AWS Partner Network (APN) Blog
Enabling Business Partners to Access AWS Applications with Alkira’s Extranet-as-a-Service
By Misbah Rehman, Sr. Director Product Management – Alkira
By John Brunot, Partner Solutions Architect – AWS
By Andrew Johnson, Solutions Architect – AWS
When companies decide to collaborate, they often need to share digital resources. An extranet provides a mechanism for sharing that information in a secure fashion. In simple words, think of an extranet as a secure bridge between businesses, one that is especially useful for businesses using cloud platforms like Amazon Web Services (AWS).
Previously, companies relied on physical data centers. Organizations expanded the reach of data centers to other businesses using hardware equipment and private connections. This allowed for sharing applications and other network resources within a partner’s networks.
When companies migrate to public cloud service providers like AWS, they need to use new mechanisms outside of hardware and private connections. Some of these include virtual routers, firewalls, and other cloud-based networking services like AWS Cloud WAN and AWS Transit Gateway (TGW).
In this post, we will focus on extranet scenarios where customers' applications are in AWS. We'll also discuss various ways to use an extranet and the traditional approaches to supporting it. We will then introduce Alkira's new Extranet-as-a-Service (EaaS) solution. Finally, we'll give an example of a customer deployment and explain the benefits of using Alkira EaaS.
Alkira is an AWS Specialization Partner and AWS Marketplace Seller with the Networking Competency. Alkira reinvents networking for the cloud era and allows enterprises to build networks with cloud-like speed, agility, and scale.
Common Use Cases for Extranet
In the digital age, collaboration is no longer nice-to-have; it’s a must. Here are some common use cases for extranet:
- Enabling partner access: This scenario involves allowing vendors, suppliers, contractors, or technology partners to use your internal applications. Keeping things secure is very important, as you should only allow access to what’s necessary. We’ll discuss how Alkira can help secure your AWS applications.
- Mergers and acquisitions: During mergers and acquisitions, extranet is widely used for securely integrating different networks.
- Managed IT: Managed IT services often require deploying extranet to provide secure access to applications and resources for customers.
Challenges in Traditional Approach to Extranet
In the past, companies used their own data centers to connect to partners' networks. Shared applications and resources usually lived there, and companies shipped routers to partner locations to make the connection. They then extended connectivity using an IPsec virtual private network (VPN) or private multi-protocol label switching (MPLS) connections. This requires configuring firewalls and routers to secure and isolate partner networks from internal networks.
Figure 1 – Legacy extranet design for connecting partners to internal applications.
This approach has limitations, especially for cloud-based applications. Customers don’t want to route traffic through on-premises data centers because it can introduce latency and complexity. Likewise, building and managing similar cloud systems is hard.
Hence, there’s a need to have an extranet solution that aligns with specific cloud-native options and architectures.
Alkira’s Extranet-as-a-Service
You can learn more about Alkira’s solution in general by reading this AWS blog post. Alkira’s solution provides the following capabilities:
- Worldwide connectivity: Alkira's network connects businesses globally, allowing them to share resources quickly and reliably.
- Segmentation for security: Partnerships may differ in terms of trust levels, but Alkira’s segmentation ensures each partner gets their own isolated network.
- Network address translation (NAT): Many customers might utilize overlapping IP address space, but Alkira’s NAT feature allows enterprises to manage IP conflicts across partners gracefully.
- Integrated security: Alkira’s marketplace offers firewall solutions from top security partners. Enterprises can select the partner of their choice to inspect traffic going towards Amazon Virtual Private Cloud (VPC).
To understand how Alkira’s EaaS works, let’s look at a customer’s use case where they want to design and put in place a partner integration solution with Alkira. This will allow their partners to have access to AWS-hosted applications.
- Alkira connects partner applications, users, and sites to its global Cloud Exchange Points (CXPs). These are global interconnection hubs designed to facilitate secure and seamless connectivity between different businesses, data centers, and cloud environments. CXPs are available in all AWS regions, which minimizes latency and addresses data localization requirements.
- EaaS separates partners into different network segments, which creates separate routing domains. Applications dedicated to a single partner can be mapped directly into that partner's segment, as shown in Figure 2.
Figure 2 – EaaS separates partners into different segments.
- Where applications are shared across different partners, it's recommended to have a separate shared application segment. Each partner stays in its own segment, and Alkira's resource sharing capability then exposes the shared applications to the partners that need them, as depicted in Figure 3.
Figure 3 – Resource sharing capabilities to share applications across different partners.
- To prevent IP address conflicts, NAT options are also available.
- Alkira's solution allows for flexible connectivity options to terminate partner networks. You can connect partner devices or users using IPsec, SD-WAN, MPLS, or Secure Connect (Alkira's remote access solution).
- To implement security, customers can deploy firewalls from top security vendors through Alkira’s marketplace. These firewalls inspect traffic directed by CXP to and from the partner network before it reaches the Amazon VPC application.
Enabling Alkira’s EaaS for AWS-Hosted Application
The real value of any service shines in real-world use cases. A particular FinTech firm's journey with Alkira paints this picture in two use cases: merger and acquisition (M&A), and partner access.
When this customer merged with another group, they faced two problems: sharing resources and overlapping internal IP address spaces. In the case of partner access, they wanted to connect users and applications within their own and their partners' networks.
Use Case: Mergers and Acquisition
The acquisition mandated the consolidation of critical shared services between the companies, utilizing the AWS-hosted services of the parent company. This required the acquired company’s network to communicate with the parent company’s networks, which was achieved through Alkira’s resource sharing functionality.
This allowed for selective or complete sharing of resources between network segments. Only the parent company’s shared service VPC was integrated into the acquired company’s network.
In addition, the FinTech needed to address overlapping IP addresses between the networks. By implementing Alkira's NAT feature, they avoided potential communication issues. For the acquired company to access shared services like domain name system (DNS) and dynamic host configuration protocol (DHCP) in the parent company's network, communication was initiated from the acquired company's side, using Alkira's Port Address Translation (PAT) for the overlapping addresses and 1:1 static NAT for the shared services.
Figure 4 – FinTech’s architecture utilizing shared services and NAT.
Use Case: Partner Access
In addition to providing connectivity between the parent and acquired company, the FinTech client leveraged Alkira to simplify partner access to their internal systems, facilitating user-to-application and application-to-application connections. They also established connections to partner sites through AWS Direct Connect or IPsec from branch locations.
For application-to-application links, partners had two options: integrate their Amazon VPCs via Alkira's cloud connector, or connect via IPsec to their AWS Transit Gateways or Virtual Gateways without sharing cloud credentials.
To maintain security and separation, Alkira’s traffic policies were set to block all intra-partner access by default, connecting partners using an extranet segment. Alkira’s NAT was implemented to prevent IP address conflicts.
Furthermore, all partner traffic was mandated to pass through a firewall—deployed from Alkira’s marketplace—before entering the client network, ensuring compliance with their stringent security requirements.
Figure 5 – Partner access to FinTech applications with stateful inspection.
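The following is an added example, not Alkira's code or configuration, that models the two controls described in the M&A and partner access use cases above: 1:1 static NAT to give each partner segment a distinct outside range when their inside ranges overlap, and a default-deny segment policy that permits only partner-to-shared-services flows routed through the inspection firewall. All prefixes, segment names, and the `SEGMENTS` table are constructed for illustration.

```python
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed example: parent shared-services VPC plus two partner segments.
# Both partners use 10.0.1.0/24 internally, so each gets its own 1:1 static
# NAT pool (100.64.x.0/24) and the shared-services side never sees a conflict.
SHARED_SERVICES = ip_network("10.0.50.0/24")
SEGMENTS = {
    "partner-a": {"inside": ip_network("10.0.1.0/24"), "outside": ip_network("100.64.1.0/24")},
    "partner-b": {"inside": ip_network("10.0.1.0/24"), "outside": ip_network("100.64.2.0/24")},
}


def overlapping_segments():
    """Return partner pairs whose inside ranges overlap (why NAT is required)."""
    names = sorted(SEGMENTS)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if SEGMENTS[a]["inside"].overlaps(SEGMENTS[b]["inside"])]


def static_nat(segment, src):
    """1:1 static NAT: keep the host offset, swap the inside prefix for the outside pool."""
    seg = SEGMENTS[segment]
    addr = ip_address(src)
    if addr not in seg["inside"]:
        raise ValueError(f"{src} is not inside {segment}")
    offset = int(addr) - int(seg["inside"].network_address)
    return str(IPv4Address(int(seg["outside"].network_address) + offset))


def destination_segment(dst):
    """Classify a destination as shared-services, a partner's outside pool, or unknown."""
    addr = ip_address(dst)
    if addr in SHARED_SERVICES:
        return "shared-services"
    return next((n for n, s in SEGMENTS.items() if addr in s["outside"]), None)


def forward(src_segment, src, dst):
    """Extranet policy: default deny; partner -> shared-services only, via the firewall."""
    dst_segment = destination_segment(dst)
    allowed = src_segment in SEGMENTS and dst_segment == "shared-services"
    if not allowed:
        # Intra-partner and unknown destinations are blocked by default.
        return {"action": "deny", "src_segment": src_segment, "dst_segment": dst_segment}
    return {"action": "allow", "translated_src": static_nat(src_segment, src),
            "dst": dst, "inspect": True}  # inspected before reaching the application VPC


if __name__ == "__main__":
    print(overlapping_segments())
    print(forward("partner-a", "10.0.1.10", "10.0.50.5"))
    print(forward("partner-a", "10.0.1.10", "100.64.2.10"))
```

Running the block shows the two partners' inside ranges overlapping, the same host 10.0.1.10 translating to different outside addresses per segment, and the partner-to-partner flow being dropped.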
Benefits of Alkira’s EaaS
Across all of the capabilities, Alkira’s extranet-as-a-service solution provides customers:
- Hassle-free “as-a-service” platform, eliminating the challenges of a suboptimal do-it-yourself extranet solution.
- Global deployment, locally in the same region as your AWS application.
- Enterprise-grade security, supporting segmentation, micro-segmentation, and service insertion capabilities.
- Resource sharing between partner segments and application segments.
- Addressing IP address overlap issues with NAT.
- Flexible connectivity options for partner networks.
- Centralized control and management, advanced monitoring, visibility, and troubleshooting tools via Alkira’s portal.
Conclusion
Alkira offers a complete platform for EaaS. It allows secure access to AWS cloud applications from outside your network. Whether it’s partners, customers, contractors, or another company’s network, Alkira can assist businesses seeking a simplified and scalable EaaS solution that works worldwide.
To get started, visit Alkira’s AWS Marketplace listing or Alkira’s website.
Alkira – AWS Partner Spotlight
Alkira is an AWS Specialization Partner that reinvents networking for the cloud era and allows enterprises to build networks with cloud-like speed, agility, and scale.