ITProtoday.com presents Vol.

2, Issue 9 October 2019

Get Started with Multicloud

Integration, Management
and Optimization
Few enterprises have a wholly
homogenous cloud environment.
Here’s how IT professionals can best
integrate, maintain and optimize
their heterogeneous platforms.
By Christopher Tozzi

Copyright ©2019 Informa USA, Inc., All Rights Reserved

 PREV NEXT

CONTENTS The Goals of Multicloud Architectures. . . . . . . . 3

Two Categories of Multicloud
Workload Deployments. . . . . . . . . . . . . . . . 4
Integrating Multicloud Workloads . . . . . . . . . 5
Monitoring in Multicloud Environments . . . . . . 6
How to Optimize Workload Performance
in a Multicloud Environment . . . . . . . . . . . . . 7
Upgrading and Expanding Multicloud
Environments. . . . . . . . . . . . . . . . . . . . . 9
What It Takes to Secure a Multicloud
Architecture. . . . . . . . . . . . . . . . . . . . 10
Identify Anti-Patterns in Multicloud
Architecture. . . . . . . . . . . . . . . . . . . . 11
Balancing the Benefits Against
the Challenges . . . . . . . . . . . . . . . . . . . 12
TABLE OF

ITPro Today Issue #9 • October 2019 • Visit us online at itprotoday.com 2

T The Goals of Multicloud
he world is more than a decade
into the age of cloud computing Architectures
and having just one cloud is often Managing a multicloud environ-
no longer enough. Instead, enterprises are
ment starts with understand-
increasingly adopting heterogeneous cloud
ing the goals that multicloud is
architectures that combine resources and
intended to deliver. Since more
services from multiple public and private
clouds mean more risk and
clouds. In many cases, those clouds exist
more complexity to manage, the
alongside, and must integrate with, on-
decision to add multiple clouds
premises infrastructure as well.
to an infrastructure should not
Managing one cloud in a way that ensures be made haphazardly; it should
reliability, performance and cost-efficiency is instead reflect specific business
challenging enough. But when an enterprise goals that are best served by
introduces multiple clouds from different using more than one cloud.
vendors into its infrastructure, the difficulties
of maintaining and integrating cloud-based There are several such goals
resources multiply. that might push an enterprise to
implement a multicloud archi-
Enterprise IT organizations must implement tecture. One common goal is to
solutions that let them monitor, analyze and reduce cloud computing overhead
secure multicloud environments effectively. by finding the most cost-effective
They must also adopt processes for upgrad- options from the cloud service
ing and expanding infrastructures composed menus of multiple vendors. By
of disparate clouds. increasing the number of options
This report, intended as a guide to multicloud management, available, multicloud helps enterprises establish a configuration
examines these challenges and their solutions. It discusses of services that serves their needs at the lowest cost. Achieving
the various tasks and considerations that arise in a multi- optimal return on infrastructure spending can be more difficult
cloud environment and identifies best practices for address- when a business is locked into just one cloud vendor and thus
ing them in ways that help enterprises achieve the goals that has no opportunity to comparison shop when adding a new
typically lead them to pursue multicloud infrastructures. type of cloud service.

ITPro Today Issue #9 • October 2019 • Visit us online at itprotoday.com 3

 A second common reason for adopting mul-
ticloud is to gain access to different services
offered by different vendors. Although core
cloud computing services, such as virtual
When an enterprise introduces
server and container hosting, are available
from all major cloud vendors, some clouds
multiple clouds from different vendors
offer specialized types of services that are
not available from competitors; others may into its infrastructure, the difficulties of
maintaining and integrating cloud-based
offer specific configurations that are propri-
etary only to one vendor. For example, one
cloud may offer a certain type of container
orchestrator or Linux distribution that is not resources multiply.
supported by other clouds.
Third, multicloud architectures have also deeply dependent on that cloud vendor’s fall into one of two categories. The first
become popular as a way to improve the re- tools and services. Not only does that involves deploying the same workload on
liability and availability of cloud-based work-
make migration to other clouds difficult, it two or more clouds simultaneously. For
loads. When workloads are spread across
also presents possible budget risks when example, a business might store copies of
multiple clouds at the same time, disruptions
the vendor raises costs. Using multiple the same data in both AWS S3 and Azure
to those workloads are less likely, because
clouds inherently pushes businesses to Storage. By spreading data across multiple
if one of the clouds hosting the workload
fails, the other still remains available.This adopt practices and tools that are cloud-ag- clouds, that business would gain greater
availability is predicated upon the workloads nostic and can be used on any cloud. By availability and reliability, while paying the
being configured in such a way that they can extension, if a multicloud business chooses higher costs that arise from mirroring data.
continue running even if one cloud fails. in the future to swap one cloud vendor for The other main type of multicloud deploy-
another, or to migrate a particular workload ment pattern: running multiple workloads
Finally, multicloud strategies help enter- to a new cloud, it is typically easy to do so
prises mitigate the risk of vendor lock-in. at once, with some workloads running
without the encumberment of lock-in. in one cloud and the others in another
Although it is certainly possible to develop
a single-cloud strategy that gives a business cloud. This approach provides the cost
the freedom to move workloads to anoth- Two Categories of Multicloud efficiency and cloud agnosticism benefits
er cloud without great difficulty, it is also Workload Deployments described above, but it does not make
easy when using just one cloud to become Most multicloud workload deployments individual workloads more reliable than

ITPro Today Issue #9 • October 2019 • Visit us online at itprotoday.com 4

 they would be if the business used just a
single cloud.
It’s possible to use both types of deploy-
ment strategies at once, too. Some work-
loads might be distributed across multiple
clouds to maximize availability, while
others are hosted in one cloud or another,
depending on which cloud offers the best
pricing for a given use case.
Integrating Multicloud Workloads
No matter whether workloads are dis-
tributed across clouds, or an enterprise
chooses to use different clouds to host
different workloads, it’s typically necessary
to integrate those workloads with each
other. Integration takes many forms: shar-
ing data between workloads; managing all
workloads from a central monitoring hub;
unifying all workloads within a common
security and access-control framework,
to name just a few examples of common
integrations that make multicloud architec-
tures easier and more efficient to manage.
The chief challenge in achieving multicloud
integration is, generally speaking, cloud
vendors do not go out of their way to
make it easy to integrate a workload run-
ning on one cloud with another workload
hosted on a competitor’s cloud. Most
ITPro Today Issue #9 • October 2019 • Visit us online at itprotoday.com
cross-cloud compatibility tools provided
by cloud vendors focus on importing
workloads from another cloud, rather than
offering support for ongoing integration
between workloads spread across clouds.
Consequently, enterprises typically turn
to third-party platforms or custom-built
solutions for integrating cloud workloads.
There are two main ways to go about
doing this. One is to rely on a type of tool
called a universal control plane, which
abstracts workloads away from the under-
lying clouds that host them. IT teams then
deploy, manage and integrate those work-
loads through the control plane’s interface.
With a universal control plane, businesses
do not need to rely on individual cloud
vendors’ tools to integrate or manage
their workloads; all workloads appear
By increasing the number of options
available, multicloud helps enterprises
establish a configuration of services that
serves their needs at the lowest cost.
to be running in the same infrastructure
because they’re managed in one view.
Crossplane and Kubernetes are examples
of popular tools that can be used to cre-
ate a universal control plane for multicloud
architectures
The chief drawback of using this approach
to integrate multicloud workloads is
business are restricted to the feature set
and operational procedures of whichever
universal control plane is used. For ex-
ample, Kubernetes expects workloads to
be deployed as containers, and it requires
configurations to be managed in a partic-
ular way. Thus, Kubernetes may not be an
excellent multicloud integration solution
for businesses that have workloads to
deploy that cannot be easily containerized,
or whose IT teams lack expertise with
5
 the technical assumptions that Kuberne-
tes makes regarding how environments
should be configured.
Another approach to multicloud integra-
tion is to integrate cloud workloads via a
cloud-agnostic API which allows adminis-
trators to manage workloads using each
cloud’s native tools. Although the native
APIs that cloud vendors provide for their
various services are often easier to use
in conjunction with other services on the
same cloud, most such APIs are stan-
ITPro Today Issue #9 • October 2019 • Visit us online at itprotoday.com
dards-compliant and can connect easily
enough to resources on an external cloud.
Using APIs as the basis for multicloud in-
tegration offers enterprises a more gran-
ular level of control over how workloads
interact between clouds. It also allows
them to take full advantage of the native
functionality of the services on each cloud
they use, since those services are not
abstracted away, as they would be when
using a universal control plane.
However, the API approach also demands
more hands-on effort from IT personnel,
both up front and for maintenance. En-
terprises have to write custom code to
achieve integrations between different
workloads. They also have to maintain
that code and update it whenever cloud
vendors update their APIs.
Monitoring in Multicloud
Environments
The approach that enterprises take to in-
tegrating their workloads on a multicloud
architecture plays a major role in deter-
mining how they will manage and monitor
their environment.
For businesses that use a universal control
plane, the control plane’s management
interfaces and monitoring tools serve as
the basis for configuring and tracking the
environment. Depending on the extent
of the functionality that the control plane
offers natively in this regard, businesses
may or may not also choose to leverage
third-party management and monitoring
solutions that work with the control plane.
To go back to the example of a multicloud
environment created using Kubernetes, an
enterprise may wish to adopt an exter-
nal tool designed to collect data from
Kubernetes, identify anomalies and pro-
6

vide administrators with visualizations or
alerts to help them interpret the health of
their environment. Since Kubernetes itself
provides little in the way of native moni-
toring tools, third-party solutions would be
valuable in this context.
Alternately, if a business creates its own in-
tegrations between multicloud workloads
using APIs, the process of managing and
monitoring the multicloud environment
will be less centralized and may require
more manual effort (while also offering
more control). The business would need
to configure and manage workloads using
either APIs or by working from the man-
The chief challenge in achieving
multicloud integration is, generally speaking,
cloud vendors do not go out of their way to
make it easy to integrate a workload running
on one cloud with another workload hosted
on a competitor’s cloud.
ITPro Today Issue #9 • October 2019 • Visit us online at itprotoday.com
agement consoles of each of the clouds
that it uses; in the latter case, administra-
tors may find themselves having to navi-
gate between different management tools
on different clouds in order to manage the
same multicloud workload.
When it comes to monitoring a mul-
ticloud environment that is integrated
using APIs rather than a universal control
plane, enterprises must typically collect
monitoring data directly from each cloud
that they use, then aggregate that data in
a centralized monitoring tool. Fortunately,
this process is relatively straightforward
and does not require extensive custom
NEXT
programming since most modern cloud-
aware monitoring tools are able to extract
data directly from all of the major public
clouds.
However, it’s often necessary to do a cus-
tom configuration within the monitoring
tools so they work effectively with mon-
itoring data that originated from multiple
clouds. For example, a monitoring tool
may need to be configured to understand
that two databases running on different
clouds are part of the same workload and
should be monitored and analyzed as such
by the APM tool.
How to Optimize Workload
Performance in a Multicloud
Environment
Optimization (of workload performance,
reliability and cost) in a multicloud envi-
ronment boils down largely to planning
and strategy, rather than specific tools or
platforms. Although some APM tools can
help to identify performance bottlenecks,
downtime or cost-inefficiencies in the
ways that workloads are deployed in the
cloud, the greatest performance, reliability
and cost gains to be made in a multicloud
environment are unlocked by making the
right architectural decisions regarding how
workloads are structured and distributed.
7
 PREV NEXT

To optimize performance, enterprises

must first identify the likely bottlenecks
within a multicloud workload. In the case
of applications that are distributed across
clouds and rely on the public Internet to
exchange data between one cloud and an-
other, network bandwidth limitations are
the most common source of performance
problems. Thus, making intelligent deci-
sions about where the network fits within
multicloud workloads is a critical step for
optimizing performance.
Generally speaking, multicloud workloads
will achieve the best performance when
the amount of data they exchange over the
network between clouds (as opposed to
data transferred over a network within the
same cloud) is minimized. Thus, a workload Maximizing reliability (which means the the reliability of this workload would re-
that consists of a virtual server running in ability of a workload to remain available quire hosting instances of both the virtual
one cloud, and a database hosted in an- even if disruptions occur to the infrastruc- machine and the database in two or more
other, is not likely to perform well, because ture hosting it) in a multicloud environ- clouds at the same time, so that if either
data transfers over the Internet between cloud failed, the workload would be avail-
ment requires eliminating single points of
the database and virtual machine will be able from the other cloud.
failure within the architecture of a work-
slow. A better architecture for this type of
workload would be to host the virtual ma- load. The example above of a workload An important consideration for multicloud
chine instance and its accompanying data- that consists of a virtual machine in one reliability optimization is striving to ensure
base in the same cloud, but configure them cloud and a database in another is (in that no part of a workload in one cloud
to failover automatically to another cloud addition to being prone to poor perfor- depends upon a resource in another cloud
if necessary. This approach would improve mance) also not very reliable, because the to work, even if it normally communi-
performance while still taking advantage of failure of either cloud would cause the cates with resources in another cloud. For
multicloud to improve workload reliability. workload to stop functioning. Maximizing example, a business could distribute data

ITPro Today Issue #9 • October 2019 • Visit us online at itprotoday.com 8


across two clouds by mirroring copies of
the same data in both cloud’s storage ser-
vices. If the application that accesses the
data requires both copies of the data to
be available and in sync, a failure in either
cloud would cause the entire workload
to stop working. Instead, the application
should be designed to work even if one
copy of the data is not available. And if
the data copies are not in sync with each
other, the application will need to be con-
figured in a way that allows it to decide
which copy of the data to “trust.”
As for cost optimization in multicloud
architectures, the chief consideration, as
noted above, is for enterprises to make
intelligent decisions about which services
to consume from which cloud vendors,
based on the cost, performance and fea-
ture sets of each vendor. A best practice
when selecting a service is to determine
the essential features or functionality that
the service must deliver to host a given
workload, then look for the cloud provid-
er that offers all of those features at the
lowest cost.
Given the many variables and conditions
that affect cloud pricing, however, finding
the lowest-cost service based on desired
features can be challenging when business-
ITPro Today Issue #9 • October 2019 • Visit us online at itprotoday.com
The API approach also demands more
hands-on effort from IT personnel, both up
front and for maintenance.
es look only at the price lists for different
services. The process can be simplified by
using the cost calculators that most cloud
vendors provide to generate an estimate
of the actual cost of a given workload
running for a certain period under the
configuration that a business would use.
Then, compare that cost with the figures
provided by other providers’ calculators.
Attempting to predict the costs manually
based on price lists leaves an organization
at risk of overlooking some costs (such
as data egress fees, which can be easy to
forget when pricing a cloud service) and
arriving at an inaccurate estimate.
Upgrading and Expanding
Multicloud Environments
Cloud services are always changing their
service offerings, features and prices. Mul-
ticloud architectures must change too in
PREV NEXT
order to remain as effective as possible in
achieving their core goals.
Since multicloud environments and busi-
ness needs vary so widely, there is no
single best practice to follow for upgrading
and expanding multicloud architectures.
However, it is wise for businesses to
reevaluate their multicloud strategies on
a semi-annual or yearly basis, in order to
determine whether the configurations
they are using are still the best fit for their
workloads. They might find that anoth-
er cloud provider has introduced a new
service, or lowered its price for an existing
service, in a way that makes it a more
compelling choice for a given workload,
for example.
It’s worth noting, too, that even services
and prices within the same cloud can
change in ways that impact multicloud
strategies. A business’s cloud storage
9

service might introduce a new storage tier
that is a better fit for a customer’s needs,
for example. Or it may change pricing
for one of its cloud regions, giving extra
incentive to move workloads to a different
region.
In order to maintain the flexibility to
modify or expand multicloud architectures
whenever needed, it is a best practice
to prefer third-party management and
monitoring tools whenever possible, as
opposed to the native tools offered by
cloud vendors. As noted above, third-party
tools make it easier to avoid dependency
on a particular cloud. They also simplify
the process of expanding a workload into
a new cloud.
What It Takes to Secure a
Multicloud Architecture
Securing multicloud architectures is funda-
mentally more challenging than securing
a single cloud or an on-premises environ-
ment. Multicloud architectures simply have
more complexity, and therefore a greater
potential to be misconfigured in a way
that creates security vulnerabilities. In ad-
dition, because multicloud workloads are
often distributed between different clouds
and rely heavily on the network for com-
munication, they are exposed to greater
ITPro Today Issue #9 • October 2019 • Visit us online at itprotoday.com
levels of network-borne threats than are
workloads that exist within a single cloud.
Effectively addressing multicloud security
challenges requires taking a multilayered
approach to security by deploying tools
To optimize
performance,
enterprises must
first identify the
likely bottlenecks
within a multicloud
workload.
and processes that address each of the
threats that could impact a multicloud
environment.
The first layer to secure is the underlying
cloud infrastructures that host multicloud
workloads. Here, the identity and access
PREV NEXT
management, or IAM, tools and frame-
works provided by each cloud vendor are
a starting point, although enterprises can
also take advantage of third-party tools
that can audit IAM configurations for secu-
rity problems.
The multicloud workload itself must be
secured, too, using whichever tools and
processes are appropriate. If a workload
consists of a virtual machine and a data-
base, anyone responsible for securing their
enterprise should take steps to detect and
address vulnerabilities within the operat-
ing system running the virtual machine.
In addition, encrypt and secure the data
associated with the workload.
Ideally, any admin can tackle these tasks
via third-party tools that will work on
whichever cloud or clouds are hosting the
workload. In some cases, it is possible to
encrypt data or manage workload security
using a cloud vendor’s native tools, this
approach is less effective in a multicloud
environment, because no single native tool
will apply to all multicloud workloads.
A third layer to secure is the network.
Here, multicloud security can be particu-
larly challenging, because it is impossible
to define a clear network perimeter in
a multicloud environment where data is
10

exchanged constantly between different
clouds. Thus, the workload cannot simply
be placed neatly behind a firewall in order
to be protected from threats.
But that does not mean firewalls have no
place in multicloud environments. They are
still useful for helping to prevent unautho-
rized access to resources. A general best
practice is to configure a firewall on each
cloud that hosts a workload (or part of
a workload) using a whitelist approach,
which means blocking all traffic by default
and allowing only traffic from endpoints
that are known to be secure. For example,
a cloud firewall could be used to block
all traffic from the public Internet, except
traffic that originates from specific end-
points on an external cloud that are part
of the same workload.
Identify Anti-Patterns in
Multicloud Architecture
Perhaps the best way to think about
successful integration and management
of multicloud architectures is to identify
antipatterns, or counterproductive practic-
es that businesses sometimes follow when
working with multiple clouds.
One common anti-pattern is to use a
multicloud architecture for the simple
purpose of replicating data across multiple
ITPro Today Issue #9 • October 2019 • Visit us online at itprotoday.com
PREV NEXT
geographic areas. Most cloud vendors it will significantly decrease performance
allow data to be distributed automatically or bloat bills. Most cloud providers don’t
across various data centers that they own make information about egress perfor-
in different locations, so that if one data mance and pricing particularly easy to find,
center fails, the data remains available. This so this can be an easy mistake to make.
approach provides virtually the same level
A third anti-pattern to consider: the failure
of data reliability as using multiple clouds.
to integrate on-premises infrastructure
However, georeplication features are with multicloud environments. Although
generally limited to data that is hosted in enterprises that adopt multicloud strate-
the cloud. They don’t support other types gies can run many or most of their work-
of workloads, such as virtual machines. loads in the cloud, it is common for at
Thus, multicloud architectures are a good least some data and applications to remain
solution for businesses seeking to make on-premises for privacy, security, perfor-
entire workloads more reliable by mirror- mance or other reasons. The specific ap-
ing them across different geographic areas. proach that businesses take to connecting
these on-premises workloads with those
Another anti-pattern to spot and break: running in different clouds will vary, so it
don’t plan adequately for data egress rates. is important to keep on-premises com-
Egress refers to data transferred from one patibility in mind and avoid cloud-based
cloud into an external environment, i.e. an adopting tools or services that cannot
on-premises server or another cloud. Not integrate with on-premises resources.
only does sending data out over the Inter-
net introduce a risk of delays (since band- The final multicloud pattern to be wary of:
width on the Internet is typically much failing to evaluate the tradeoffs of multi-
more limited than it is within a cloud’s cloud architectures effectively. Although
internal networks), but it can also steeply multicloud provides important workload
increase cloud computing costs. That is accessibility and reliability and cost efficien-
because, in most cases, cloud providers cy, the tradeoff for these advantages, as ex-
plained above, is added complexity, greater
charge fees every time data egress occurs.
challenges in integrating workloads togeth-
For this reason, it is critical to architect er, a greater risk of security vulnerabilities
multicloud environments in ways that min- and more. Thus, it is crucial to perform a
imize data egress, especially in cases where proper cost-benefit analysis when consid-
11

ering a new multicloud service or work-
load. Pursuing multicloud for its own sake,
rather than because of a clear positive
gain, undercuts the advantages that multi-
cloud architectures can potentially confer.
Balancing the Benefits Against
the Challenges
Multicloud architectures deliver a range
ITPro Today Issue #9 • October 2019 • Visit us online at itprotoday.com
of benefits, but they also impose unique
challenges. IT pros will have to mitigate
the performance bottlenecks and reliabil-
ity shortcomings of workloads that span
multiple clouds; that secure multicloud
environments at every level and layer of
the infrastructure and workload; and that
reflect an intentional, well-planned effort
to realize the benefits of multicloud, with
an understanding of the tradeoffs intro-
PREV
duced by multicloud strategies.
There is extra work involved in Integrat-
ing, managing and optimizing multicloud
environments. But enterprises may benefit
from reducing the risks of vendor lock-in,
taking advantage of vendor-specific fea-
tures from multiple vendors, and enjoying
greater accessibility and reliability among
their enterprise workloads.
12