Hybrid Cloud Networking
Connect on-premises data centers to cloud environments securely and reliably. Covers VPN tunnels, Direct Connect/ExpressRoute, transit gateways, DNS resolution, and the patterns that enable seamless hybrid cloud connectivity.
Hybrid cloud networking connects your on-premises data center to one or more cloud providers. Whether you are migrating to the cloud, running a hybrid workload, or meeting data residency requirements, the network is the foundation. Get it wrong, and everything — latency, security, reliability — suffers.
Connectivity Options
Site-to-Site VPN:
Connection: IPsec tunnel over the public internet (encrypted and authenticated end to end)
Bandwidth: Roughly 1-3 Gbps per tunnel depending on the provider's limits; scale out with multiple tunnels and ECMP
Latency: Variable (internet routing)
Cost: Low ($)
Setup time: Hours
Best for: Dev/test, small workloads, initial setup, and as the encrypted backup path for a private circuit
AWS: AWS Site-to-Site VPN
Azure: Azure VPN Gateway
GCP: Cloud VPN
Direct Connect / ExpressRoute:
Connection: Dedicated private circuit. The circuit is not encrypted by itself: enable MACsec where the provider offers it on the port, or run IPsec over the circuit, if traffic on the carrier path is in scope for confidentiality
Bandwidth: 50 Mbps and up through partner/hosted connections; 1-100 Gbps on dedicated ports
Latency: Consistent, low
Cost: High ($$$$$)
Setup time: Weeks to months
Best for: Production, large data transfers, latency-sensitive workloads
AWS: AWS Direct Connect
Azure: Azure ExpressRoute
GCP: Cloud Interconnect
SD-WAN:
Connection: Software-defined overlay
Bandwidth: Aggregated across multiple links
Best for: Multi-site, dynamic routing
Architecture
            ┌──────────────────────┐
            │      Cloud VPC       │
            │    10.100.0.0/16     │
            │                      │
            │  ┌──────────────┐    │
            │  │   Transit    │    │
            │  │   Gateway    │    │
            │  └──────┬───────┘    │
            │         │            │
            └─────────┼────────────┘
                      │
      ┌───────────────┼───────────────┐
      │               │               │
┌─────┴─────┐   ┌─────┴─────┐   ┌─────┴─────┐
│    VPN    │   │  Direct   │   │    VPN    │
│ Tunnel 1  │   │  Connect  │   │ Tunnel 2  │
│ (backup)  │   │ (primary) │   │ (backup)  │
└─────┬─────┘   └─────┬─────┘   └─────┬─────┘
      │               │               │
      └───────────────┼───────────────┘
                      │
           ┌──────────┴───────────┐
           │   On-Premises DC     │
           │    10.0.0.0/16       │
           │                      │
           │   Customer Router    │
           └──────────────────────┘
Direct Connect carries production traffic; the two VPN tunnels are the encrypted backup path and should terminate on separate customer devices (and ideally separate ISPs) so that one router or uplink failure does not take out both.
Key design decisions:
☐ Non-overlapping CIDR ranges (plan the address space before the first connection is built)
☐ Redundant connections (active/passive or active/active), terminating on separate customer devices and, where possible, separate provider locations
☐ Hub-and-spoke (transit gateway) vs full mesh
☐ DNS resolution across environments
☐ Routing priority and failover, configured consistently on both sides so that request and reply take the same path
☐ BGP prefix filters and maximum-prefix limits on every peering, so a misconfigured or compromised peer cannot advertise your own prefixes or a default route
☐ Encryption on private circuits (MACsec on the port or IPsec over Direct Connect/ExpressRoute) when the carrier path is in scope
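The first and the prefix-filter checklist items can be verified mechanically. The following Python is an added example, not code from the page: it validates an address plan for overlaps using the standard library's ipaddress module, and applies an inbound BGP prefix filter (a summary prefix plus an allowed prefix-length range, like a prefix-list with ge/le) to routes learned from the on-prem peer, rejecting anything that overlaps the cloud's own address space. The cloud and on-prem CIDRs are the ones in the diagram; the route list, the policy and the sample advertisements are constructed.

```python
"""Address-plan and BGP prefix-filter checks for a hybrid network.

Added example, not code from the original page. CIDRs follow the
article's diagram (cloud 10.100.0.0/16, on-prem 10.0.0.0/16); the
policy and advertised routes are constructed for illustration.
"""
import ipaddress
from itertools import combinations

IPNet = ipaddress.IPv4Network


def find_overlaps(plan: dict[str, str]) -> list[tuple[str, str]]:
    """Return every pair of named address spaces that overlap.

    With no overlaps, each destination has exactly one candidate route,
    which is the property the whole hybrid routing design relies on.
    """
    nets = {name: IPNet(cidr, strict=True) for name, cidr in plan.items()}
    return [
        (a, b)
        for a, b in combinations(sorted(nets), 2)
        if nets[a].overlaps(nets[b])
    ]


def filter_advertised(
    advertised: list[str],
    allowed: dict[str, tuple[int, int]],
    local: list[str],
) -> tuple[list[str], dict[str, str]]:
    """Apply an inbound BGP prefix filter to routes learned from a peer.

    `allowed` maps a summary prefix to the (min, max) prefix length
    accepted beneath it.  A prefix is rejected if it is malformed,
    overlaps our own address space (a peer must never be able to
    attract traffic for our networks, and 0.0.0.0/0 fails this too),
    is not covered by any summary, or has a length outside the range.
    Returns (accepted, {rejected_prefix: reason}).
    """
    allow = {IPNet(p): r for p, r in allowed.items()}
    local_nets = [IPNet(p) for p in local]
    accepted: list[str] = []
    rejected: dict[str, str] = {}
    for raw in advertised:
        try:
            pfx = IPNet(raw, strict=True)   # strict: host bits must be zero
        except ValueError as exc:
            rejected[raw] = f"malformed: {exc}"
            continue
        if any(pfx.overlaps(n) for n in local_nets):
            rejected[raw] = "overlaps local address space"
            continue
        covering = [s for s in allow if pfx.subnet_of(s)]
        if not covering:
            rejected[raw] = "not in prefix list"
            continue
        lo, hi = allow[max(covering, key=lambda s: s.prefixlen)]
        if not lo <= pfx.prefixlen <= hi:
            rejected[raw] = f"prefix length {pfx.prefixlen} outside /{lo}-/{hi}"
            continue
        accepted.append(raw)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed address plan: the branch range collides with the main DC range.
    plan = {"cloud-vpc": "10.100.0.0/16", "on-prem": "10.0.0.0/16",
            "on-prem-branch": "10.0.20.0/24"}
    print("overlaps:", find_overlaps(plan))

    # Constructed BGP update from the on-prem router, including hostile prefixes.
    learned = ["10.0.0.0/16", "10.0.20.0/24", "0.0.0.0/0", "10.100.5.0/24",
               "10.1.0.0/16", "10.0.32.0/27", "10.0.1.5/24"]
    ok, bad = filter_advertised(learned, {"10.0.0.0/16": (16, 24)},
                                local=["10.100.0.0/16"])
    print("accepted:", ok)
    for prefix, reason in bad.items():
        print(f"rejected {prefix}: {reason}")
```

The order of checks matters: the local-overlap test runs before the prefix-list test so that a default route or a copy of the cloud CIDR is rejected with the reason a responder actually wants to see, rather than being masked by a generic "not in list".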
DNS in Hybrid Cloud
Challenge: Services in the cloud need to resolve on-prem names, and services on-prem need to resolve cloud names, but each side's resolver is only authoritative for its own zones.
Solution: DNS forwarding, with a conditional forwarder on each side for the other side's zones
Cloud DNS → Conditional forwarder → On-prem DNS
*.internal.company.com → Forward to on-prem DNS (10.0.0.53)
On-prem DNS → Conditional forwarder → Cloud DNS
*.cloud.company.internal → Forward to cloud DNS (10.100.0.2)
AWS Implementation:
Route 53 Resolver:
Inbound endpoint: On-prem resolvers forward queries for cloud zones to the endpoint's VPC IP addresses
Outbound endpoint: Route 53 Resolver forwards queries for on-prem zones out to the on-prem resolvers, as directed by forwarding rules
Rules: Forward internal.company.com (and its subdomains) to 10.0.0.53; associate the rule with every VPC that needs it
Check: Restrict the endpoint security groups to TCP/UDP 53 from the on-prem resolver addresses only; an inbound endpoint open to the whole hybrid network lets any host enumerate private zones
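How a resolver decides which forwarding rule applies to a query is easy to get subtly wrong, so here is a model of it as an added example, not code from the page or from AWS. It implements the most-specific-domain-wins selection that conditional forwarders, Route 53 Resolver rules included, use, and it compares DNS labels rather than string suffixes so that `internal.company.com` does not accidentally cover `notinternal.company.com`. The rule set and query names are constructed; 10.0.0.53 is the on-prem resolver from the text.

```python
"""Conditional-forwarder rule selection for hybrid DNS.

Added example, not code from the original page: a model of how a
resolver picks the forwarding rule for a query, using
most-specific-domain-wins matching on DNS labels. The rule set and
query names are constructed; 10.0.0.53 is the on-prem resolver.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ForwardRule:
    domain: str                 # zone suffix the rule covers
    targets: tuple[str, ...]    # forwarder IPs; empty tuple = resolve locally


def labels(name: str) -> tuple[str, ...]:
    """Normalise a DNS name: names are case-insensitive and may end in '.'."""
    return tuple(name.rstrip(".").lower().split("."))


def match_rule(query: str, rules: list[ForwardRule]) -> Optional[ForwardRule]:
    """Return the rule whose domain is the longest label-wise suffix of `query`.

    Comparing label tuples instead of calling str.endswith() means
    'internal.company.com' covers 'db.internal.company.com' but not
    'notinternal.company.com', which a plain string-suffix check would
    wrongly forward to the on-prem resolver.
    """
    q = labels(query)
    best: Optional[ForwardRule] = None
    best_len = -1
    for rule in rules:
        d = labels(rule.domain)
        if len(d) <= len(q) and q[len(q) - len(d):] == d and len(d) > best_len:
            best, best_len = rule, len(d)
    return best


def resolve_target(query: str, rules: list[ForwardRule]) -> str:
    """Where the query goes: a comma-separated forwarder list, or 'local'."""
    rule = match_rule(query, rules)
    if rule is None or not rule.targets:
        return "local"      # unmatched names and system rules resolve locally
    return ",".join(rule.targets)


# Constructed cloud-side rule set: the on-prem zone goes to 10.0.0.53, but a
# lab sub-zone hosted in the cloud stays local because the more specific rule wins.
CLOUD_RULES = [
    ForwardRule("internal.company.com", ("10.0.0.53",)),
    ForwardRule("lab.internal.company.com", ()),
]

if __name__ == "__main__":
    for name in ("db.internal.company.com", "DB.Internal.Company.COM.",
                 "notinternal.company.com", "host.lab.internal.company.com",
                 "www.example.com"):
        print(f"{name:32} -> {resolve_target(name, CLOUD_RULES)}")
```

The empty-target rule is the equivalent of a system rule: it carves a sub-zone out of a broader forwarding rule so that queries for a zone you host in the cloud never leave for on-prem, which would otherwise either fail or leak internal hostnames to a resolver that should not see them.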
Anti-Patterns
| Anti-Pattern | Consequence | Fix |
|---|---|---|
| Overlapping CIDRs | Routing conflicts, unreachable services | Plan address spaces before connecting |
| Single VPN tunnel | Single point of failure | Redundant tunnels on separate customer devices, or Direct Connect + VPN |
| No bandwidth planning | Congestion, slow data transfers | Baseline traffic, size connections |
| Asymmetric routing | Request and reply take different paths; a stateful firewall that never saw the SYN drops the reply | Consistent route preference on both sides so each flow stays on one path |
| Accepting any BGP prefix from the peer | A misconfigured or compromised peer can advertise your own prefixes or a default route and pull traffic to itself | Inbound prefix filters and maximum-prefix limits on every peering |
| Treating a private circuit as encrypted | Traffic on the carrier path is readable in transit | MACsec on the port or IPsec over the circuit |
| No monitoring | Silent failures, latency spikes ignored | Monitor latency, packet loss, throughput; alert on BGP session and tunnel state changes |
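The asymmetric-routing row is worth seeing concretely. The following simulation is an added example, not code from the page: it models the two hybrid paths from the diagram (Direct Connect and VPN), each passing through its own stateful firewall, performs longest-prefix route selection on each side, and shows that a SYN-ACK returning over a path whose firewall never saw the SYN is dropped. Host addresses, route tables and the one-firewall-per-path layout are constructed; the assumption that a stateful firewall only admits non-SYN segments for flows it has already recorded is what real stateful inspection does.

```python
"""Why asymmetric routing breaks stateful firewalls: a small simulation.

Added example, not code from the original page. Two paths (Direct
Connect and VPN), each with its own stateful firewall; hosts and
route tables are constructed for illustration.
"""
from dataclasses import dataclass, field
import ipaddress

# (destination prefix, path name, preference; lower preference wins ties)
Route = tuple[str, str, int]


def select_path(routes: list[Route], dst: str) -> str:
    """Longest-prefix match first, then lowest preference, like a real RIB."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [
        (ipaddress.IPv4Network(cidr).prefixlen, -pref, path)
        for cidr, path, pref in routes
        if addr in ipaddress.IPv4Network(cidr)
    ]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    # max() orders by prefix length, then by the negated preference
    return max(candidates)[2]


@dataclass
class StatefulFirewall:
    """Records TCP flows it has seen; admits later segments only for known flows."""
    name: str
    flows: set = field(default_factory=set)

    def forward(self, src: str, sport: int, dst: str, dport: int, syn: bool) -> bool:
        key = (src, sport, dst, dport)
        if syn:                      # new connection: create state and pass it
            self.flows.add(key)
            return True
        reverse = (dst, dport, src, sport)
        # a non-SYN segment is admitted only if either direction is known
        return key in self.flows or reverse in self.flows


def simulate_exchange(cloud_routes: list[Route], onprem_routes: list[Route]) -> dict:
    """A cloud client opens TCP/443 to an on-prem server and awaits the SYN-ACK."""
    client, server = "10.100.1.10", "10.0.5.20"
    firewalls = {"dx": StatefulFirewall("fw-dx"), "vpn": StatefulFirewall("fw-vpn")}
    out_path = select_path(cloud_routes, server)     # cloud side picks the path
    back_path = select_path(onprem_routes, client)   # on-prem side picks its own
    syn_ok = firewalls[out_path].forward(client, 40000, server, 443, syn=True)
    synack_ok = firewalls[back_path].forward(server, 443, client, 40000, syn=False)
    return {"outbound": out_path, "return": back_path, "delivered": syn_ok and synack_ok}


# Constructed route tables. Both sides prefer Direct Connect: symmetric.
SYMMETRIC_CLOUD = [("10.0.0.0/16", "dx", 10), ("10.0.0.0/16", "vpn", 20)]
SYMMETRIC_ONPREM = [("10.100.0.0/16", "dx", 10), ("10.100.0.0/16", "vpn", 20)]
# The on-prem side also carries a more specific static route via the VPN:
# longest-prefix match sends the reply down the other path.
ASYMMETRIC_ONPREM = [("10.100.0.0/16", "dx", 10), ("10.100.1.0/24", "vpn", 50)]

if __name__ == "__main__":
    print("symmetric: ", simulate_exchange(SYMMETRIC_CLOUD, SYMMETRIC_ONPREM))
    print("asymmetric:", simulate_exchange(SYMMETRIC_CLOUD, ASYMMETRIC_ONPREM))
```

Note that the asymmetric case is not caused by a wrong preference value but by a more specific prefix on one side, which is the common real-world cause: someone adds a /24 static route for a migration and the replies for that subnet silently start dying at the firewall on the other path.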
Hybrid cloud networking is the invisible foundation that makes hybrid architecture possible. When it works, nobody notices. When it fails, everything breaks.