Defining the Virtual Private Cloud (VPC)

30 August 2009 Posted by Paul Burns

While the idea of a virtual private cloud is not new, there is yet to emerge a single consistent definition. In fact, some would say that cloud computing at large suffers from this same problem.

There is no doubt that a lot of discussion has taken place with respect to defining cloud computing. However, the National Institute of Standards (NIST) has offered a solid and improving definition here. It includes the related cloud service models (IaaS, PaaS and SaaS) and deployment models (Private, Community, Public, Hybrid). The NIST definition also has the advantage of coming from an independent standards body. This appears to be helping it gain traction across the industry.

Unfortunately the NIST definition does not yet address virtual private clouds. Yet, just last week, two companies announced virtual private cloud services. Amazon, with its Amazon VPC, was first to go public with a discussion of their offerings. OpSource, with its OpSource Cloud™, followed by just a couple days.

Without a common definition of VPC, it has been difficult for individuals in the industry to consistently assess these new offerings. For instance, do either of them really meet the definition of VPC? (Hmm… what definition?) Or are the vendors simply using marketing terminology in an attempt to differentiate their new wares?

The key recommendation from this blog post is for NIST to add virtual private cloud to its cloud computing definition. A definition from NIST will be helpful in developing a consistent view of virtual private clouds. At the same time it needs to leave room for technology advances and innovation that is forthcoming. I propose draft text below in all bold which defines virtual private cloud as a new NIST deployment model. This text has also been submitted to NIST to be considered for use in a future version of its cloud computing definition.

NIST Deployment Models:

Private cloud. (existing) The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.

Community cloud. (existing) The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.

Public cloud. (existing) The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

Virtual private cloud. (proposed) The cloud infrastructure is operated solely for an organization, and is a subset of a larger cloud infrastructure which may be private, community or public. The virtual private cloud is virtually partitioned, rather than completely physically separated, from the larger cloud.

Hybrid cloud. (existing) The cloud infrastructure is a composition of two or more clouds (private, community, public, or virtual private) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting).

Note that the Amazon and OpSource solutions both fit within this proposed definition of virtual private cloud. They both do this by emphasizing VPNs as the mechanism for the virtual partitioning. Also note that the definition above leaves plenty of room as to how exactly the virtual partitioning is implemented.

Beyond VPNs, other technologies such as VLANs and/or other virtualization capabilities could be used to implement a VPC. For example, Neovise expects cloud platform software in the future (perhaps optionally and more expensively) to ensure VMs from different VPCs do not run on the same physical server. There would still be a single shared cloud infrastructure, but with VMs from different organizations not allowed to coexist on the same servers.

The main idea of this VPC definition is really that the VPC is not completely physically separated from the larger cloud and some physical infrastructure sharing remains. If the infrastructure were completely physically separated, it would simply be called a private cloud (whether internally or externally hosted).

Neovise also expects the emergence of a spectrum of “privacy” for VPCs. Some of this will relate to the level of physical separation and some will relate to the strength of the approaches to virtual partitioning. Future VPC services will likely employ different combinations of partitioning approaches to achieve the desired level of privacy, security and control.
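To make the two partitioning levels discussed above concrete, here is an added example (not code from the original post, Neovise, Amazon or OpSource) of a toy VM placement scheduler. With dedicated=True it enforces the stricter option the post anticipates, namely that VMs from different VPCs never share a physical server; with dedicated=False it places on any host with capacity, which corresponds to relying on VPN/VLAN partitioning alone. An audit function then flags any host on which more than one VPC is co-resident, which is the check an operator would want regardless of which level of privacy a given VPC service promises. Host names, capacities and VPC identifiers are all constructed for the illustration.

```python
"""Toy VPC-aware VM placement and co-residency audit (constructed example)."""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Host:
    """A physical server. capacity is a constructed 'VM slots' unit."""
    name: str
    capacity: int
    vms: List[Tuple[str, str]] = field(default_factory=list)  # (vm_name, vpc_id)

    def vpcs(self) -> set:
        return {vpc for _, vpc in self.vms}

    def owner(self) -> Optional[str]:
        """VPC already occupying this host, or None if the host is empty."""
        vpcs = self.vpcs()
        return next(iter(vpcs)) if len(vpcs) == 1 else None

    def free(self) -> int:
        return self.capacity - len(self.vms)


def place_vm(hosts: List[Host], vm_name: str, vpc_id: str, dedicated: bool = True) -> Optional[str]:
    """Place one VM and return the chosen host name, or None if no host qualifies.

    dedicated=True  : only empty hosts or hosts already owned by the same VPC are
                      eligible, so VPCs never share a physical server.
    dedicated=False : any host with free capacity is eligible; isolation is then
                      left entirely to network-level partitioning (VPN/VLAN).
    """
    candidates = [
        h for h in hosts
        if h.free() > 0 and (not dedicated or h.owner() in (None, vpc_id))
    ]
    # Prefer a host this VPC already uses (keeps the VPC's footprint small),
    # then the tightest remaining fit.
    candidates.sort(key=lambda h: (h.owner() != vpc_id, h.free()))
    if not candidates:
        return None
    chosen = candidates[0]
    chosen.vms.append((vm_name, vpc_id))
    return chosen.name


def audit_coresidency(hosts: List[Host]) -> List[Tuple[str, List[str]]]:
    """Return (host, sorted VPC ids) for every host where more than one VPC is resident."""
    return [(h.name, sorted(h.vpcs())) for h in hosts if len(h.vpcs()) > 1]


def run_scenario(dedicated: bool):
    """Place six VMs from two VPCs on three 2-slot hosts; return placement and audit findings."""
    hosts = [Host("h1", 2), Host("h2", 2), Host("h3", 2)]
    requests = [("a1", "vpc-A"), ("a2", "vpc-A"), ("a3", "vpc-A"),
                ("b1", "vpc-B"), ("b2", "vpc-B"), ("b3", "vpc-B")]
    placement = {vm: place_vm(hosts, vm, vpc, dedicated) for vm, vpc in requests}
    return placement, audit_coresidency(hosts)


if __name__ == "__main__":
    for mode in (True, False):
        placement, findings = run_scenario(dedicated=mode)
        print(f"dedicated={mode}: placement={placement}")
        print(f"  co-residency findings: {findings}")
```

In dedicated mode the sixth VM (b3) is refused even though host h2 still has a free slot, because h2 belongs to vpc-A; that refused capacity is the cost the post alludes to with "more expensively". In non-dedicated mode every VM is placed, but the audit reports h2 as hosting both VPCs, which is exactly the state a strict-isolation service must never reach.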
