Seamless Hybrid Cloud Security is Critical for VMware Cloud on AWS

By Warren Wu | August 28, 2017

With last year's announcements of the new VMware Cloud Foundation and of VMware's partnership with Amazon Web Services, it is exciting to see the hybrid cloud truly realized this week at VMworld U.S. with the availability of VMware Cloud on AWS! The cloud team here at Fortinet was equally excited to simultaneously announce that our flagship FortiGate virtual appliance now supports the critical public and hybrid cloud security use cases driven by organizations running VMware Cloud on AWS in conjunction with their on-premise VMware deployments.

VMware Cloud on AWS is a hybrid cloud platform. Combining VMware's market-leading Software-Defined Data Center (SDDC) software stack, including vSphere, vCenter and vRealize, with flexible bare-metal infrastructure from AWS, the VMware Cloud on AWS solution makes it easier than ever for enterprises to extend their existing data centers and private clouds to a hybrid cloud environment for greater elasticity and agility. Application mobility is now as simple as a few mouse clicks in vCenter to migrate applications between on-premise and hosted AWS environments. As the perimeter of the data center becomes increasingly blurred, it is important that user and data privacy remain seamless, regardless of where the information resides or whether or not it is on corporate-owned infrastructure.

At Fortinet, we've been heavily investing in cloud security for years, with VMware and AWS being two of our most important partners for private and public clouds, respectively. Our FortiGate VM for VMware Cloud on AWS features the identical FortiOS firmware and FortiGuard security services that are delivered for other hypervisors and public clouds. But because the hybrid cloud raises additional security considerations (issues that we've been talking about with customers for more than a year), a major offering like VMware Cloud on AWS really brings those requirements into sharp focus.

Here are three of the most critical cloud security requirements when looking at hybridizing private and public clouds:

Consistent Security Posture Across Private and Public Cloud Workloads

I've often asserted that a web server or any other workload should have the same security posture regardless of whether it's running on physical, virtual, or cloud infrastructure. In other words, it's all about the application. While still true, that statement usually refers to different web applications or workloads that are persistent in the private cloud vs. those an organization chooses to deploy in the public cloud. With VMware Cloud on AWS, however, we are now entering an era where application migration and mobility is not a transitional occurrence, but a permanent state of being. In this new hybrid environment, the exact same application instance might be running in the private cloud one minute, and on AWS the next. So it's now even more critical that each application instance have a firewall and security posture that is both consistent and seamless across the hybrid infrastructure.

To achieve this, organizations are increasingly looking to adopt the same trusted security vendor solutions and policy frameworks on both sides of their hybrid cloud. Our FortiManager and FortiAnalyzer centralized management solutions provide a unified, single pane of glass for policies and events. And the Fortinet Security Fabric further provides a unified and actionable view of the firewalls and security deployed across a hybrid environment. Some forward-looking customers are even choosing to deploy FortiManager or FortiAnalyzer instances on the public cloud side, where security management can manage both on-premise and cloud-hosted firewalls, while also leveraging elastic logging capacity and other agility native to the public cloud.

Secure Cloud Connectivity for Application Mobility

When we launched our initial VM offerings for public clouds a few years ago, we began to see within just the first few weeks curious use cases where customers wanted to use our FortiGate not for firewall, IPS, or other deep packet inspection, but solely for managing secure site-to-site IPsec VPN tunnels between their on-premise data centers and AWS or Azure. Organizations quickly realized that in order to fully realize the benefits of the public cloud they needed high-performing, reliable, and yet highly secure connections to safely migrate large amounts of application data.

Because VMware Cloud on AWS enables the evolution from app migration to app mobility, the same apps and data may move not just once, but multiple times back and forth, depending on such factors as instantaneous availability, reliability, and scalability conditions. This furthers the need for an enterprise-class VPN, such as that provided by FortiGate, to handle one or both ends of a persistent hybrid cloud VPN connection.

End-to-End Segmentation Within and Between Clouds

Of course, with the persistent movement of apps and data between private and public clouds, VPN alone will not be sufficient to maintain a robust hybrid cloud security posture. Not all data is treated with the same sensitivity, nor are all parts of a data center or hybrid cloud, so organizations may need to restrict highly sensitive applications and data to one part of the cloud. Conversely, some less sensitive applications with greater Internet and threat exposure may need additional degrees of protection. Generally, more sensitive data would likely reside on-premise, and less sensitive data and apps in VMware Cloud on AWS. But there are also use cases that go the other way, such as keeping PCI-regulated customer data on the public cloud to limit the scope of PCI audits.

It is critical, then, not just to tunnel, but also to inspect and segment application mobility between private and public clouds. A FortiGate appliance is not only able to provide Layer 2/3 firewall protection. As we have shown with Internal Segmentation Firewalls deployed on-premise, security should also be applied based on user, application, and data context, with commensurate performance in order to handle increased Layer 7 bandwidth requirements.

Because many organizations have multiple applications running in their public cloud that may vary in their sensitivity level, internal segmentation should also be deployed between the various public cloud workloads. In AWS EC2, one way of doing this is with a Transit VPC firewall deployment for east-west inspection between workloads. A similar construct can also be applied to workloads in VMware Cloud on AWS.

Cloud environments continue to evolve in order to meet the demands of today’s digital business models. Because new hybrid environments, such as VMware Cloud on AWS, often deploy critical services and sensitive information on both sides of the cloud connection, security solutions cannot afford to be isolated and independent. More than ever, these new, critical network environments require integrated security policies and enforcement that span the entire ecosystem. They also need to be combined with centralized orchestration and management to ensure consistent protection and immediate response to today’s increasingly sophisticated threats. FortiGate VM for VMware Cloud on AWS provides the protection, performance, and centralized visibility and control these extended network ecosystems demand.