
Calling All Private Cloud Haters: Amazon Just Peed On Your Fire Hydrant…

Werner Vogels brought a smile to my face today with his blog titled “Seamlessly Extending the Data Center – Introducing Amazon Virtual Private Cloud.”  In short:

We have developed Amazon Virtual Private Cloud (Amazon VPC) to allow our customers to seamlessly extend their IT infrastructure into the cloud while maintaining the levels of isolation required for their enterprise management tools to do their work.

In one fell swoop, AWS has:

  • Legitimized Private Cloud as a reasonable, needed, and prudent step toward Cloud adoption for enterprises,
  • Substantiated the value proposition of Private Cloud as a way of removing a barrier to Cloud entry for enterprises, and
  • Validated the ultimate vision toward hybrid Clouds and Inter-Cloud

They made this announcement from the vantage point of operating as a Public Cloud provider — in many cases THE Public Cloud provider of choice for those arguing from an exclusionary perspective that Public Cloud is the only way forward.

Now, AWS’ position on Private Cloud is pretty clear; straight from the horse’s mouth, Werner says “Private Cloud is not the Cloud” (see below) — but it’s also clear they’re willing to sell you some 😉

The cost for VPC isn’t exorbitant, but it’s not free, either, so the business case is clearly there (see the official VPC site): VPN connectivity is $0.05 per VPN connection, with data transfer rates of $0.10 per GB inbound and ranging from $0.17 per GB to $0.10 per GB outbound depending upon volume. With heavy data replication or intensive workloads, people are going to need to watch the odometer.

I’m going to highlight a couple of nuggets from his post:

We continuously listen to our customers to make sure our roadmap matches their needs. One important piece of feedback that mainly came from our enterprise customers was that the transition to the cloud of more complex enterprise environments was challenging. We made it a priority to address this and have worked hard in the past year to find new ways to help our customers transition applications and services to the cloud, while protecting their investments in their existing IT infrastructure. …

Private Cloud Is Not The Cloud – These CIOs know that what is sometimes dubbed “private cloud” does not meet their goal as it does not give them the benefits of the cloud: true elasticity and capex elimination. Virtualization and increased automation may give them some improvements in utilization, but they would still be holding the capital, and the operational cost would still be significantly higher.

We have been listening very closely to the real requirements that our customers have and have worked closely with many of these CIOs and their teams to understand what solution would allow them to treat the cloud as a seamless extension of their datacenter, where their standard management practices can be applied with limited or no modifications. This needs to be a solution where they get all the benefits of cloud as mentioned above [Ed: eliminates cost, elastic, removes “undifferentiated heavy lifting”] while treating it as a part of their datacenter.

We have developed Amazon Virtual Private Cloud (Amazon VPC) to allow our customers to seamlessly extend their IT infrastructure into the cloud while maintaining the levels of isolation required for their enterprise management tools to do their work.

With Amazon VPC you can:

  • Create a Virtual Private Cloud and assign an IP address block to the VPC. The address block needs to be CIDR block such that it will be easy for your internal networking to route traffic to and from the VPC instance. These are addresses you own and control, most likely as part of your current datacenter addressing practice.
  • Divide the VPC addressing up into subnets in a manner that is convenient for managing the applications and services you want run in the VPC.
  • Create a VPN connection between the VPN Gateway that is part of the VPC instance and an IPSec-based VPN router on your own premises. Configure your internal routers such that traffic for the VPC address block will flow over the VPN.
  • Start adding AWS cloud resources to your VPC. These resources are fully isolated and can only communicate to other resources in the same VPC and with those resources accessible via the VPN router. Accessibility of other resources, including those on the public internet, is subject to the standard enterprise routing and firewall policies.

Amazon VPC offers customers the best of both the cloud and the enterprise managed data center:

  • Full flexibility in creating a network layout in the cloud that complies with the manner in which IT resources are managed in your own infrastructure.
  • Isolating resources allocated in the cloud by only making them accessible through industry standard IPSec VPNs.
  • Familiar cloud paradigm to acquire and release resources on demand within your VPC, making sure that you only use those resources you really need.
  • Only pay for what you use. The resources that you place within a VPC are metered and billed using the familiar pay-as-you-go approach at the standard pricing levels published for all cloud customers. The creation of VPCs, subnets and VPN gateways is free of charge. VPN usage and VPN traffic are also priced at the familiar usage based structure

All the benefits from the cloud with respect to scalability and reliability, freeing up your engineers to work on things that really matter to your business.

Jeff Barr did a great job of giving a little more detail on his blog but also brought up a couple of points I need to noodle on from a security perspective:

Because the VPC subnets are used to isolate logically distinct functionality, we’ve chosen not to immediately support Amazon EC2 security groups. You can launch your own AMIs and most public AMIs, including Microsoft Windows AMIs. You can’t launch Amazon DevPay AMIs just yet, though.

The Amazon EC2 instances are on your network. They can access or be accessed by other systems on the network as if they were local. As far as you are concerned, the EC2 instances are additional local network resources — there is no NAT translation. EC2 instances within a VPC do not currently have Internet-facing IP addresses.

We’ve confirmed that a variety of Cisco and Juniper hardware/software VPN configurations are compatible; devices meeting our requirements as outlined in the box at right should be compatible too. We also plan to support Software VPNs in the near future.
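As an added illustration of the four steps Werner lists (pick a CIDR block your internal network can route, carve subnets, send that block over the IPsec VPN, add resources) and Jeff Barr’s note that VPC instances are plain routable addresses with no NAT, here is a small Python planner. It is not AWS code; the on-prem prefixes and the VPC block are constructed sample values, and “vpn-gateway” is just a label for the route next hop.

```python
"""Plan a VPC address block the way the quoted steps describe: check the
proposed CIDR against the on-prem address plan, carve subnets, and make
the routing decision that sends VPC-bound traffic over the VPN.
Added example, not AWS code; all prefixes below are constructed."""
import ipaddress

# Constructed sample address plan (RFC 1918 space we pretend to own).
ONPREM_PREFIXES = ["10.0.0.0/16", "10.1.0.0/16", "192.168.0.0/24"]
VPC_CIDR = "10.2.0.0/16"


def overlapping_prefixes(vpc_cidr, onprem_prefixes):
    """Return the on-prem prefixes that overlap the proposed VPC block.
    Any overlap means internal routers cannot route to the VPC unambiguously,
    which matters because VPC instances are reached without NAT."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    return [p for p in onprem_prefixes
            if ipaddress.ip_network(p).overlaps(vpc)]


def carve_subnets(vpc_cidr, new_prefix):
    """Divide the VPC block into equal subnets of length new_prefix (step 2)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    if new_prefix <= vpc.prefixlen:
        raise ValueError("subnet prefix must be longer than the VPC prefix")
    return [str(s) for s in vpc.subnets(new_prefix=new_prefix)]


def route_for(dst_ip, vpc_cidr, onprem_prefixes):
    """Longest-prefix-match decision for a packet leaving an on-prem host:
    'vpn' if it is for the VPC (step 3), 'local' for on-prem space,
    otherwise 'default', i.e. subject to the enterprise firewall policy."""
    dst = ipaddress.ip_address(dst_ip)
    candidates = [(ipaddress.ip_network(p), "local") for p in onprem_prefixes]
    candidates.append((ipaddress.ip_network(vpc_cidr), "vpn"))
    matches = [(n.prefixlen, label) for n, label in candidates if dst in n]
    if not matches:
        return "default"
    return max(matches)[1]  # longest prefix wins


def plan_vpc(vpc_cidr, onprem_prefixes, new_prefix=24):
    """Run the checks together and refuse to plan if the block collides."""
    clashes = overlapping_prefixes(vpc_cidr, onprem_prefixes)
    if clashes:
        raise ValueError(f"{vpc_cidr} overlaps on-prem prefixes {clashes}")
    return {"vpc": vpc_cidr,
            "subnets": carve_subnets(vpc_cidr, new_prefix),
            "route": f"{vpc_cidr} via vpn-gateway"}  # hypothetical next-hop label


if __name__ == "__main__":
    print(plan_vpc(VPC_CIDR, ONPREM_PREFIXES, new_prefix=20))
```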

The notion of the VPC and associated VPN connectivity coupled with the “software VPN” statement above reminds me of Cohesive F/T’s VPN-Cubed solution.  While this is an IaaS-focused discussion, it’s only fair to bring up Google’s Secure Data Connector that was announced some moons ago from a SaaS/PaaS perspective, too.

I would be remiss in my musings were I not to also suggest that Cloud brokers and Cloud service providers such as RightScale, GoGrid, Terremark, etc. were on the right path in responding to customers’ needs well before this announcement.

Further, it should be noted that now that the 800lb Gorilla has planted a flag, this will bring up all sorts of additional auditing and compliance questions, as any sort of broad connectivity into and out of security zones and asset groupings always does.  See the PCI debate (How to Be PCI Compliant In the Cloud).

At the end of the day, this is a great step forward — one I am happy to say I’ve been talking about and presenting (see my Frogs presentation) for the last two years.


  1. August 25th, 2009 at 21:28 | #1

    Ok so the private cloud parade is very quick to chalk this up as a win but it's not – "Virtual Private Cloud" is just another name for "hybrid cloud" which [in this case] incorporates both public and private services, while "private cloud" is positioned as an alternative to public cloud. Most useful cloud deployments are in fact hybrid cloud (think SSO, migration, sync) and as one of the primary private cloud opponents I've actually been very supportive of such nomenclature:

    "All is not lost though, as most of what people are calling "private clouds" have some "public cloud" aspect (even if just the future possibility to migrate) and can be classed as a "hybrid cloud" architecture. Indeed according to the likes of HP, Citrix and Nicholas Carr (and myself) most large enterprises will be looking to run a hybrid architecture for up to 5-10 years (though many early adopters have already taken the plunge). Yes it's semantic but the important difference is that you're not claiming to be a drop in replacement for cloud computing, rather a component of it. You can expect a lot less resistance from cloud computing partisans as a result."

  2. August 25th, 2009 at 21:38 | #2

    I'm sorry, but even with the exalted rulings of "HP, Citrix, Nick Carr & You" — none of which have much play in Private Cloud anyway — the fact that you've somehow invented the fact (as you stated in Twitter while pointing here) that "Private cloud purports to be a drop in replacement while VPC (aka hybrid) is a complement to public cloud."

    Please point to where this point is made and how, after numerous debates articulating that Hybrid Clouds (and ultimately Inter-Cloud) is where we are headed, you're somehow now saying something different after all this time.

    I think it's humorous that you have simply chosen to dodge the definitional bullet by ignoring the significance of AWS' announcement of VIRTUAL PRIVATE CLOUD as a stepping stone toward Hybrid Cloud/Inter-Cloud and simply handwaved the discussion by talking about Hybrid Cloud which is NOT what VPC is.

    I'll be defining that difference for you in my next post…



  3. August 25th, 2009 at 22:47 | #3

    Nope, still not getting it.

    The use of public or private IP addresses, and the NAT'ing thereof, is not a security feature. The use of VPN to segregate is kind of neat but still unreliable in operation.

    And I like the idea of shifting blame for failure onto some sort of undefined, non-resolvable, non-targetable external source 'in the cloud'. I'm looking forward to root-cause analysis for outages in cloud heh.

    Nice option for testing or a playground perhaps. No doubt, other non-core activities or low profit / low value services can use this kind of service. But I'm not seeing your side of the story yet.

  4. August 25th, 2009 at 23:00 | #4


    Not getting what, exactly?

    I'm not sure what you're expecting as "[my] side of the story."

    There are two things I think you are confusing here: (1) The market's adoption of connectivity capability between their Private Clouds/Internal infrastructure and that of a Public Cloud provider and (2) the security thereof.

    I simply discuss/describe the reality of where I see customers going in terms of #1 while pointing out the fact that we're FAR from perfect as it relates to #2…

    What is it you think I'm trying to say — that somehow this is "secure?" I'm not and never have, but at the same point, it does no good to pretend that Private Cloud/Virtual Private Cloud is not going to happen — Amazon isn't any longer.


  5. August 26th, 2009 at 00:15 | #5

    There you go using "private cloud" and "virtual private cloud" interchangeably when you know well they are two very different things – "private cloud" [purportedly] being a better/faster/cheaper/safer version of "public cloud" and "virtual private cloud" being VPN-connected clouds or in this case more like a replica of Google's Secure Data Connector.

    Amazon have said absolutely nothing about private cloud – rather talking about introducing cloud to legacy infrastructure, VPC being a "secure and seamless bridge between a company’s existing IT infrastructure and the AWS cloud" – they have not legitimised, substantiated or validated anything beyond the fact that there is data inside today that they need access to from outside.


  6. August 26th, 2009 at 01:58 | #6

    I wonder if Amazon's next step will be to partner with a hardware supplier like Dell to produce EC2 appliance servers which go into customer data centres, running at the "private" end of this public-private network link? Provisioning of services on those EC2 appliances would happen through the same EC2 interface as standard instances, but with the geographic region being the clients hosting center?

    If a customer was talking of a minimum commitment of perhaps $500,000 per year of EC2 resources, some local servers wouldn't be a significant cost on top of that.

  7. August 26th, 2009 at 03:44 | #7

    I am jumping for joy with this announcement. While all the server huggers fight the concepts of cloud computing, I embrace each advancement. Now my hybrid cloud solution http://www.kavistechnology.com/blog/?p=1163 just got much simpler because I don't need two different vendors to source it. One vendor, one set of SLAs, one reputable company!

    For all the naysayers, just remember that there are companies like mine that are built in the cloud from scratch and never intend to build a datacenter or buy a physical server for that matter. So what doesn't work for you actually works great for me!

  8. August 26th, 2009 at 04:31 | #8

    I already have such a thing. I have web servers that send processing up to payment providers when someone purchases something via credit card. Cloud computing!

  9. August 26th, 2009 at 08:17 | #9

    What's the news here? That Amazon is announcing this and that they call it private cloud. Everything else is "déja vu". HP amongst others has been proposing the same since 2005 under the name "Flexible Computing". So, frankly, I don't understand why people are getting so excited about this.

  10. August 26th, 2009 at 08:23 | #10


    Private virtual environments are existing for quite a while. They work great and have good return. Whether they are called cloud or not is frankly irrelevant. The benefit of the "cloud", in the public sense of the term, is that it can leverage the needs of many customers, hence has a potential of great elasticity, and its datacenters have the potential to run at higher efficiencies. "Private Clouds" have less of that potential as they limit the leverage to one enterprise. So, in my mind it makes sense to talk about virtualized data centers or next generation data centers, or highly leveraged data centers or something similar. Calling them cloud blurs the boundaries and confuses people.

  11. August 26th, 2009 at 19:18 | #11


    Compared to Google Search (which Google do put in a box called the Google Search Appliance) it would have been trivial to put Google Apps in a box. Did they? No. Because their strategy is, like Amazon's, based on public cloud. As it should be.


  13. August 27th, 2009 at 02:39 | #13

    I think what Amazon is doing with VPC is great and good for the industry but it's not a true private cloud, it's something new and this is more than just semantics IMHO. I wrote this up recently here: http://silvexis.com/blog/2009/08/26/amazon-vpc-a-

    It struck me while writing my article that at least one company (HP) has a private cloud right under their noses but they don't think of it this way. I didn't even think of it that way when I worked there, I had to leave HP to see it clearly. Part of the issue is that they started creating their "private cloud" long before people were calling anything cloud computing. I'm going to have to explore this a little bit more in a future post. The point here however is that while what Amazon has just created is great, it's not what most would call a private cloud. More fuel for the "just what is cloud computing" definition fire.

  14. August 27th, 2009 at 05:47 | #14


    …I'm running to the airport with my kids, so this will be brief, to be expanded upon later:

    A "true" Private Cloud? Well, perhaps that's why they called it a "Virtual Private Cloud" in the first place? It's a STEPPING STONE to merging private clouds (per your definition, if you like) and public clouds into what ultimately will become hybrid Clouds.

    By your definition:

    "… but for most the definition of “private cloud” means a dedicated cloud computing environment where CPU, bandwidth and storage are private to one customer (perhaps your own data center or a remote data center that you have a contact with). Since Amazon VPC only offers private access but shared CPU, bandwidth and network it’s not a true private cloud."

    I think it's humorous that people are looking at AWS' VPC as a destination rather than simply the first in this journey.

    Regardless of who you are voting for, Private Cloud has been further legitimized with this important step.


  15. August 27th, 2009 at 17:05 | #15

    Interesting blog post! Maybe it's not clear to folks who have not been in the market that for some time now (~1 year?) enterprises have been falling in love with cloud computing. "Cloud? Yeah, I want one! I mean, I want my own. My own private cloud." Of course by and large they didn't know what a cloud really is, never mind a private cloud, nor did they really know why they needed a private cloud. But it was clear that trying to get everyone into an EC2-like public cloud was going to be like pushing rope. We felt it, and clearly Amazon heard it too.

    Amazon's VPC is clearly their answer to the often knee-jerk "I want a private cloud" reaction. It clearly only goes part-way. We can all debate until we're blue in the face whether it's enough or not. I believe the truth is that there will be a whole range of solutions and that all of them will find lots of buyers. I'm convinced that in the long run the number of private/in-house clouds will trend to zero, the question is really about the time-frame. I'm sure it's gonna be long enough for a couple of generations of startups to come and go…

    The first time I thought about the concept of a private cloud I immediately rejected it for similar reasons as Werner mentions (but he phrases them damn well). But he forgets about something that I believe is a key ingredient in 'cloud', which is that it is fully automatable, by which I mean that all layers of the stack, from an IP address all the way to a multi-server, multi-datacenter cluster can be fully managed through automation. This is the technical innovation that enabled a new generation of systems management services like RightScale to exist. Werner dismisses that by saying "Virtualization and increased automation may give them some improvements in utilization, but they would still be holding the capital, and the operational cost would still be significantly higher." What he conveniently overlooks is that if you can't use an outsourced "true" cloud for whatever reason, you can still benefit tremendously by moving to a private cloud and reaping the reduction in management cost and increase in flexibility.

    Across the board I believe that we will see all permutations of virtual, physical, in house, public, private hybrid, outsourced, whatever clouds. The question really boils down to which should you sell or buy, depending on which side of the equation you are on.
