Amazon is again moving the cloud world forward a number of notches. Just as soon as the competition catches up, they hit the turbo button and shoot forward, leaving the rest in their dust. Today they have announced what I believe is one of the biggest features of their AWS offering to date: the ability to run a virtual private cloud within their public cloud.
What does it all mean? In a nutshell, it is a service that ring-fences a set of Amazon EC2 instances into their own isolated network, with the IP addresses coming from you, not Amazon. These instances are not reachable from the public internet or from the rest of EC2, and the isolation goes so far that Amazon Security Groups do not apply inside the private cloud at all, so any filtering between instances has to be done with host firewalls or at your own premises.
They achieve this by offering an IPsec VPN endpoint that connects your network to your new private Amazon network. You set up the private cloud by declaring which subnets it will handle, and then you decide, at your premises, which traffic is routed over the VPN connection to that cloud.
Data in and out of the virtual private cloud moves only through the VPN connection, and therefore through your data center. It is literally an extension of your existing infrastructure: instead of building out that second rack of servers, you can build it out at Amazon, with all your existing network policies and controls still in the path.
Sadly, even though it is your private network with your IP addresses, you still cannot multicast or broadcast to your instances, which is a shame. That remains one of the most annoying limitations of Amazon (although, in fairness, many other cloud providers share it), and anything that relies on broadcast-based discovery will need to be reconfigured to use unicast.
Charging follows the usual pay-as-you-go model: $0.05 for every hour the VPN connection is up, plus their usual data transfer rates for data in and out.
This service is not suited to running high-traffic public servers, as every packet has to flow through your data center and up the VPN connection, and Elastic Load Balancing and Auto Scaling are not available to EC2 instances within the private cloud. Naturally, Elastic IP addresses make little sense in this world either, since the instances have no public-facing interface.
Amazon Virtual Private Cloud comes at the right time for any IT department faced with a shrinking budget but a growing demand for processing, and not wishing to stretch VMware any further over the little spare hardware it does have.
At the moment the service is in limited beta and Amazon is not offering an SLA, so it is not something you can rely on just yet.
There are also a few kinks in the system. For example, the private cloud is completely isolated from both the public internet and the rest of the Amazon network, so talking to Amazon S3, for instance, goes out through the VPN, through your data center, and back to Amazon. You can argue for and against that design: every byte is subject to your own egress controls, but you pay for the round trip in latency and bandwidth. Plans are afoot to give the private cloud direct internet access via a dedicated gateway.
Secondly, IP addresses within the private cloud are randomly assigned from your subnet when you launch an EC2 instance. Hopefully this will be short-lived, as it is a real problem for a data center that wants only specific IP addresses to be running inside the private cloud, for instance because firewall rules or access lists are keyed on them.
Finally, the service is only available in their East Coast data center, so Europeans concerned about the physical location of their data will have to wait.
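The address planning and routing behaviour described above (the subnets you hand to the private cloud, what your premises carry over the VPN, the S3 hairpin, and the check that an instance's randomly assigned address landed in a subnet you intended) can be modelled in a few lines. The following is an added example written for this post, not code from the original article or from Amazon; all subnet values are constructed, and the next-hop labels are hypothetical names for the routing decisions, not AWS identifiers.

```python
"""Address planning and routing model for a VPN-attached private cloud.

Added example, not code from the original post or from Amazon. It models
two decisions the post describes: the address ranges you hand to the private
cloud come from your own plan (so they must not overlap what you already
use), and your premises' route table decides which destinations are carried
over the IPsec tunnel. All subnet values below are constructed.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

Network = ipaddress.IPv4Network

# Constructed sample plan (hypothetical values, not from the post).
ONPREM_SUBNETS = ["10.0.0.0/16", "10.1.0.0/16", "192.168.10.0/24"]
VPC_CIDR = "10.2.0.0/16"                         # block you hand to the private cloud
VPC_SUBNETS = ["10.2.1.0/24", "10.2.2.0/24"]     # subnets you define inside it
BAD_VPC_SUBNETS = ["10.2.1.0/24", "10.1.5.0/24"] # second one collides with on-prem 10.1.0.0/16


def parse(nets: Iterable[str]) -> List[Network]:
    return [ipaddress.ip_network(n, strict=True) for n in nets]


def find_overlaps(proposed: Iterable[str], existing: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (proposed, existing) pairs whose ranges overlap.

    An overlap means a destination could match both a tunnel route and a
    local route, so traffic for one side silently ends up on the other.
    """
    return [(str(p), str(e)) for p in parse(proposed) for e in parse(existing) if p.overlaps(e)]


def subnets_outside(vpc_cidr: str, subnets: Iterable[str]) -> List[str]:
    """Subnets that are not contained in the private cloud's address block."""
    block = ipaddress.ip_network(vpc_cidr)
    return [str(s) for s in parse(subnets) if not s.subnet_of(block)]


def premises_routes(onprem: Iterable[str], vpc_subnets: Iterable[str]) -> Dict[Network, str]:
    """Route table at your data center (hypothetical next-hop labels).

    On-prem ranges stay local, the private cloud subnets point at the IPsec
    tunnel, everything else takes the default route to the internet edge.
    Only prefixes listed against the tunnel are ever carried over the VPN.
    """
    table = {n: "local" for n in parse(onprem)}
    table.update({n: "ipsec-tunnel" for n in parse(vpc_subnets)})
    table[ipaddress.ip_network("0.0.0.0/0")] = "internet-edge"
    return table


def next_hop(table: Dict[Network, str], dst: str) -> str:
    """Longest-prefix match, as a router would do it."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Network] = None
    for net in table:
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    assert best is not None  # the default route guarantees a match
    return table[best]


def vpc_instance_next_hop(vpc_cidr: str, dst: str) -> str:
    """Route decision inside the private cloud at launch: the only exit is the
    VPN gateway, so anything outside the block, S3 included, hairpins through
    your data center."""
    block = ipaddress.ip_network(vpc_cidr)
    return "local" if ipaddress.ip_address(dst) in block else "vpn-gateway"


def in_expected_subnet(assigned_ip: str, allowed_subnets: Iterable[str]) -> bool:
    """Check that an instance's randomly assigned address landed in a subnet you intended."""
    addr = ipaddress.ip_address(assigned_ip)
    return any(addr in n for n in parse(allowed_subnets))


if __name__ == "__main__":
    print("overlaps with bad plan:", find_overlaps(BAD_VPC_SUBNETS, ONPREM_SUBNETS))
    table = premises_routes(ONPREM_SUBNETS, VPC_SUBNETS)
    for dst in ("10.2.1.45", "10.0.7.9", "203.0.113.10"):
        print(f"from premises to {dst}: {next_hop(table, dst)}")
    for dst in ("10.2.2.7", "203.0.113.10"):
        print(f"from VPC instance to {dst}: {vpc_instance_next_hop(VPC_CIDR, dst)}")
```

Two things are worth noticing when you run it. A destination inside the private cloud's block but outside any subnet you actually defined (10.2.9.9 above) falls through to the default route at your premises, because only the declared subnets were routed at the tunnel; and from the instance side every non-VPC destination, including the 203.0.113.10 stand-in for S3, leaves via the VPN gateway, which is the round trip the post describes.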
Amazon have done it again. Once these kinks have been ironed out, and if they can prove to the world that the network really is isolated, this service will dramatically change how we think about private versus public cloud when designing the next evolution of the data center.