In this video we will learn about hybrid cloud design and bastion networks, and we'll also talk about how the shared responsibilities model applies to cloud network security.
In Module one we looked at the hybrid cloud model. This is the blend between the on-premises traditional data center and either a public, private or community cloud.
Looking at the diagram, imagine each of those blue boxes at the top is a different cloud provider, and you want to build a link into your data center.
The goal is to support arbitrary network addressing that seamlessly extends into the cloud user network. If the cloud networks and on-prem used the same IP address range, this won't work.
At the same time, you don't want to create a flat network between the two environments.
Enter the bastion or transit network approach. This approach provides a method to connect on-prem with cloud networks through a dedicated virtual network. Different cloud accounts come through the bastion network and aren't directly peered with the data center.
You can deploy security tools for more extensive rule enforcement and monitoring of the traffic flow from on-prem to the cloud, or even from one cloud to another cloud.
This is another application of network segmentation to limit the blast radius in case of a breach. When implementing a hybrid cloud, directly peering the cloud and data center is a highly discouraged practice. You should only use this as a last resort. Keep in mind a security chain is only as strong as its weakest link.
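As an added illustration that is not part of the video's material, the following Python script checks a proposed hybrid cloud design against the two rules just described: no two networks may share an address range, and every peering must terminate on the bastion (transit) hub rather than link on-prem or spoke networks directly. The network names, address ranges and peerings are constructed for the example.

```python
"""Hub-and-spoke (bastion / transit) design checks for a hybrid cloud layout.

Added example: models a hybrid design as a list of networks with CIDR ranges and
peering relationships, then reports the two classic mistakes discussed above.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from itertools import combinations


@dataclass
class Network:
    """One routable network in the design."""
    name: str
    cidr: str
    kind: str                      # "onprem", "bastion" or "spoke"
    peers: set[str] = field(default_factory=set)   # names of directly peered networks


def find_overlaps(networks: list[Network]) -> list[tuple[str, str]]:
    """Return every pair of networks whose address ranges overlap.

    Overlapping ranges cannot be routed unambiguously through the transit hub,
    so each hit is a design defect rather than a warning.
    """
    hits = []
    for a, b in combinations(networks, 2):
        if ipaddress.ip_network(a.cidr).overlaps(ipaddress.ip_network(b.cidr)):
            hits.append((a.name, b.name))
    return hits


def find_bypass_peerings(networks: list[Network]) -> list[tuple[str, str]]:
    """Return peerings that do not touch a bastion hub.

    In a transit design every link terminates on the hub. An on-prem <-> spoke or
    spoke <-> spoke peering bypasses the hub's inspection point and recreates the
    flat network the design is meant to avoid.
    """
    hubs = {n.name for n in networks if n.kind == "bastion"}
    seen: set[tuple[str, str]] = set()
    findings = []
    for n in networks:
        for peer in n.peers:
            pair = tuple(sorted((n.name, peer)))   # de-duplicate A<->B and B<->A
            if pair in seen:
                continue
            seen.add(pair)
            if not (set(pair) & hubs):
                findings.append(pair)
    return findings


def validate(networks: list[Network]) -> list[str]:
    """Human-readable findings for a design; an empty list means it passes."""
    out = [f"address overlap: {a} and {b}" for a, b in find_overlaps(networks)]
    out += [f"peering bypasses bastion: {a} <-> {b}"
            for a, b in find_bypass_peerings(networks)]
    return out


def flawed_design() -> list[Network]:
    """Constructed sample with two mistakes: cloud-b reuses the on-prem range
    and is peered straight to the data center."""
    return [
        Network("onprem-dc", "10.0.0.0/16", "onprem", {"transit-hub"}),
        Network("transit-hub", "10.255.0.0/24", "bastion", {"onprem-dc", "cloud-a", "cloud-b"}),
        Network("cloud-a", "10.1.0.0/16", "spoke", {"transit-hub"}),
        Network("cloud-b", "10.0.0.0/16", "spoke", {"transit-hub", "onprem-dc"}),
    ]


def good_design() -> list[Network]:
    """Constructed sample that follows the transit pattern: distinct ranges,
    every spoke and on-prem peered only with the hub."""
    return [
        Network("onprem-dc", "10.0.0.0/16", "onprem", {"transit-hub"}),
        Network("transit-hub", "10.255.0.0/24", "bastion", {"onprem-dc", "cloud-a", "cloud-b"}),
        Network("cloud-a", "10.1.0.0/16", "spoke", {"transit-hub"}),
        Network("cloud-b", "10.2.0.0/16", "spoke", {"transit-hub"}),
    ]


if __name__ == "__main__":
    for label, design in (("flawed", flawed_design()), ("good", good_design())):
        findings = validate(design)
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

The peering check treats the relationship as undirected, so a link recorded on only one side (as `cloud-b` does here) is still caught; in a real review you would feed it the peering list exported from each provider's management plane rather than a hand-written one.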
So if you have the direct peering model and a laptop gets compromised, that laptop could begin scanning your local network, reach out into the cloud network as well, and potentially compromise those resources too.

Before wrapping up our examination of network security in the cloud, let's take a moment to summarize key aspects of the consumer-provider shared responsibility model.
The consumer is responsible for properly designing their virtual networks, applying strategies like segmentation, connecting to bastion networks, and micro-segmentation. A good design is a great starting point, but the consumer is also responsible for implementing security controls within those virtual networks. This ensures that the design is realized.
It's also important to secure the management plane. Keep in mind that the SDN and security roles are defined through management planes, so if somebody gets access to that management plane, they can throw your design and policies out the window and rebuild the network however they see fit.
Let's not forget about the provider's role in this. They need to secure the underlying network. This means ensuring tenant isolation, and it's critical to maintain segregation and isolation in a multi-tenant environment where you could have hostile tenants. The provider also needs to give security controls to the consumer. This allows them to secure the management plane and implement controls that work natively with the provider's SDN implementation. And finally, perimeter security to protect and minimize impact on workloads. This is a more traditional network security outlook, ensuring that the network infrastructure the SDN runs on top of isn't vulnerable to attacks from the outside world.
In this video, we talked about a way to more securely design your hybrid cloud by incorporating bastion networks. We also reviewed the shared responsibilities between provider and consumer when it comes to cloud network security.