Amazon VPC, a not so private private cloud?

My next post was going to start defining the security referee concept I came up with previously, but something much more interesting happened today: Amazon Web Services announced its newest addition, Amazon Virtual Private Cloud (VPC), which adds a new dimension to Amazon's cloud service offerings. Based on the information available, Amazon VPC works much the same way existing Amazon EC2 instances work, with the very important exception that access to your EC2 instances is isolated within Amazon's web services cloud network. To access your VPC instances you create an IPsec VPN tunnel between your organization and Amazon. Once set up, EC2-VPC instances behave exactly like a local system on your network would, with whatever IP address you want to give them (including RFC 1918 addresses, but not IPv6 addresses).

At first glance Amazon VPC is a significant new offering, as it places you in direct control over the traffic entering and leaving your EC2-VPC instances (aside from the obvious caveat that you are still trusting Amazon to configure and maintain things correctly on their end) and opens the door to in-the-cloud hosting of all sorts of applications that previously you would only consider hosting internally. But is Amazon's Virtual Private Cloud really private?

You might mistakenly assume that EC2-VPC equals private and therefore dedicated resources, but you would be wrong. Your EC2 instance may only be reachable by you over your VPN tunnel, but it is running alongside one or more public instances and using the same networking equipment. You might say this is obvious (it wouldn't be scalable for Amazon if it weren't), but for most people the definition of "private cloud" means a dedicated cloud computing environment where CPU, bandwidth and storage are private to one customer (perhaps your own data center, or a remote data center that you have a contract with). Since Amazon VPC only offers private access but shared CPU, bandwidth and network, it's not a true private cloud. Amazon also plans to eventually allow VPC instances to selectively have direct access to the Internet if you wish.
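The one part of the "private" claim that you can actually verify from your side is the network half: that your VPC address space is RFC 1918 and that every route out of it goes either to "local" or to the VPN gateway, with no Internet gateway attached (the direct-Internet option Amazon says it plans to add is exactly what such a check would catch). The following is an added example written for this post, not Amazon's code or tooling. It audits two constructed VPC descriptions whose shape loosely mirrors the EC2 API's VPC, route table and Internet gateway output; the identifiers, CIDRs and the exact dictionary layout are assumptions for illustration. It says nothing about the shared CPU and bandwidth point, which is not visible in any configuration you control.

```python
import ipaddress

# Constructed sample data for this example: two VPC descriptions shaped roughly
# like EC2 API output for VPCs, route tables and internet gateways.
# Every identifier and address below is invented for illustration.
VPN_ONLY_VPC = {
    "VpcId": "vpc-vpnonly",
    "CidrBlock": "10.0.0.0/16",
    "InternetGateways": [],  # no internet gateway attached
    "RouteTables": [
        {
            "RouteTableId": "rtb-vpnonly",
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                # the corporate network, reached only over the IPsec tunnel (VPN gateway)
                {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "vgw-corp"},
            ],
        }
    ],
}

LEAKY_VPC = {
    "VpcId": "vpc-leaky",
    "CidrBlock": "172.16.0.0/16",
    "InternetGateways": ["igw-leaky"],
    "RouteTables": [
        {
            "RouteTableId": "rtb-leaky",
            "Routes": [
                {"DestinationCidrBlock": "172.16.0.0/16", "GatewayId": "local"},
                # default route straight to the internet gateway: no longer VPN-only
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-leaky"},
            ],
        }
    ],
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr):
    """True if every address in cidr lies inside a single RFC 1918 block.
    IPv6 prefixes are never RFC 1918 (and VPC offered no IPv6 at the time)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        return False
    return any(net.subnet_of(block) for block in RFC1918)


def audit_vpc(vpc):
    """Return a list of findings. An empty list means the VPC uses private
    addressing, has no internet gateway attached, and every route targets
    either 'local' or a VPN gateway (vgw-*), i.e. it is reachable only over
    the IPsec tunnel."""
    findings = []
    if not is_rfc1918(vpc["CidrBlock"]):
        findings.append(f"{vpc['VpcId']}: CIDR {vpc['CidrBlock']} is not RFC 1918")
    for igw in vpc["InternetGateways"]:
        findings.append(f"{vpc['VpcId']}: internet gateway {igw} attached")
    for rtb in vpc["RouteTables"]:
        for route in rtb["Routes"]:
            dest = route["DestinationCidrBlock"]
            target = route.get("GatewayId", "")
            if target == "local" or target.startswith("vgw-"):
                continue
            findings.append(f"{rtb['RouteTableId']}: {dest} routed via {target}")
    return findings


if __name__ == "__main__":
    for sample in (VPN_ONLY_VPC, LEAKY_VPC):
        print(sample["VpcId"], audit_vpc(sample) or "VPN-only")
```

Run against real output you would feed the audit the VPC, its route tables and the list of Internet gateways attached to it, and treat any finding as a reason the VPC is no longer "private" in even the narrow network sense the post allows it.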

So what is Amazon really offering here? Is the only new thing the addition of a hardware-based VPN tunnel and a private VLAN? Perhaps, and perhaps a better name for Amazon's service is Amazon Virtual Private Network Cloud, because it seems the network might be the only private part of this offering.

Unfortunately, the debate over cloud computing definitions still rages on (I support the NIST definitions), and the term "private cloud" is getting a lot of attention because some claim there can be no such thing. I, however, have a good example of a private cloud that exists today: the HP Next Generation Data Center (NGDC) project. The HP NGDC is a multi-year project at HP to consolidate the hundreds of data centers it has spread all over the world down to just a handful that embody all the properties of modern cloud computing. It's elastic, it scales, it's multi-tenant and, best of all, it's running today. When I was at HP I was involved in several projects to move the SPI Dynamics applications (including the HP SmartUpdate software update solution I helped design) into the HP NGDC. I'm happy to say that move was completed several months ago, and if you are an HP Application Security customer, you are using the HP private cloud; you just didn't know it.

Here is the million dollar question: HP, why are you not advertising this? You have a huge cloud in your backyard and haven't noticed it. Hey Russ Daniels Eliav Levi (HP's new CTO Cloud Computing), call me and let's talk. ;)

So while Amazon's VPC is not a dedicated offering and not as private as a true private cloud, I still think it's a good step in the right direction for cloud computing infrastructure-as-a-service (IaaS) providers. VPC might not offer the dedicated, truly private environment you might want to reserve for running your Windows Domain Controller, but it's perfect for replacing all those QA labs and various "lab" systems that see very low utilization but need an additional layer of protection before they can move into the cloud. In fact, it's these environments that Amazon VPC might just be perfect for. But truly private? That's up for debate.

Update: Apparently I'm not the only one thinking VPC is not so private; read Cloud Pulse: Amazon VPC pees in pool, not just on fire hydrant