12 questions to ask your next cloud computing provider

If you are interested in getting started with cloud computing – assembling a series of virtual servers for your enterprise applications that run offsite on a provider's data center – here are questions that might be useful as you proceed to evaluate different providers.

We use Amazon's Web Services, a hosted VMware provider called Terremark, and Cloudshare, where you can host up to three virtual servers completely for free, as examples to show you how the major providers can address each of these questions.

1. What types of remote connections are available to your cloud resources?

Getting your cloud-based servers set up with data and applications usually involves making some sort of remote connection to move content from your enterprise network or desktop to the virtual instance of your server. There are at least three different ways, and chances are you might need all three for doing different tasks, such as populating a database or Web server, managing your Windows server with the graphical Microsoft tools such as Server Manager, or running a virtual private network between your desktop and the cloud. So look at how your provider handles VPNs (some may use browser-based tools such as Cisco's AnyConnect VPN client), Remote Desktop Connection software from Microsoft, the Secure Shell (SSH) terminal session, or file transfer protocols (FTP) to remotely control and transfer information to your cloud-based server.

Cisco's AnyConnect VPN is one example of a browser-based VPN client that several cloud providers use.

2. Does your cloud provider have any ready-to-use OS templates for installing your servers, and if so, what specific versions are included?

With some providers, you must set up a new server from scratch and use the ISO or installation DVD and upload it across the Internet. With others, they come with pre-made barebones OS templates to get you started. If you need a specific 64-bit Windows server, or a different version of Linux than your provider has in mind, it is worth checking and see what is offered. We have included screenshots from some typical offerings.

Cloudshare has this nice rotating display showing its available server configuration templates.

Amazon has five quick start templates that include four different Linux servers and one Windows Server configuration. There are thousands more templates (what Amazon called Machine Images) that are more specific that have been created by the open source users of its service that are available to share.

Terremark has a long list of Linux and 32-bit and 64-bit Windows OSs to choose from.

3. Do you have to pay for a virtual PC instance and the resources it consumes whether it is running or not? Do you have to pay for the OS licensing on top of the resource charges too?

Yes, all cloud computing providers charge by the drink, by the glass, and by the bar stool if you want to continue the analogy. What this means is that just about anything and everything has an associated cost to it – the number of CPUs per server, the amount of RAM and disk storage, external IP addresses, software and OS licenses, network bandwidth, and so forth.

Amazon only charges for running instances of its servers: when you power them down, you save some cash. Cloudshare doesn't charge for its OS licenses, which is how they can get away with offering three free virtual servers for their free basic accounts. (You do have to access your environment at least once a month to keep the account active, however.)

With Verizon's CaaS, they charge you whether or not your servers are running or powered off, which can get pricey.

4. How easy it is to clone a new server in your cloud environment and what steps are involved to do so?

With most providers, it is relatively easy to clone a virtual server to use as the starting point for other servers, after all, that is what cloud computing is all about. It generally takes a few minutes and just a few clicks of the mouse to get a duplicate machine powered up.

For example, Cloudshare has an interesting twist on this, and allows you to share your entire environment with up to 100 friends, you just send them an email invite, which they have two days to accept and gain access to your virtual servers. You can also take snapshots of your entire environment – similar to the feature found in the desktop VMware Workstation – and revert back to the last snapshot if you run into trouble with something.

Finally, Cloudswitch.com sells a virtual appliance that can be used to move any virtual machine into either an Amazon or Terremark environment.

Cloudshare makes it easy for you to share your entire virtual environment with up to 100 others via an email link.

5. How do you add additional storage space to your server in a cloud environment, and are there any limitations on the size of the disk space added?

Generally, this is a relatively simple operation: you power down the virtual server and click on a few buttons to increase its disk storage or to attach a new disk drive to the machine. Some providers place limits on overall disk storage but allow you to add multiple disks to your server. If you are dealing with very large data sets it is worth checking what the specifics are here.

With Terremark, it is easy to add up to 500 GB of disk storage to any of your servers.

6. How much of your cloud infrastructure is redundant?

Most cloud providers offer to automatically protect your data by running independent and geographically distinct data centers, so that your infrastructure will remain running even if one of their data centers fails. But that isn't the same as knowing where your data is actually physically located and whether or not you can specify which data center you want to be located. It doesn't hurt to ask before you start using the service. Amazon, for example, has several distinct "zones" in North America, Asia and Europe where its servers are located. A user can specify the location of his virtual servers and design an environment to be protected in case of any failures. A more complete discussion of the various security decisions involved in using Amazon's Web Services can be found here.

Amazon has four different geographically distinct regional data centers that are used to serve up its cloud services.

7. When you do your cloud ROI calculation, do you include the cost of buying new servers every three years or so and your annual software maintenance and licensing contracts?

When you set out to justify your cloud computing decision financially, it is easy to forget that in the physical world you need to periodically replace servers and update their applications with new licenses, things that might be included in the price of your cloud computing bill. "A restaurant that I am working with has 120 Exchange mailboxes," says Jamie Barmach, the President of JEB and Co., a network and services consultancy based in Chandler, Ariz. "We got a three year break-even point for their move to Google Apps, and this doesn't include ongoing Exchange server and software maintenance and upgrades, too." That return on investment was what won his client over to the cloud.

8. Can you automatically provision new servers with your provider or must you manually intervene to spin up or down a server based on changing demands?

The CTO of Town and Country, Mo.-based cloud hosting provider Savvis Bryan Doerr talks about how automation can play a critical role in how secure a cloud can be. "We can automatically provision stuff quickly, but what we can't do is make decisions quickly. How long it will take me to add capacity to this app? How long to recognize a failure and respond? Now that we have all this infrastructure virtualized, and automated these changes, we need to automate the decision making too. We need to close the loop from sense to decision. Virtualization has freed us from manually patching cables and setting up racks of equipment. We have to make these decisions in advance, define them in terms of policy, and then express those in terms of guides for our provisioning systems. The trick is to figure out how to help customers get down the road." Products such as Racemi's DynaCenter and Novell's Platespin are just two of the many automation tools available for these sorts of
tasks.

Karen Rhodes, a senior sales engineer of Layered Technologies in Plano, Tex., says, "PlateSpin can be used to migrate any physical server to a variety of virtual environments including ESX, Xen Center, Sun and HyperV. You don't have to tie yourself to any one particular vendor and it is very robust and mature technology." Many of these technologies can also be used to convert virtual machines into physical ones, which are useful for debugging operating system issues.

Novell's Platespin series of tools can orchestrate bringing up new VM instances when workloads change.

9. How does your cloud provider keep track of failed server instances and how long does it take them to respond, fix, and notify you of this outage?

Some providers offer more in terms of monitoring of their virtual servers. For example, Amazon has its CloudWatch service that can monitor and report on particular events in your cloud environment such as CPU demand and network traffic.

For the most part, you are on your own to keep track of what your collection of virtual servers is doing. The Terremark service at least shows on its main portal page a history of all actions that you have recently taken in terms of powering up and down servers adding services and creating servers to your account. "Understand what kinds of support are possible in the cloud. If you are not monitoring the performance by your own staff, you may want your service provider to do that," says Savvis' Doerr.

Amazon's CloudWatch can tell you about resource usage, CPU demand and network traffic within your cloud environment.

10. Do you have a fast enough Internet pipeline to support your cloud-based applications?

Any cloud-based installation is going to be adding traffic across your Internet connection, so it is important to ensure that you have purchased enough bandwidth and it can handle the peak loads when your cloud applications will be sending data to your own network. It really isn't about the raw bits per second, whether you have a T-1 or an OC-3, but the actual latency that it takes your packets to transit the Internet to get from the cloud to your office network. For example, if you have lots of network hops, that adds latency to the connection and that means you are going to wait and wait while your browser opens up a server. Particularly if you are navigating full-screen hi-res desktop windows remotely, you could be watching a lot of screen refreshes and it could be painful or almost unusable to remotely control your cloud-based VMs.

Bottom line: You should instrument your Internet connection or have your provider ensure that you aren't running into any bottlenecks as you expand your cloud presence.

11. Are there any fine-grained access controls to your cloud resources, or does every user have access to all of the running virtual servers?

One place that the cloud vendors are still playing catch up to the mainframe computing world has to do with security policies and access controls. In many cases, access is an all-or-nothing proposition, meaning that once a user authenticates to the cloud, they have the freedom to do a lot of unintentional damage to start and stop a virtual server or make other mayhem inside the entire cloud environment.

Some cloud providers are better about this than others, and allow virtual networks within a particular environment or other means of segregated access for individual users. There are also third-party security tools, such as Hytrust's Appliance for VMware and Reflex Systems vTrust. Both of these allow more granularity so that users can run the applications on a virtual server but not reconfigure or turn off the server itself.

Hytrust's appliance allows you to set policy rules, so that individual users can't move, stop or otherwise alter a particular running VM.

12. Are your Web applications protected automatically by something the provider does or do you have to supply various firewalls and security appliances in the cloud yourself?

Certainly, the least secure aspect of any cloud deployment is in its Web applications and how they are connected to the rest of the cloud-based infrastructure. The challenge is being able to virtualize as many of your protective devices as you have for your on-premises servers, such as load balancers, intrusion prevention appliances, firewalls, and other gear. The major cloud providers are beginning to add these tools to their list of services so that IT developers can migrate their applications over to the cloud and still maintain the level of security that they have come to expect with the ones running inside their own data centers. Most of the cloud providers allow you to create your own firewall rule sets for your servers to protect them from inappropriate traffic. And there are companies such as Vyatta.com that specialize in providing virtual firewall protection to cloud-based resources.

For example, Amazon's cloud-based servers can't send spoofed network traffic, no matter which operating system they are running. The Amazon firewalls will only allow traffic using its own source IP or MAC network address, which is a nice safeguard.

VMware has only recently added a level of security to its vSphere line of products. Its vShield Zones product includes a hypervisor-based firewall to enforce network and port connections on each virtual server, and set up a full collection of policies and firewall rules within the virtual environment. Most cloud providers can set up firewall rule sets by port and protocol for each virtual server, as you can see in this screenshot for Terremark's service. But that only protects each virtual server from bad-behaving applications.

Terremark can set up specific security rules, similar to most firewalls, to enable or disable access to particular ports and protocols.

As you can see, there are many questions that you need to ask your cloud computing provider, and hopefully with these 12 you are off to a great start in your new virtual environment.