Public cloud infrastructure-as-a-service (IaaS) providers, such as Amazon AWS, Microsoft Azure, Google GCP and Oracle OCI, allow organizations to use virtualized computing resources that are provisioned on-demand. Because Banyan Access Tiers can be deployed independent of the underlying network and managed via the Cloud Command Center, they can be integrated seamlessly into any IaaS environment.
Since each IaaS account can have multiple Virtual Private Clouds (VPCs) and span multiple geographic regions, a common IaaS deployment model is to treat every VPC as an isolated network segment and deploy an Access Tier per VPC.
In an Isolated VPCs deployment, we typically have:
*.myapp.corp.example.com) that is used in the fully qualified domain name (FQDN) for services in that VPC. You can create specific DNS entries for services that cannot follow this FQDN convention.
A key security benefit of Isolated VPCs deployments is that we can eliminate almost all East-West lateral movement. Even if an attacker were to establish a foothold inside a VPC, they could not move laterally into another VPC.
Another common IaaS deployment model is to designated a single VPC as an Ingress VPC and use VPC Peering to direct Internet traffic to other internal Application VPCs.
In a Designated Ingress VPC deployment, we typically have:
Because the Ingress VPC is peered to all internal Application VPCs, it needs to be thoroughly secured.
In more complex IaaS deployments that involve multi-region or multi-account connectivity, organizations may choose to use a dedicated network router - such as AWS Transit Gateway - to enable peering and routing between different VPCs.
In IaaS deployments that involve hybrid cloud connectivity, organization also use network routers - such Cisco ASA and/or AWS Transit Gateway - to connect datacenters and IaaS VPCs.
Banyan’s Access Tiers can be integrated seamlessly into these types of complex network topologies as well, because they run independent of the underlying network.