Let’s talk about Virtual Private Networks in hybrid cloud environments. While working on a big project, like FiFo.cloud (and its VPN), we always try to dogfood our solution. This practice helps us focus on the real problems and not wander off into the land of feature creep. As part of this, we are running systems on Packet, DigitalOcean, OVH, in our test lab and at home.
Managing systems that are spread out like this from one place is quite lovely. That said, we identified one slightly annoying limitation: when creating zones in different locations, connecting them is a huge pain.
The pain of multiple segregated networks destroyed the experience we want to deliver – seamless integration of a multi-cloud or hybrid environment. If you have to set up routes and forward ports, it is not the experience we want to provide or use ourselves.
FiFo.cloud VPN
Enter FiFo.cloud VPN! Thinking about how to solve these problems, we looked at a few solutions and weighed the pros and cons of the different possibilities. In the end, we decided that a mesh VPN is pretty close to what we would want ourselves. Anyone who has ever set up a VPN knows that it is not exactly something that falls into the category of “fun” (spoiler: it is not). Instead, it is boring, error-prone legwork – so we automated it. FiFo.cloud can create a full mesh VPN over all your hosts. All you have to do is activate the VPN feature and select the hosts to enable it on!
The design
The FiFo.cloud VPN is built on two ideas. First, it is split into two separate planes: control and data. Second, it keeps the data close to your hosts: packets take the direct route between them instead of having to go through a central VPN endpoint. Not only does that keep traffic down, it also optimizes latencies. In other words, network performance, both throughput and latency, depends solely on the connection between your hosts, not on our network. Last but not least, it allows us to keep costs down.
However, this is not all! You are not merely limited to a VPN connecting your hosts. With FiFo.cloud you can now create overlay networks that span this VPN, making it one big transparent network. As a result, it is possible to treat a multi-cloud or hybrid-cloud setup as one big installation.
Limitations
We believe we should never just mention ‘the good.’ In the end, all technological decisions are tradeoffs, and it is important to be clear about them. So let’s take a moment to look at what the FiFo.cloud VPN is not.
First and foremost, FiFo.cloud VPN is not a consumer product. The VPN is a tool for experts, specifically designed to serve one need: interconnection in hybrid or multi-cloud setups. In the same sense, it is not a privacy tool: the mesh design and the fact that we do not route traffic mean that connections between your hosts are connections between your hosts. Moreover, while links are encrypted to protect against eavesdropping, the connection metadata remains intact.
Coming right back to the last point, the FiFo.cloud VPN does not route traffic. As a result, we do not provide gateways or exit nodes on it. You can of course set up your own gateways for overlay networks, but that is something that has to happen in your own infrastructure.
Throughput is another thing to keep in mind. Using a VPN will reduce throughput compared to an unencrypted connection. While it might not make that much difference in a multi/hybrid cloud setup, remember: if it is crucial, benchmark it yourself. Again, given the decentralized architecture, no single choke point needs to carry the full throughput of the network. The link between the nodes talking to each other is the determining factor for network speed.
Last but not least, you are responsible for your traffic. With the FiFo.cloud VPN we do not provide dedicated interconnects between cloud providers! In other words, for all traffic generated on your VPN, your providers’ normal ingress and egress rates apply.
Interested? Say Hi!
At the time of writing, the FiFo.cloud VPN is in a closed beta. Internally we already use the FiFo.cloud VPN with great success. However, we want to make sure edge cases are covered before rolling it out more broadly. So if you are interested and want to give it a try, or talk to us about it – let us know (mail support at project-fifo dot net or use the little ‘Help’ button at the bottom of fifo.cloud).