their proprietary infrastructures directly accessible to enterprises.

Within these cloud islands, enterprises have limited control over the lower-level physical or virtual cloud infrastructure, due to service providers' security and SLA constraints. The enterprise controls are at the virtual machine (VM) level and above, as shown in Fig. 1, below. The lower-level infrastructure (the physical IP network, the cloud orchestration layer, and the virtualization hypervisor controller) is accessible only via cloud service provider-specific APIs.

Figure 1. Cloud Infrastructure Currently Operates as Disparate "Islands"

Rather than having to manage cloud islands with limited and differing access controls, enterprises want a virtual single-tenancy solution, under enterprise control, that operates consistently on any public cloud. This would allow companies to apply their best network, compliance and InfoSec practices while simplifying cloud adoption.


Enterprises Want a Unified Network Fabric to Support Application Portability

As part of corporate best practices, most enterprises have customized their internal L2/L3 IP networks as a unified fabric to support applications with network transparency. When enterprises extend their network and computing infrastructure to the public cloud, establishing network transparency is difficult; most cloud vendors provide their own, non-standard methods and controls for setting up L2/L3 networks. Therefore, moving applications to the cloud requires additional customization efforts.

These efforts are required to maintain perimeter-based security, sometimes referred to as "hard shell, soft core": protecting the enterprise with a strong ("hard") network boundary and a flat ("soft") internal network fabric. These perimeters can surround hundreds or thousands of applications, supported by networks that were not designed to allow cloud-based access. Therefore, it is difficult to allow one hybrid application to access the cloud without compromising the security of the rest of the applications: the "breaking hundreds while moving one" problem. The customization efforts needed to avoid this problem can be substantial enough to prohibit widespread cloud adoption.

How can these challenges be addressed elegantly and cleanly? In the next section, virtualization is presented as the way to control the hybrid network infrastructure and provide a single unified network fabric in hybrid cloud environments.

Cloud over IP – The New Network Virtualization

In the computing industry, abstraction and virtualization have played an important role in the commercial adoption of new, more efficient and straightforward uses of computing resources. Virtualization technology has made great advancements in the past decade, from server virtualization, to IO virtualization, and then to network virtualization, as shown in Fig. 2.

Figure 2. Virtualization Enables New IT Functionality

These virtualization technologies have significantly improved efficiency within a datacenter by virtualizing the lower level stacks. When enterprises migrate applications to the cloud, there is a need for cross-domain virtualization technology that abstracts the enterprise and cloud network infrastructure into a unified network plane and is agnostic to the underlying infrastructures. Cross-domain virtualization is starting to appear; for example, container technology is a recent virtualization solution that allows applications deployed inside a container to run on top of any hypervisor in any cloud.

The next piece of the puzzle is the virtual network that extends across cloud ecosystems. The solution for cloud ecosystems is the next generation virtual network, Cloud over IP (CoIP), which spans across the boundaries of cloud datacenter administrations, using but not changing the underlying IP networks as the forwarding fabric. CoIP presents one unified network fabric to applications, as if all resources were deployed in one enterprise network. CoIP is controlled and managed by the enterprise. It applies to cloud datacenters and enterprise on-premise environments across hybrid cloud ecosystems.

CoIP is Like VoIP for the Cloud

VoIP (Voice over IP) technology revolutionized phone technology starting in the early 2000s. VoIP is an L4/L5 session and transport layer network that overlays on top of IP networks for phone connection and voice transport. Its ease of deployment and range of functionality significantly improve enterprise productivity while simplifying deployment and lowering costs.

Similarly, CoIP is an L4/L5 session and transport layer network that overlays on top of segregated IP networks (i.e., cloud islands), connecting endpoint servers, VMs and containers while using IP networks to transport client-server packets across cloud ecosystems. CoIP does not require any southbound protocol integration or IP network reconfiguration. Table 1 compares VoIP and CoIP.

                     VoIP                                 CoIP
Network technology   L4/L5 session and transport network  L4/L5 session and transport network
Network port         5060, 5061 for SIP                   443 for CoIP WAN, 9797 for CoIP LAN
System               IP PBX                               CoIP Controller
Boundary network     Session Border Controller            Virtual Transport Switch
Endpoint             IP Phone                             Server, VM, container, edge gateway
Addressing           Portable IP phone number             Overlay IP address & private routing
Content              Voice                                Any L4-L7 application packets
Security             Call control                         Policy control, private routing & transport
                                                          encryption, chamber firewall
Deployment           Extremely fast                       Extremely fast

Table 1. VoIP and CoIP Comparison


CoIP Provides Hybrid Network Benefits

CoIP enables several critical benefits as described below.

Enterprises Can Control CoIP Virtual Networks Across Cloud Ecosystems

CoIP operates in the OS (operating system), one layer above the virtualization hypervisor, and as a result it is similar to container technology: it is agnostic to the cloud datacenter and operates within the enterprise-controlled layers. Figure 3 illustrates the cloud stack with the CoIP layer.

Figure 3. Cloud over IP is the Next Level of Cross-Domain Virtualization

CoIP is a High-Performance Overlay Virtual Network

CoIP is an overlay network that is completely decoupled from the underlying L2/L3 IP network fabric. It performs high-speed transport forwarding and does not replace or disrupt the underlying IP switch network. The datacenter physical network fabric has its own critical scalability requirements for high performance switching; CoIP is architected to align with those present or future high performance requirements without replacing L2/L3 switching and routing. Note that this architecture is fundamentally different from hypervisor networks such as Open vSwitch. Figure 4 presents the CoIP network stack and where it applies to northbound applications and southbound L2/L3 networks.

Applications are Portable Using CoIP

Many enterprise legacy applications are coupled with physical network and security settings. As a result, the physical network implementation can limit the portability of applications to the cloud. CoIP has a unique capability for private network routing with its own IP addresses above the cloud; therefore, it can easily support application portability. This is similar to VoIP, which enables any IP phone number to operate anywhere in the world, decoupled from the location constraints of phone numbers tied to physical telecom equipment. As a result, CoIP allows straightforward assignment and routing for any public or private IP address, anywhere in the world, without constraints due to IP collisions or routing table configurations. CoIP's overlay virtual network model enables applications to be ported, or migrated, to any cloud.
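The addressing and forwarding model described above, as an added worked example; this is not Zentera's code, and the paper does not publish CoIP's real frame format. It models the virtual transport switch as a forwarding table keyed by (network id, overlay address), so two implementations can both use 10.0.0.0/24 without colliding, and it selects the Table 1 port by whether the next hop sits in the same site (9797, LAN) or across a cloud boundary (443, WAN). The frame layout, the 32-bit network id, the site names, the addresses and the class names are assumptions constructed for the example.

```python
"""Forwarding-plane model of an L4/L5 overlay in the style described above.
Added example, not Zentera code. Assumed (not in the whitepaper): the frame
layout, the 32-bit network id used as the per-implementation namespace, and
the rule that a peer at another site is reached over the WAN port (443)
while a same-site peer is reached over the LAN port (9797). IPv4 only."""
import ipaddress
import struct
from dataclasses import dataclass

# net_id, overlay src, overlay dst, src port, dst port, payload length
FRAME_HDR = "!I4s4sHHH"
HDR_LEN = struct.calcsize(FRAME_HDR)      # 18 bytes
WAN_PORT, LAN_PORT = 443, 9797            # ports from Table 1


@dataclass(frozen=True)
class Underlay:
    site: str   # administrative domain, e.g. "onprem" or "aws-us-east-1" (assumed names)
    ip: str     # physical/cloud address the endpoint's transport switch listens on


class OverlayNetwork:
    """One CoIP implementation: a private address space keyed by net_id."""

    def __init__(self, net_id, cidr):
        self.net_id = net_id
        self.cidr = ipaddress.ip_network(cidr)
        self.table = {}   # overlay address -> Underlay

    def attach(self, overlay_ip, underlay):
        addr = ipaddress.ip_address(overlay_ip)
        if addr not in self.cidr:
            raise ValueError(f"{overlay_ip} is outside {self.cidr}")
        self.table[addr] = underlay


class VirtualTransportSwitch:
    """Encapsulates application packets and picks the underlay next hop."""

    def __init__(self):
        self.networks = {}   # net_id -> OverlayNetwork

    def add(self, net):
        self.networks[net.net_id] = net

    @staticmethod
    def encapsulate(net_id, src, dst, sport, dport, payload):
        hdr = struct.pack(FRAME_HDR, net_id,
                          ipaddress.ip_address(src).packed,
                          ipaddress.ip_address(dst).packed,
                          sport, dport, len(payload))
        return hdr + payload

    @staticmethod
    def decapsulate(frame):
        if len(frame) < HDR_LEN:
            raise ValueError("frame shorter than header")
        net_id, s, d, sport, dport, length = struct.unpack(FRAME_HDR, frame[:HDR_LEN])
        payload = frame[HDR_LEN:]
        if len(payload) != length:
            raise ValueError("payload length does not match header")
        return (net_id, str(ipaddress.ip_address(s)), str(ipaddress.ip_address(d)),
                sport, dport, payload)

    def next_hop(self, frame, local_site):
        """(underlay ip, transport port) for the frame, or None if the overlay
        destination is unknown. The lookup key is (net_id, overlay dst), so the
        same overlay address in two implementations never collides."""
        net_id, _, dst, *_ = self.decapsulate(frame)
        net = self.networks.get(net_id)
        hop = net.table.get(ipaddress.ip_address(dst)) if net else None
        if hop is None:
            return None
        return hop.ip, (LAN_PORT if hop.site == local_site else WAN_PORT)


def build_demo():
    """Two independent implementations that both use 10.0.0.0/24 (constructed data)."""
    vts = VirtualTransportSwitch()
    payroll = OverlayNetwork(net_id=1, cidr="10.0.0.0/24")
    payroll.attach("10.0.0.10", Underlay("onprem", "192.168.5.10"))
    payroll.attach("10.0.0.20", Underlay("aws-us-east-1", "172.31.7.5"))
    crm = OverlayNetwork(net_id=2, cidr="10.0.0.0/24")
    crm.attach("10.0.0.10", Underlay("azure-eastus", "10.200.1.9"))  # same overlay ip, other app
    vts.add(payroll)
    vts.add(crm)
    return vts


def resolve(vts, net_id, src, dst, local_site, dport=5432):
    """Wrap one application packet and return where the underlay would carry it."""
    frame = vts.encapsulate(net_id, src, dst, 51000, dport, b"SELECT 1")
    return vts.next_hop(frame, local_site)


if __name__ == "__main__":
    v = build_demo()
    print(resolve(v, 1, "10.0.0.10", "10.0.0.20", "onprem"))   # ('172.31.7.5', 443)
    print(resolve(v, 1, "10.0.0.20", "10.0.0.10", "onprem"))   # ('192.168.5.10', 9797)
    print(resolve(v, 2, "10.0.0.50", "10.0.0.10", "onprem"))   # ('10.200.1.9', 443)
    print(resolve(v, 1, "10.0.0.10", "10.0.0.30", "onprem"))   # None
```

The point a practitioner should take from the model is that the underlay never sees overlay addresses: routing decisions are made from the (net_id, overlay dst) pair carried in the overlay header, which is why an on-premise 10.0.0.10 and a cloud 10.0.0.10 belonging to different applications can coexist on the same physical network without renumbering.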

Figure 4. CoIP Overlay Network Architecture

CoIP Allows Extremely Fast Hybrid Network Deployment

CoIP is decoupled from the underlying IP networks and it involves no hardware. CoIP does not require enterprises to open inbound firewall ports or deploy VPNs. It is an add-on software network and therefore can be deployed extremely quickly. Enterprises can deploy a CoIP network in days, rather than months or years, to connect applications across a cloud ecosystem.

In addition to the benefits described above, CoIP also supports enterprise-grade security for hybrid networks, as addressed in the following section.

Using CoIP Securely Shields Cloud Deployments

Security is a critical consideration when enterprises are deploying IT infrastructure to the cloud. As described above, maintaining perimeter security when setting up a hybrid network using conventional methodologies is a significant and costly challenge. Furthermore, security can be compromised in this process in subtle and damaging ways without being detected. CoIP as the new virtual network paradigm offers an additional layer of security on top of its fundamental capability of maintaining existing security for both the enterprise network and its applications while migrating to the cloud.


CoIP Features Support the Application Shield in the Cloud

CoIP allows an enterprise to easily shield an application by allowing only specified IP addresses to connect with the overlay network. These IP addresses include the endpoints implementing this application and the IP addresses that the application connects to within the physical network. Other applications in the same enterprise network cannot get into, or hack through, the CoIP implementation; likewise, the application running inside the CoIP implementation cannot connect to endpoints on the enterprise network unless specifically permitted by the CoIP network.

The key CoIP features that support the application shield are as follows:

- Private routing on the CoIP network plane
- Specified physical IP addresses allowed to bridge to CoIP routing via the CoIP Edge Gateway
- CoIP transport encryption for LAN and WAN traffic
- Firewalls automatically enforced on all CoIP endpoints

CoIP is fundamentally a virtualization technology that is scalable. The CoIP application shield is decoupled vertically from the underlying network infrastructure. It is also decoupled horizontally from other CoIP implementations. Since each CoIP implementation is closed and private, enterprises can build multiple CoIP implementations on the same physical network environment without worrying about CoIP address conflicts among them.
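The application shield rules above, as an added example of a default-deny chamber firewall; this is not Zentera's code. The Chamber and Flow names, the rule ordering and the via_gateway flag are assumptions, and the addresses and ports are constructed sample data; transport encryption is not modeled. The policy applies the listed features: members talk only on the private overlay, listed physical addresses bridge in only through the edge gateway, egress from members is limited to listed physical destinations and ports, and a second chamber reusing the same overlay addresses stays isolated.

```python
"""Policy model of the CoIP application shield described above. Added example,
not Zentera code. Assumed (not in the whitepaper): the names Chamber and Flow,
the rule order, and that bridged traffic is only accepted when it has passed
through the CoIP Edge Gateway (the via_gateway flag)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    chamber: str                # CoIP implementation the packet belongs to
    src: str                    # overlay or physical source address
    dst: str                    # overlay or physical destination address
    dport: int
    via_gateway: bool = False   # frame was bridged by the CoIP Edge Gateway


@dataclass
class Chamber:
    """One closed CoIP implementation and its allowlists."""
    name: str
    members: set        # overlay addresses of the endpoints implementing the app
    bridged: dict       # physical cidr -> ports the app may reach there
    app_ports: set      # ports the shielded app exposes to members and bridged peers

    def is_member(self, ip):
        return ipaddress.ip_address(ip) in {ipaddress.ip_address(m) for m in self.members}

    def bridged_ports(self, ip):
        addr = ipaddress.ip_address(ip)
        for cidr, ports in self.bridged.items():
            if addr in ipaddress.ip_network(cidr, strict=False):
                return ports
        return None


def evaluate(chambers, flow):
    """Default-deny chamber firewall as it would be enforced on every endpoint.
    Returns (verdict, reason)."""
    ch = chambers.get(flow.chamber)
    if ch is None:
        return "DENY", "unknown chamber"
    src_member, dst_member = ch.is_member(flow.src), ch.is_member(flow.dst)

    # 1. Private overlay traffic between the app's own endpoints.
    if src_member and dst_member:
        if flow.dport in ch.app_ports:
            return "ALLOW", "member to member on the private overlay"
        return "DENY", f"port {flow.dport} is not an application port"

    # 2. Bridged ingress: an allowlisted physical address reaching the app.
    if dst_member and ch.bridged_ports(flow.src) is not None:
        if not flow.via_gateway:
            return "DENY", "physical source must enter through the edge gateway"
        if flow.dport in ch.app_ports:
            return "ALLOW", "allowlisted physical source via edge gateway"
        return "DENY", f"port {flow.dport} is not an application port"

    # 3. Bridged egress: the app reaching an allowlisted enterprise service.
    if src_member and ch.bridged_ports(flow.dst) is not None:
        if flow.via_gateway and flow.dport in ch.bridged_ports(flow.dst):
            return "ALLOW", "member to allowlisted physical destination via edge gateway"
        return "DENY", "egress destination or port not permitted"

    # 4. Everything else, including other apps on the same physical network
    #    and endpoints of other chambers that reuse the same overlay addresses.
    return "DENY", "not on the chamber allowlist"


def build_chambers():
    """Constructed sample policy: two implementations sharing 10.0.0.0/24."""
    payroll = Chamber("payroll",
                      members={"10.0.0.10", "10.0.0.20"},
                      bridged={"192.168.50.0/24": {1521}},   # on-premise database listeners
                      app_ports={443, 8443})
    crm = Chamber("crm", members={"10.0.0.10"}, bridged={}, app_ports={443})
    return {"payroll": payroll, "crm": crm}


def verdict(flow):
    return evaluate(build_chambers(), flow)[0]


if __name__ == "__main__":
    for f in (Flow("payroll", "10.0.0.10", "10.0.0.20", 8443),
              Flow("payroll", "192.168.50.7", "10.0.0.20", 443, via_gateway=True),
              Flow("payroll", "192.168.50.7", "10.0.0.20", 443),
              Flow("payroll", "10.0.0.10", "192.168.50.30", 1521, via_gateway=True),
              Flow("payroll", "10.0.0.10", "192.168.60.30", 1521, via_gateway=True),
              Flow("crm", "10.0.0.10", "10.0.0.20", 443)):
        print(f, *evaluate(build_chambers(), f))
```

Two checks worth keeping when reviewing such a policy in practice: a physical address on the bridge allowlist is still denied if its frame did not arrive through the edge gateway (rule 2), and a member's egress is confined to the listed destination and port rather than to the whole enterprise network (rule 3), which is what keeps the "hundreds" intact while moving "one".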

CoIP Keeps Enterprise Physical Security Perimeters Intact

An enterprise perimeter-based firewall system, the "hard shell, soft core" described above, is a critical element in protecting enterprise boundaries. As discussed in an earlier section, when enterprises start to migrate applications to the cloud, it is important to maintain the existing security implementation without disrupting the status quo.

CoIP technology allows enterprise IT to meet this goal without having to open any inbound "pinholes" on corporate firewalls: CoIP WAN transport is initiated outbound from the endpoint using just port 443, which most existing enterprise firewall policies already permit, so the CoIP architecture works with those policies without change. Note that an outbound port 443 session still carries application traffic across the perimeter, so the perimeter's egress policy and the CoIP network's own policy control (the application shield described above) become the effective boundary for that traffic.

When the CoIP implementation is ported over a hybrid cloud environment, it remains entirely under the control of the enterprise that owns it. The CoIP implementation is a closed, private network that is securely shielded for specifically allowed applications.


CoIP is the Next Paradigm for Cloud Ecosystems

Figure 5. The Cloud over IP Network

Cloud over IP (CoIP) is the next-generation virtual overlay network that is secure, portable, easy to implement, and does not disrupt the existing enterprise network or perimeter security infrastructure. CoIP implements an overlay network for hybrid cloud applications that enables migration from the enterprise to the cloud while shielding applications running in a hybrid cloud environment. In sum, CoIP provides the cloud ecosystem with the security, ease of deployment and accelerated time-to-production that will drive widespread cloud adoption. The future is CoIP and it is here now, as shown in Fig. 5, the CoIP network.

Authored by Jaushin Lee, Ph.D., and CEO, Zentera Systems

All trademarks herein are the property of their respective owners.