The term cloud refers to a network of servers, that is, computing resources located at a remote site rather than on the user's own premises. These servers store and process data, deliver content (email or any other data), host applications and perform many other tasks.
A Cloud Service Provider (CSP) is an organization that deploys physical servers and rents them out to other organizations on a subscription basis.
What is a cloud deployment model?
A cloud deployment model describes who owns, operates and shares the cloud infrastructure, and how the CSP provisions, organizes and manages that infrastructure and the services running on it.
There are four primary deployment models.
Private Cloud.
A single organization owns and maintains this type of cloud, giving departments and staff spread across many locations central access to its IT resources.
An organization uses it when it requires a high level of control over security and has strict governance or compliance requirements.
A private cloud is more expensive than a public cloud because the organization pays for all the hardware needed to set up the cloud servers, whether or not that capacity is fully used.
Organizations can host private clouds on-premises in their own datacenters or have them hosted by a third-party CSP; either way, the hardware is dedicated to that one organization.
Public Cloud.
Unlike a private cloud, whose infrastructure is dedicated to and controlled by one organization, a public cloud is a pool of computing services delivered over the Internet by a CSP (cloud service provider).
A public cloud uses a pay-as-you-go or monthly/yearly subscription model for users who want the services it offers.
It is a shared platform: the server hardware, other resources and the services are shared between the different customers that use the public cloud. This is called multitenancy (multiple tenants or customers).
Examples of public clouds are Amazon Web Services (AWS), Microsoft Azure and DigitalOcean.
Multitenancy.
Multitenancy is an architecture in which one instance of an application (or server) serves multiple clients, or tenants. Public cloud services depend on resource pooling.
This means the CSP virtualizes physical resources into a group, or pool, and makes these pooled resources available to tenants.
Resource pooling hides the physical hardware from the customer and allows many customers to share resources.
Since hardware resources are shared, different organizations are very likely to run their respective services on the same physical server. Isolation between tenants then rests on the CSP's hypervisor, storage and network controls rather than on physically separate hardware.
For compliance reasons, many organizations do not use a public cloud (which relies on multitenancy).
Cloud Within a Cloud.
The organization uses public cloud resources to create a private cloud.
It uses those public cloud resources to provision the virtual infrastructure for its services and manages access to those services itself.
A cloud within a cloud is set up using the virtual private cloud (VPC) feature of the public cloud. In Azure, the equivalent of a VPC is a virtual network (VNet).
The concept of a VPC is what is meant by a “cloud within a cloud.”
A VPC isolates the organization's private cloud inside the public cloud using subnets (a network inside a network), virtual local area network (VLAN) style segmentation and virtual private network (VPN) connections back to the organization. The isolation is logical: the underlying hardware is still shared with other tenants.
Example: An organization runs its operations in a public cloud, and within that public cloud the finance department has its own dedicated, isolated cloud.
Community Cloud.
A community cloud occurs when several organizations from a specific group, with common computing needs or similar requirements for regulatory compliance, security or policy, share the infrastructure.
Consider a scenario where several medical research organizations (healthcare) are working on a joint project.
These organizations need to share resources, but because each also has its own projects, it needs to keep those details private. In this scenario the organizations cannot use the public cloud, because unrelated organizations would share the resources.
In a community cloud, the organizations use infrastructure provided by the CSP to share software and development tools designed to meet the community's needs.
Additionally, each organization builds its own private cloud space to meet the regulatory compliance, security or policy requirements of the community.
Examples of community clouds are those built for banking, healthcare and e-commerce.
A Government Community Cloud (GCC) is a cloud-based environment in which government agencies host their business processes. Cloud service providers create GCCs to meet the needs of government programs.
Hybrid Cloud.
A hybrid cloud is when an organization uses two or more clouds (public, community or private) concurrently.
In this model, the organization continues to provide and manage some services internally, while other resources are provided externally by a CSP.
A hybrid cloud lets the organization keep its mission-critical data behind its own firewall and outside of the public cloud.
Example: An organization needs a private cloud to host applications whose data is subject to compliance or security constraints, and a public cloud to host its other applications.
Cloud Bursting.
Cloud bursting is the practice of using public cloud resources when the on-premises datacenter's resources are at peak capacity.
When an organization runs out of computing resources in its internal datacenter, it sends the extra workload or requests to a third-party cloud service for processing.
Example: An organization uses a hybrid cloud, and an internal application is fully functional in the on-premises datacenter.
If that application receives many requests at once and the on-premises computing resources reach full capacity and cannot process any more, the extra unprocessed requests are sent to a copy of the application deployed in the public cloud (provided by the CSP).
The main advantages of cloud bursting are flexibility and self-service: most CSPs charge the organization only for the requests the public cloud actually processes, that is, only while the on-premises datacenter is out of resources. Because a burst moves the workload and its data across the boundary into the CSP, only workloads whose data is permitted to leave the private environment should be eligible to burst.
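The routing decision behind cloud bursting, as an added Python example (not code from the original article): requests are placed on-premises while capacity remains, overflow is sent to the public cloud and counted as billable, and requests carrying data that may not leave the private environment are held back instead of bursting. The fixed slot-based capacity model, the data classifications, and the sample requests are assumptions made for illustration.

```python
"""Cloud-bursting dispatcher (added example, not from the original article).

Assumptions: on-premises capacity is a fixed number of slots, every request
carries a data classification, and only requests whose data may leave the
private environment are allowed to burst to the public cloud.
"""
from dataclasses import dataclass, field
from enum import Enum


class Classification(Enum):
    PUBLIC = "public"
    INTERNAL = "internal"
    RESTRICTED = "restricted"   # must never leave the private environment


# Assumption: only these classes may cross the trust boundary into the CSP.
BURST_ELIGIBLE = {Classification.PUBLIC, Classification.INTERNAL}


@dataclass(frozen=True)
class Request:
    request_id: str
    classification: Classification
    cost_units: int = 1          # capacity units the request consumes


@dataclass
class BurstDispatcher:
    onprem_capacity: int
    onprem_in_use: int = 0
    cloud_billed_units: int = 0                      # what the CSP would charge for
    placement: dict = field(default_factory=dict)    # request_id -> location
    deferred: list = field(default_factory=list)     # restricted overflow waiting

    def _fits_onprem(self, req: Request) -> bool:
        return self.onprem_in_use + req.cost_units <= self.onprem_capacity

    def dispatch(self, req: Request) -> str:
        """Place one request; returns 'on-prem', 'public-cloud' or 'deferred'."""
        if self._fits_onprem(req):
            self.onprem_in_use += req.cost_units
            where = "on-prem"
        elif req.classification in BURST_ELIGIBLE:
            # Burst: the CSP bills only for work it actually processes.
            self.cloud_billed_units += req.cost_units
            where = "public-cloud"
        else:
            # Restricted data may not burst; hold it until on-prem frees up.
            self.deferred.append(req)
            where = "deferred"
        self.placement[req.request_id] = where
        return where

    def complete(self, req: Request) -> list:
        """Finish an on-prem request and retry deferred requests that now fit."""
        if self.placement.get(req.request_id) == "on-prem":
            self.onprem_in_use -= req.cost_units
        retried, still_waiting = [], []
        for pending in self.deferred:
            if self._fits_onprem(pending):
                self.onprem_in_use += pending.cost_units
                self.placement[pending.request_id] = "on-prem"
                retried.append(pending.request_id)
            else:
                still_waiting.append(pending)
        self.deferred = still_waiting
        return retried


def run_demo() -> BurstDispatcher:
    """Constructed burst of five requests against three on-prem slots."""
    d = BurstDispatcher(onprem_capacity=3)
    sample = [
        Request("r1", Classification.INTERNAL),
        Request("r2", Classification.RESTRICTED),
        Request("r3", Classification.PUBLIC),
        Request("r4", Classification.INTERNAL),     # overflow -> public cloud
        Request("r5", Classification.RESTRICTED),   # overflow -> deferred
    ]
    for req in sample:
        d.dispatch(req)
    d.complete(sample[0])   # r1 finishes; deferred r5 now fits on-prem
    return d


if __name__ == "__main__":
    demo = run_demo()
    for rid, where in demo.placement.items():
        print(f"{rid}: {where}")
    print("cloud-billed units:", demo.cloud_billed_units)
```

In the demo, r4 bursts and is the only request the CSP would bill for, while the restricted r5 waits until r1 completes and then runs on-premises; a real dispatcher would add a timeout or alert for deferred requests so that a long peak does not silently stall regulated work.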
Multicloud.
A multicloud deployment is when an organization uses multiple CSPs, often redundantly.
When a single CSP presents too much risk to the organization, it spreads an application across two or more providers for redundancy.
If one CSP goes down, the other providers pick up its share of the service.
Multicloud also lets the organization take the best services from multiple vendors (CSPs) and combine them into a solution that meets its needs.
Example: The organization hosts its IaaS workloads in Azure, its PaaS workloads in AWS and its databases in GCP.
Advantages of multicloud are:
- Avoiding vendor lock-in.
- Cost efficiency.
- Increased reliability and redundancy.
- Flexibility to choose services from different CSPs.
- Reduced exposure to outages and unplanned downtime.
Middleware.
Middleware is software that different applications, services or servers use to communicate with each other. It connects applications, data and users in the cloud.
Example: Using remote procedure calls (RPC), applications communicate across networks without having to understand the specifics of the other side's network.
Application programming interfaces (APIs), transaction middleware and database middleware are other examples of middleware.
Runtime Environment (Runtime).
The runtime executes, or runs, a program or application within its environment.
It provides the support the application or code needs to function and to interact with the operating system, hardware and other programs.
Example: the .NET runtime for .NET applications, the Visual Basic runtime and the Java Runtime Environment (JRE).
Virtualization.
Virtualization is the process that allows a CSP to use physical server hardware efficiently by creating virtual representations of servers, storage, networks and other physical machines.
Consider an organization with three dedicated physical servers: a database server, an email server and a legacy application server.
If each server is running at 25 percent capacity, 75 percent of each server's resources are not in use.
With virtualization, the organization can split one physical server into two virtual servers and host the database server and the email server on a single physical machine. The hypervisor that does this splitting then becomes the boundary that keeps the two virtual servers apart.
What is a cloud service model?
A cloud service model is the set of services offered by a CSP and the way the organization accesses them.
The CSP controls the hardware of the servers hosting the service, while what the organization controls depends on which cloud service model it uses.
Below are the main cloud service models.
Infrastructure as a service (IaaS).
In this model, the CSP provides (rents out) the infrastructure (hardware, storage, network and the virtualization layer) to the organization and is responsible for replacing and maintaining the infrastructure the organization uses.
The CSP is responsible for ensuring the physical security of the datacenter where the infrastructure is located, to prevent compromise of the customer data stored within it.
The organization using IaaS is responsible for installing, configuring and managing the operating system (OS), runtime, middleware, application and data hosted on the infrastructure the CSP provides; the CSP may supply the OS image, but patching and hardening it are the organization's job.
Examples: virtual machines, storage resources, compute, load balancers and firewalls.
Platform as a Service (PaaS).
In the PaaS service model, the CSP delivers a platform to clients, enabling them to develop, run and manage applications and data without having to build and maintain the underlying infrastructure.
The runtime, middleware, operating system (OS) and infrastructure are handled by the CSP.
PaaS is a popular model with software developers because they can deploy their applications quickly without provisioning VMs or keeping up with OS maintenance.
Examples: Google App Engine, Red Hat OpenShift, AWS Elastic Beanstalk and serverless computing.
Software as a Service (SaaS).
In this model, the CSP provides a complete software solution.
The CSP is responsible for installing, configuring and managing everything related to the SaaS application.
The organization just has to connect to the SaaS application (over the Internet) and use it.
The organization has limited control over the operation and configuration of the SaaS application.
Example: An organization that uses Exchange Online can send and receive email, but it cannot change or control the version of Exchange Server that Microsoft 365 runs in the backend. Hence the organization has limited control in the SaaS model.
Examples: Salesforce, and the Microsoft 365 and Office 365 apps (such as Exchange Online and SharePoint Online).
What is Shared Responsibility Model?
Cloud providers operate under a shared responsibility model, which defines what you (the organization using the cloud) are responsible for and what the CSP is responsible for.
In IaaS, the CSP is responsible for the infrastructure it provides as a service (hardware, virtualization, storage and networking). The organization is responsible for installing, configuring and managing the operating system (OS), runtime, middleware, application and data.
In PaaS, the organization is responsible for the applications (code) and data it chooses to host and execute on the service, and the CSP takes responsibility for almost everything else.
In SaaS, the CSP takes responsibility for everything, including the software itself. The organization's responsibility is limited to how it configures and uses the software.
Looking at shared responsibility from a security angle: in IaaS, the CSP is responsible for securing the infrastructure, and the organization is responsible for securing the OS, the applications and the data.
In PaaS, the CSP handles the security of the platform, and the organization is responsible for securing the applications and data.
In SaaS, the CSP handles most of the security responsibilities, but the organization is still responsible for user accounts and access, and for the security of its data.
If the account used to access the SaaS application is compromised, it does not matter that the data sits in a physically secured datacenter: the compromised account can still read it. Identity and access control therefore remain the organization's responsibility in every service model.
Security best Practices.
Most CSPs publish security baselines for the services they offer. These baselines are based on industry best practices.
Below are the best practices for cloud security.
- Principle of least privilege (PoLP): give each user only the minimum access needed to perform the job.
- Just-in-Time (JIT) access: grant access to resources only when it is needed and for a limited time; do not allow standing access.
- Zero Trust: always verify a request before granting access to a resource, regardless of whether the request comes from inside or outside the network.
- Data encryption: always encrypt data at rest and data in transit for cloud resources.
- Audits and monitoring: periodically audit and scan the cloud platform's resources to confirm they comply with the organization's security standards, and monitor activity so that deviations are detected.
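Least privilege, just-in-time access and auditing applied to an access policy, as an added Python example (not code from the original article): a simplified evaluator modelled on AWS-style IAM policies, in which an explicit Deny overrides any Allow and anything not allowed is denied, a time-bounded statement standing in for a JIT grant, and an audit function that flags Allow statements with wildcard actions or resources. The policy documents, bucket and instance ARNs, account ID and timestamps are constructed for illustration; real IAM evaluation has more rules (conditions, resource policies, permission boundaries) than are modelled here.

```python
"""Least-privilege and just-in-time policy check.

Added example, not from the original article. Simplified allow/deny
evaluation in the style of AWS IAM (explicit Deny wins, default deny),
a time-bounded statement to model a JIT grant, and an audit that flags
wildcard grants. All policy contents, ARNs and timestamps are constructed.
"""
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Constructed: a weak policy that fails least privilege outright.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed: an assumed two-hour JIT window for an operator.
JIT_EXPIRES = "2024-05-01T12:00:00+00:00"
NOW_IN_WINDOW = datetime(2024, 5, 1, 11, 0, tzinfo=timezone.utc)
AFTER_WINDOW = datetime(2024, 5, 1, 13, 0, tzinfo=timezone.utc)

# Constructed: the corrected policy, scoped to what the job actually needs.
TIGHT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Read-only access to one bucket.
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::finance-reports",
                         "arn:aws:s3:::finance-reports/*"],
        },
        {   # Explicit Deny carves the payroll prefix out of the Allow above.
            "Effect": "Deny",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::finance-reports/payroll/*",
        },
        {   # JIT: the operator may start one instance until the window closes.
            "Effect": "Allow",
            "Action": "ec2:StartInstances",
            "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc123",
            "Condition": {"DateLessThan": {"aws:CurrentTime": JIT_EXPIRES}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _any_match(patterns, value):
    # IAM-style '*' wildcards; fnmatchcase keeps matching case-sensitive.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _within_time_window(statement, now):
    """Honour DateLessThan / DateGreaterThan conditions on aws:CurrentTime."""
    cond = statement.get("Condition", {})
    checks = (("DateLessThan", lambda t: now < t),
              ("DateGreaterThan", lambda t: now > t))
    for key, ok in checks:
        bound = cond.get(key, {}).get("aws:CurrentTime")
        if bound is not None and not ok(datetime.fromisoformat(bound)):
            return False
    return True


def is_allowed(policy, action, resource, now):
    """Default deny; an explicit Deny overrides any matching Allow."""
    allowed = False
    for st in policy["Statement"]:
        if not (_any_match(st["Action"], action)
                and _any_match(st["Resource"], resource)
                and _within_time_window(st, now)):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def audit_least_privilege(policy):
    """Return (statement index, reason) for Allow statements that are too broad."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st["Effect"] != "Allow":
            continue
        actions = _as_list(st["Action"])
        if "*" in actions:
            findings.append((i, "Action '*' grants every API call"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((i, "service-wide wildcard action"))
        if "*" in _as_list(st["Resource"]):
            findings.append((i, "Resource '*' grants access to every resource"))
    return findings


if __name__ == "__main__":
    print("weak policy findings:", audit_least_privilege(WEAK_POLICY))
    print("tight policy findings:", audit_least_privilege(TIGHT_POLICY))
    obj = "arn:aws:s3:::finance-reports/payroll/may.csv"
    print("payroll read allowed:", is_allowed(TIGHT_POLICY, "s3:GetObject", obj, NOW_IN_WINDOW))
```

Running the audit over WEAK_POLICY produces two findings, while TIGHT_POLICY produces none; the evaluator shows that the payroll Deny holds even though the bucket-wide Allow also matches, and that the JIT grant stops working once the window has passed, which is what distinguishes it from standing access.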
Conclusion.
In this article we explored the cloud deployment models and service models.
Choosing the right combination of deployment and service models depends on factors such as the organization's security and compliance requirements, its identity and security control needs, and its budget.
The CSP offers multiple ways for the organization to deploy and manage applications and services.
It also allows the organization to reduce its infrastructure deployment and management burden by sharing it with the CSP.