Cloud networking software enables data transmission within and between clouds by deploying and orchestrating virtual networking functions. Cloud networking is entirely software driven, with each virtual function playing a role in defining how various cloud entities communicate at a logical level, and enabling connectivity between different data centers and cloud providers.
Cloud networking solutions use the native networking capabilities from each cloud provider, orchestrating them from a central management solution. Additionally, cloud networking vendors can provide specialized functions such as gateways, exchange points, or routers with more features compared to the native counterparts offered by the cloud providers.
With these capabilities, cloud networking vendors address everyday networking-specific challenges—such as network design, deployment, management, and security—but with a cloud twist. Network segmentation now must span multiple distributed environments, monitoring and observability tools will have larger and more complex networks to understand, optimization should include cloud-to-cloud intelligence, and even routing brings in new networking functions such as transit gateways.
The best way of addressing all these challenges is to abstract all networking constructs and present them in a single orchestration solution that can handle multiple types of infrastructure and provision networking instances with minimal configuration. This consolidated view turns cloud networking from an overwhelming problem into a routine activity. Connecting another public cloud environment should feel like just another instance to connect rather than a whole architecture overhaul.
At this higher level of abstraction, service-to-service connectivity and content-aware traffic processing are two of the most important use cases that cloud networking solutions need to address. Rather than having the networks team handle constructs at Layers 3 and 4, a cloud networking solution can automatically provision Layer 3 and 4 instances, allowing the DevOps teams to work exclusively at Layer 7 and focus on content-aware, service-to-service connectivity.
With this type of capability at the development teams’ fingertips, applications are no longer bound to a single region or provider, and use cases can expand to multicloud, hybrid cloud, and edge locations. Cloud networking also reduces the amount of vendor-specific knowledge required to interconnect environments by offering a unified and consistent management interface. Rather than adopting an unsophisticated “connecting multiple environments” approach, we can reframe cloud networking as one of the core enablers of developing and maintaining cutting-edge applications using all the available types of infrastructure.
This GigaOm Radar report highlights key cloud networking vendors and equips IT decision-makers with the information needed to select the best fit for their business and use case requirements. In the corresponding GigaOm report “Key Criteria for Evaluating Cloud Networking Solutions,” we describe in more detail the capabilities and metrics that are used to evaluate vendors in this market.
How to Read this Report
This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:
Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.
GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.
Solution Profile: An in-depth vendor analysis that builds on the framework developed in the Key Criteria and Radar reports to assess a company’s engagement within a technology sector. This analysis includes forward-looking guidance around both strategy and product.
2. Architecture Models and Deployment
To better understand the market and vendor positioning, we assess how well these cloud networking solutions can support different cloud architecture models (Table 1) and deployment models for network appliances and management platforms (Table 2).
For this report, we recognize the following five architecture models.
- Cloud as enterprise network backbone: Cloud networking solutions can connect branch offices or other locations without traversing the public internet by using private circuits into the cloud providers, such as AWS Direct Connect or Azure ExpressRoute. This approach can lower branch-to-branch connectivity costs because all communication runs over the providers' private backbones. Note that a private circuit keeps traffic off the internet but does not by itself encrypt it; encrypting the traffic (for example, IPsec over the circuit) remains a separate control.
- Multicloud networking (multiple public clouds): These solutions support communications across multiple public clouds, including leading vendors such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform. The solution can help users to interconnect these platforms seamlessly and provide end-to-end visibility. Pure multicloud environments are typically found in light and agile companies, such as start-ups or scale-ups.
- Hybrid cloud networking (different types of clouds): This refers to cloud implementations that include multiple models, mixing and matching among on-premises infrastructure, colocation environments, managed hosting, private clouds, and public clouds. These architectures are typically found in large enterprises with legacy equipment that undergo cloud migration projects.
- Edge networking: As an emerging area, edge networking refers to the resources located at the topological edge of the network. With distributed locations, edge infrastructure needs to be managed as a single construct in terms of networking while also considering the different services that edge points may be running based on their location. To ensure service consistency, edge and core cloud computing infrastructure should be configured and treated as a unified networking construct.
- Container networking: Because containers are ephemeral, container networking is a different challenge from networking other kinds of compute infrastructure. Containers can be deployed in any computing environment (physical or virtual), and the challenge is to let them communicate within a pod, between pods on the same infrastructure, and with the world outside the cluster. Three mechanisms handle this: 1) a Container Network Interface (CNI) plug-in provides pod networking and pod-to-pod connectivity; 2) an ingress controller exposes services to traffic arriving from outside the cluster; and 3) a service mesh manages service-to-service communication.
Table 1. Vendor Positioning: Architecture Models
Columns: Cloud-as-Enterprise Network Backbone | Multicloud Networking | Hybrid Cloud Networking | Edge Networking | Container Networking
Rating legend: Exceptional (outstanding focus and execution); Capable (good but with room for improvement); Limited (lacking in execution and use cases); Not applicable or absent.
For the cloud networking sector, we recognize the following deployment models for networking appliances and management platforms.
For networking appliances:
- Physical appliance: These are integrated hardware appliances such as routers. They can be deployed on customer premises or in colocation environments to support connectivity to cloud resources.
- Virtual appliance: These are images that run within virtual machines (VMs) or containerized environments.
- Public cloud image: These are used to provision appliances directly from a public cloud provider marketplace, and they run within the cloud environment.
- Software: These appliances can be installed and run from any compatible operating system.
- SaaS: The functionality of the appliance is delivered as a service, deployed and managed by the cloud networking vendor.
For management platforms:
- Physical appliance: The platform can be run on dedicated hardware provided by the vendor.
- Virtual appliance: The platform can be run from a VM or container.
- Public cloud image: The platform is available from public cloud marketplaces and runs within the public cloud environment.
- Software: The platform can be installed on top of compatible operating systems.
- SaaS: The platform is delivered via a web portal and is deployed and managed by the vendor.
Table 2. Vendor Positioning: Deployment Model for Networking Appliances and Management Platform
Networking appliance columns: Physical Appliance | Virtual Appliance | Public Cloud Image | Software | SaaS
Management platform columns: Physical Appliance | Virtual Appliance | Public Cloud Image | Software | SaaS
Rating legend: Exceptional (outstanding focus and execution); Capable (good but with room for improvement); Limited (lacking in execution and use cases); Not applicable or absent.
3. Key Criteria Comparison
Building on the findings from the GigaOm report, “Key Criteria for Evaluating Cloud Networking Solutions,” Table 3 summarizes how each vendor included in this research performs in the areas we consider differentiating and critical in this sector. Table 4 follows this summary with insight into each product’s evaluation metrics—the top-line characteristics that define the impact each will have on the organization.
The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the market landscape, and gauge the potential impact on the business.
Table 3. Key Criteria Comparison
Columns: Secure Traffic & Segmentation | Observability | Troubleshooting & Diagnostics | Optimization & Autoscaling | Declarative & Intent-Based Networking | Service-to-Service Connectivity | Content-Aware Traffic Processing | Solution Management
Rating legend: Exceptional (outstanding focus and execution); Capable (good but with room for improvement); Limited (lacking in execution and use cases); Not applicable or absent.
Table 4. Evaluation Metrics Comparison
Columns: Partner Ecosystem | Pricing, TCO & ROI | E2E Networking | Performance Assurance | Ease of Use | DevOps Suitability
Rating legend: Exceptional (outstanding focus and execution); Capable (good but with room for improvement); Limited (lacking in execution and use cases); Not applicable or absent.
By combining the information provided in the tables above, the reader can develop a clear understanding of the technical solutions available in the market.
4. GigaOm Radar
This report synthesizes the analysis of key criteria and their impact on evaluation metrics to inform the GigaOm Radar graphic in Figure 1. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and feature sets.
The GigaOm Radar plots vendor solutions across a series of concentric rings, with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation, and Feature Play versus Platform Play—while providing an arrow that projects each solution’s evolution over the coming 12 to 18 months.
Figure 1. GigaOm Radar for Cloud Networking
As you can see in the Radar chart in Figure 1, most vendors are positioned in the Platform Play half of the graphic, with a few exceptions.
Cloudify and Cohesive Networks fall in the Maturity/Feature Play quadrant, with Cloudify offering a DevOps-focused solution highly devoted to networking, and Cohesive Networks' main solution concentrating on network virtualization and topology control.
Prosimo's initial Layer 7 approach placed it in the Innovation/Feature Play quadrant, though it is moving quickly toward the Platform Play side as the vendor introduces Layer 3 and 4 capabilities. Isovalent's Cilium shares the same quadrant, having expanded its initial container networking scope to hybrid and multicloud use cases.
The usual household names in networking—Arista, Cisco, Juniper, and VMware—are positioned in the Maturity/Platform Play quadrant. All these players have comprehensive networking portfolios and have expanded their existing products to include cloud networking capabilities.
Newer entrants in the space that focus specifically on cloud and multicloud networking are found in the Innovation/Platform Play quadrant. All of these vendors—Alkira, Arrcus, Aviatrix, and F5—deliver cloud networking capabilities from unique positions, which we will explore in the next section.
Inside the GigaOm Radar
The GigaOm Radar weighs each vendor’s execution, roadmap, and ability to innovate to plot solutions along two axes, each set as opposing pairs. On the Y axis, Maturity recognizes solution stability, strength of ecosystem, and a conservative stance, while Innovation highlights technical innovation and a more aggressive approach. On the X axis, Feature Play connotes a narrow focus on niche or cutting-edge functionality, while Platform Play displays a broader platform focus and commitment to a comprehensive feature set.
The closer to center a solution sits, the better its execution and value, with top performers occupying the inner Leaders circle. The centermost circle is almost always empty, reserved for highly mature and consolidated markets that lack space for further innovation.
The GigaOm Radar offers a forward-looking assessment, plotting the current and projected position of each solution over a 12- to 18-month window. Arrows indicate travel based on strategy and pace of innovation, with vendors designated as Forward Movers, Fast Movers, or Outperformers based on their rate of progression.
Note that the Radar excludes vendor market share as a metric. The focus is on forward-looking analysis that emphasizes the value of innovation and differentiation over incumbent market position.
5. Vendor Insights
Alkira delivers a cloud network as a service (NaaS) platform with on-premises, hybrid, and multicloud connectivity, integrated security services, and monitoring and governance capabilities. At the core of the Alkira solution is the Alkira Cloud Services Exchange (CSX), which consists of a cloud backbone of globally interconnected Alkira Cloud Exchange Points (CXPs), virtual multicloud points of presence (PoPs) powered by a full routing stack, and network services. CXPs deliver symmetric traffic steering for stateful network services and optimal routing to the cloud with no data center backhaul, and it can establish a global backbone network connecting multiple public clouds.
The Alkira CSX Portal offers a comprehensive graphical interface for design, provisioning, and Day 2 activities. It enables organizations to insert network services, such as stateful firewalls, into the Alkira CSX and leverage Alkira intent-based policies to steer the desired traffic between single or multicloud environments to the auto-scalable network services nodes.
Alkira CSX automatically discovers public cloud instances based on the cloud credentials provided by the administrator. Upon discovery, users can select which cloud instances need to be connected to the Alkira CSX, and the solution provisions the network. Afterward, the CSX automatically distributes the required network reachability, so all public cloud instances can begin communicating with each other. The solution also enables connectivity by using a similar process for home offices, branches, campuses, data centers, and colocation facilities. Alkira’s application programming interface (API) and integration with infrastructure as code (IaC) tools such as Terraform enable DevOps-friendly network automation.
Alkira CSX offers network segmentation capabilities that allow grouping of remote users, on-premises sites, public cloud instances, network services, and internet exit points into specific network connectivity segments. These capabilities apply equally to single cloud and multicloud environments. Alkira also offers selective cross-segment communication with firewall service insertion to support various shared application services use cases related to mergers, acquisitions, divestitures, and partner network connectivity. Furthermore, Alkira’s microsegmentation capabilities allow subdividing segments even further for even more granular security policy controls.
Strengths: Besides its strong capabilities for secure traffic and segmentation, observability, optimization and autoscaling, and solution management, Alkira’s fully as-a-service deployment model for both the networking appliances and management platform differentiates it from other vendors in this report.
Challenges: Alkira’s as-a-service delivery model may not be suitable for enterprises that require the level of control offered by physical, virtual, or software appliances. The same applies for deployment model requirements for the management platform.
Arista delivers a cloud networking solution via its Cloud Extensible Operating System (CloudEOS) and CloudVision. CloudEOS is Arista’s multicloud and cloud-native networking operating system that enables a secure and reliable networking experience. To provide a scalable and automated network experience, CloudEOS integrates with Arista CloudVision, a multidomain network management solution built on the principles of telemetry, analytics, and automation.
CloudVision provides a consistent operational model across domains to simplify network operations with a single orchestration tool. It has integrated machine learning (ML) technologies that can help with use cases such as alert definitions, based on dynamically learned deviations from a reachability or latency baseline, as well as monitoring resource utilization trends and associated telemetry to make predictive assessments.
Arista enables multicloud path optimization through dynamic path selection (DPS), which responds to changing network conditions, prioritizes production traffic over non-critical traffic, and keeps networking policy under the operator's control. To achieve this, CloudEOS instances auto-discover the available paths to one another and automatically establish IPsec data-plane encryption between them. For optimized forwarding, CloudEOS measures delay, latency, loss, and bandwidth for each candidate path and applies those measurements in real time to decide which path to use.
CloudEOS integrates with tools such as Terraform, Ansible, Puppet, and Chef and supports streaming receiver solutions like the ELK stack and Prometheus. This integration and support enable CloudEOS users to declaratively provision and configure public cloud environments.
For observability, CloudVision’s multicloud dashboard allows customers to monitor cloud constructs like AWS VPCs, transit gateways, Azure VNets, and network performance metrics such as latency, jitter, packet loss, and bandwidth between and across multiple cloud providers. In CloudVision’s topology view, customers can visualize the cloud deployments to understand how networks are interconnected, what segment specific resources belong to, and what traffic is transiting the network.
Arista does not offer Layer 7 functions, such as content-aware load balancers, as part of its cloud networking solutions. Similarly, the vendor does not facilitate service-to-service communication or a visual drag-and-drop network builder.
Strengths: Arista offers a comprehensive cloud networking solution that differentiates itself from others with its ML-based troubleshooting capabilities. It also has a strong focus on network optimization and operations.
Challenges: Arista could improve its cloud networking capabilities by providing a drag-and-drop network builder and additional application-aware and Layer 7 functions.
The Arrcus flexible multicloud networking (FlexMCN) solution delivers a scalable edge, hybrid, and multicloud network overlay that helps enterprises and telcos extend their on-premises data center network fabric to the edge and multicloud. FlexMCN supports multitenancy with role-based access control (RBAC), allowing cloud service providers (CSPs), colocation providers, and telcos to offer multicloud connectivity as a managed service.
FlexMCN is composed of ArcOS, ArcOrchestrator, and ArcEdge, all complemented by ArcIQ. ArcOS is a microservices-based network operating system that can handle cloud workloads, offering a multiprocess, multithreaded architectural design that enables independent scheduling of processes, fast convergence, and high scalability. ArcOS also powers ArcEdge, which is the secure control and data plane element of FlexMCN. ArcOrchestrator is the software-defined networking (SDN) controller that deploys the ArcEdge overlay fabric across customers' cloud virtual networks and their data centers.
ArcOrchestrator and ArcEdge can be deployed anywhere: on-premises, in private or public clouds (including AWS and Azure), or at a colocation provider. ArcEdge can also be deployed as a VM or a Docker container in on-premises or cloud environments.
ArcIQ is a deep visibility analytics platform offering predictive analytics and actionable insights. It provides network-wide visibility over network traffic, including RPKI-based Route Origin Validation (ROV), which checks each received route's origin AS against cryptographically signed Route Origin Authorizations (ROAs) so that announcements from an unauthorized origin can be rejected before they are injected into the customer's network. Users can configure network traffic thresholds and alerts so that network operations teams receive notifications in near real time. Further, ArcIQ integrates easily with third-party tools such as PagerDuty and ServiceNow.
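To make concrete what route origin validation actually decides, here is an added example of the RFC 6811 origin-validation logic as a standalone check, with a drop-Invalid policy applied over a set of received announcements. This is not ArcIQ's or Arrcus' code; the ROAs and announcements are constructed sample data built from documentation prefixes and reserved ASNs, standing in for what a validator would feed a router.

```python
"""RFC 6811 route origin validation (ROV) as a standalone check.

Added example; not Arrcus/ArcIQ code. ROAs and announcements are constructed
from RFC 5737/3849 documentation prefixes and RFC 5398 reserved ASNs.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # address space the ROA covers
    max_length: int   # longest prefix length the origin may announce from it
    origin_asn: int   # AS authorized to originate; 0 means "nobody"


# Constructed sample ROAs (in practice these come from RPKI validator output).
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 26, 64497),   # maxLength also permits /25 and /26
    ROA("203.0.113.0/24", 24, 0),        # AS0 ROA: no AS may originate this space
]

# Constructed announcements as (prefix, origin ASN) pairs, as seen in BGP updates.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),      # legitimate origin
    ("192.0.2.0/25", 64496),      # more specific than maxLength permits
    ("192.0.2.0/24", 64511),      # wrong origin AS (classic hijack pattern)
    ("198.51.100.0/26", 64497),   # within maxLength
    ("198.51.100.0/27", 64497),   # beyond maxLength
    ("203.0.113.0/24", 64498),    # space the AS0 ROA says must not be routed
    ("2001:db8::/32", 64499),     # no covering ROA at all
]


def validate(roas, prefix, origin_asn):
    """Return 'Valid', 'Invalid' or 'NotFound' per RFC 6811 section 2."""
    net = ipaddress.ip_network(prefix, strict=True)
    # A ROA "covers" the announcement when the announced prefix lies within
    # the ROA prefix; maxLength is deliberately ignored at this step.
    covering = [
        r for r in roas
        if ipaddress.ip_network(r.prefix).version == net.version
        and net.subnet_of(ipaddress.ip_network(r.prefix))
    ]
    if not covering:
        return "NotFound"
    # A single matching ROA (right origin, length within maxLength) suffices.
    for r in covering:
        if r.origin_asn == origin_asn and net.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"


def apply_rov_policy(roas, announcements):
    """Split announcements into (accepted, rejected) lists of (prefix, asn, state).

    Policy: drop Invalid; accept Valid and NotFound. NotFound is accepted
    because ROA coverage of the Internet is incomplete, so rejecting it
    would blackhole legitimate but unsigned prefixes.
    """
    accepted, rejected = [], []
    for prefix, asn in announcements:
        state = validate(roas, prefix, asn)
        (rejected if state == "Invalid" else accepted).append((prefix, asn, state))
    return accepted, rejected


if __name__ == "__main__":
    ok, dropped = apply_rov_policy(ROAS, SAMPLE_ANNOUNCEMENTS)
    for entry in ok:
        print("accept", *entry)
    for entry in dropped:
        print("reject", *entry)
```

Two caveats worth keeping in mind when evaluating any ROV feature: it checks only the origin AS, so an attacker who forges an AS path ending in the legitimate origin still produces a Valid result (path validation is a separate problem), and a ROA whose maxLength is looser than what the holder actually announces widens the set of more-specific announcements that would validate if such a forged path were used.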
Arrcus’ cloud networking solution enables enterprises to connect multiple clouds and on-premises resources using a graphical user interface (GUI), a command-line interface (CLI), and an open API, scoring well on the solution management key criterion.
The FlexMCN solution supports Terraform and Ansible integrations and offers a complete REST API framework. ArcOrchestrator integrates with a Kubernetes orchestration solution as a controller to deploy and manage ArcEdge in the cloud and on-premises. Users can leverage common templates to provision changes across all network layers, from routing updates to network access policy and application connectivity.
The vendor ranks lower on application-aware infrastructure, as the solution is not currently supporting Layer 7 load balancers or offering application-to-application connectivity across environments.
Strengths: Arrcus enables cloud networking across different environments with an intuitive GUI and by integrating with IaC tools for automated network provisioning.
Challenges: Arrcus’ offerings could be improved by adding application-aware features, such as application discovery, app-to-app connectivity, and content-aware load balancing.
Aviatrix is a household name in the multicloud networking space, with a comprehensive solution that ranks high on various criteria described in this report, including secure traffic and segmentation, observability, optimization and autoscaling, and solution management. With this platform, organizations can leverage a consistent deployment and operating model across enterprise multicloud networks, eliminating the need to use tools and services specific to individual CSPs.
For observability, Aviatrix offers CoPilot, a cloud monitoring solution that provides a global operational view of multicloud networks. CoPilot has comprehensive capabilities that support Day 2 activities for the NetOps and DevOps teams, with features such as dynamic topology mapping, analysis of global network traffic flows using FlowIQ, and global heat maps and time series trend charts that can help pinpoint and troubleshoot traffic anomalies. Aviatrix CoPilot also provides visibility into security services, offering end-to-end features such as resource tagging, resource clustering, infrastructure monitoring, and alerting, all purpose-built for multicloud operations.
The Aviatrix Centralized Controller is the main interface for the solution, a browser-based GUI that provides a visual method for configuring and deploying cloud-native networking constructs and advanced services from Aviatrix across multiple clouds.
The solution is integrated with Terraform, enabling network and security IaC automation across a multicloud environment. A key feature of Aviatrix’s integration with Terraform is its ability to export existing configurations as a populated Terraform file, giving the DevOps and NetOps teams the best of both worlds: a visual builder and code-based scalability. Aviatrix further supports DevOps processes using change and revision control by providing fully documented REST APIs.
For security, Aviatrix supports multicloud segmentation, which extends secure network segmentation beyond cloud boundaries, enabling multicloud security domains with consistent, centrally managed global network segmentation and connection policies. Moreover, the solution also enables customers to centrally manage and define security intent using security services and techniques such as distributed firewalling, microsegmentation, threat detection, and distributed egress filtering.
Aviatrix Gateways are an advanced networking and security service. They can be deployed to deliver transit network and security services such as intelligent dynamic routing, active-active network configurations, end-to-end and high-performance encryption, and the collection of operational visibility data. Aviatrix Gateways can also be deployed to provide distributed filtering services or to replace native-cloud provider network address translation (NAT) gateways.
Strengths: Aviatrix offers strong multicloud networking and security capabilities that enable enterprises to design, configure, and operate cloud networks easily across multiple environments.
Challenges: While Aviatrix supports Layer 7 security services such as intrusion detection and prevention services (IDS and IPS), the solution does not currently offer Layer 7 traffic routing and policy definitions.
Cisco’s networking solutions are present in almost all networks, so it is unsurprising that the vendor would expand its capabilities to cloud networking. Cisco can deliver multicloud and hybrid cloud connectivity as follows:
- For multicloud networking, Cisco offers a tightly integrated solution made up of Cisco Cloud Network Controller (previously Cisco Cloud APIC), Cisco Nexus Dashboard Orchestrator, and Cisco Catalyst 8000v.
- For hybrid cloud connectivity, Cisco provides on-premises switching, network policy, and configuration using Cisco Nexus 9000 Series Leaf and Spine switches, Application Policy Infrastructure Controller (APIC), and Nexus Dashboard Fabric Controller (NDFC).
For cloud networking configuration, Cisco's Cloud Network Controller (CCNC) solution can capture intents and translate them into native policy constructs for applications deployed across various cloud environments. It translates policies into cloud-native constructs using public APIs to create a single, consistent policy abstraction across multiple on-premises and public cloud instances.
The Cisco Cloud Network controller along with the Cisco Nexus Dashboard Orchestrator provide, among other functionalities, automated connectivity for multicloud network environments, operational visibility, Layer 4 to Layer 7 service integration and traffic redirection, consistent security and segmentation on on-premises-to-cloud or cloud-to-cloud networks, and business continuity and disaster recovery.
For service-to-service connectivity, the solution can define the application tiers and provide rules to classify application workloads into various policy groups. Based on the configured policy, the solution automates the connectivity by configuring the necessary route tables and security group rules for application workloads to be able to communicate with each other.
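To show what "classify workloads into policy groups and derive the security group rules" involves, here is an added, vendor-neutral example. It is not Cisco Cloud Network Controller code or its policy model, and the tier names, segments, CIDRs and ports are constructed. It compiles allow-intents between application tiers into per-tier ingress rule sets, defaults every tier to deny, refuses an intent that crosses a segment boundary unless it is steered through a firewall (the selective cross-segment pattern described for Alkira above), and includes a reachability check so the compiled result can be verified before it is pushed to a cloud.

```python
"""Compile tier-to-tier connectivity intent into per-tier ingress rules.

Added, vendor-neutral illustration; not the policy model or code of any
product in this report. Tiers, segments, CIDRs and ports are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Tier:
    name: str
    segment: str
    cidrs: tuple   # address ranges of the workloads classified into this group


@dataclass(frozen=True)
class Intent:
    src: str                     # source tier
    dst: str                     # destination tier
    proto: str
    port: int
    via_firewall: bool = False   # must be True for traffic that crosses segments


class IntentError(ValueError):
    """Raised when an intent cannot be compiled safely; nothing is emitted."""


def compile_intents(tiers, intents):
    """Return {tier name: [ingress rule, ...]}.

    Every tier starts with an empty rule list, so anything not named in an
    intent is denied. Rules are emitted on the destination side only, which
    matches stateful cloud security groups (return traffic is allowed
    implicitly); egress filtering is a separate control.
    """
    by_name = {t.name: t for t in tiers}
    ingress = {t.name: [] for t in tiers}
    for i in intents:
        if i.src not in by_name or i.dst not in by_name:
            raise IntentError(f"intent references an unknown tier: {i.src} -> {i.dst}")
        src, dst = by_name[i.src], by_name[i.dst]
        if src.segment != dst.segment and not i.via_firewall:
            raise IntentError(
                f"cross-segment intent {i.src} ({src.segment}) -> {i.dst} ({dst.segment}) "
                "must be steered through a firewall")
        for cidr in src.cidrs:
            ingress[dst.name].append(
                {"from": cidr, "proto": i.proto, "port": i.port, "inspect": i.via_firewall})
    return ingress


def tier_of(tiers, ip):
    """Resolve an address to the tier whose CIDRs contain it, or None."""
    addr = ipaddress.ip_address(ip)
    for t in tiers:
        if any(addr in ipaddress.ip_network(c) for c in t.cidrs):
            return t
    return None


def is_allowed(tiers, compiled, src_ip, dst_ip, proto, port):
    """Evaluate a flow against the compiled rules; unknown destinations fail closed."""
    dst = tier_of(tiers, dst_ip)
    if dst is None:
        return False
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(r["from"])
               and r["proto"] == proto and r["port"] == port
               for r in compiled[dst.name])


# Constructed sample: a three-tier application in segment "prod" plus a
# partner network in its own segment.
TIERS = (
    Tier("web", "prod", ("10.1.0.0/24",)),
    Tier("app", "prod", ("10.1.1.0/24",)),
    Tier("db", "prod", ("10.1.2.0/24",)),
    Tier("partner", "partner", ("172.16.0.0/24",)),
)
INTENTS = (
    Intent("web", "app", "tcp", 8443),
    Intent("app", "db", "tcp", 5432),
    Intent("partner", "app", "tcp", 8443, via_firewall=True),
)

if __name__ == "__main__":
    for tier, rules in compile_intents(TIERS, INTENTS).items():
        print(tier, rules or "deny all")
```

The reachability check is the part a practitioner should insist on: it proves that web cannot reach db directly even though web reaches app and app reaches db, that is, the compiled rules carry no transitive allow. A real controller additionally has to reconcile these rules against what the cloud provider currently holds and remove stale entries, which is where drift and over-permissive leftovers usually creep in.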
Cisco AppDynamics operates at Layer 7 to discover and map application topology and application performance. Cisco Nexus Dashboard integrates with AppDynamics to map the application and network performance parameters for a holistic view of the networks and applications and to lower the mean time to innocence (MTTI).
Strengths: Cisco’s solutions rank high on key criteria such as secure traffic and segmentation, network optimization and autoscaling, along with APIs and integration with IaC tools.
Challenges: At the time of writing, troubleshooting and diagnostics capabilities are available only for on-premises and colocation deployments, not spanning to hybrid and multicloud. The latter are part of Cisco’s roadmap, however.
Cloudify (acquired by Dell Technologies)
Acquired by Dell Technologies in early 2023, Cloudify’s cloud networking solution enables enterprises to design cloud-native environments or transition to public clouds with the help of automation and DevOps-friendly features. The Cloudify solution consists of a core engine responsible for the lifecycle management of applications and network services, and plug-ins, providing integration points for components such as cloud infrastructure resource units or network monitoring modules.
Cloudify’s end-to-end modular orchestration platform simplifies the automation of complex systems by abstracting applications and networks from the underlying infrastructure. Cloudify can map the desired state into a set of tasks that will allocate the right set of resources needed to fulfill application demands and deliver the best-in-network automation solutions.
The solution ranks high on APIs and IaC integrations, solution management, and DevOps support by allowing users to manage different orchestration and automation domains as part of one common CI/CD pipeline. It provides built-in integration with automation solutions such as Terraform, Ansible, Kubernetes, AWS CloudFormation, and Azure Resource Manager (ARM) templates, while offering real-time code validation and a comprehensive REST API. Users can abstract existing VMware or OpenStack infrastructure with declarative modeling.
Cloudify offers a mature orchestration solution, allowing operations teams to use a canvas-based visual editor and drag-and-drop service composition, leveraging shared resources and components. The solution can track task executions visually and monitor the progress and status of each execution step. It includes support for secret stores, encryption of all internal communication channels, multitenancy, and RBAC.
Cloudify networking solutions enable automated provisioning and management of environments across single cloud, multicloud, hybrid cloud, edge locations, and containers.
Although it caters to DevOps teams with deep integrations, the Cloudify solution does not offer capabilities around secure traffic and segmentation, such as microsegmentation, or around optimization and autoscaling, such as Layer 7 load balancing. For observability, the solution supports monitoring of its own tasks but does not offer visibility into network or application performance.
Strengths: Cloudify excels at packaging cloud networking solutions for DevOps teams with deep integrations and a powerful management solution. The vendor also has a strong focus on edge networking, in addition to multicloud and hybrid cloud models.
Challenges: The biggest shortcoming of Cloudify’s solution is its lack of support for secure traffic and segmentation. In addition, the solution could improve its services with application-aware features such as app-to-app connectivity, Layer 7 services, and more comprehensive Day 2 operation activities.
Cohesive Networks’ VNS3 Network Platform is used to build a network overlay to, through, and across an organization’s cloud infrastructure—integrating with their data centers, carriers, and customers.
VNS3 is an API-driven cloud controller that allows users to define network topology and secure data across public and private clouds. It functions as a virtual router, switch, firewall, protocol redistributor, and SSL/IPsec virtual private network (VPN) concentrator. The network virtualization software creates a customer-controlled overlay network on top of the underlying network backbone.
Each customer gets a fully isolated and encrypted compute subnet. The VNS3 controllers are connected to VNS3:ms, a management console used for alerting, backups, admin access management, and visibility into the network. VNS3:ms enables administrators to control their network’s connectivity, security, and administrative access. With VNS3:ms, administrators have full visibility into the network topology and the ability to manage and automate backups and to architect for high availability.
VNS3:ms stitches together all the component identification information surfaced by the cloud provider into a single page, providing details such as addresses, routes, access control lists (ACLs), and security group rules for the virtual local area network (VLAN) and the instances running in it. Once a controller has been added to a VNS3 topology that is part of a virtual network, clients have visibility into infrastructure health, network topology, controller configurations, peering information, client status, local IPsec tunnels, route tables, and high-availability configurations.
VNS3 offers Terraform and CloudFormation templates, as well as an API for configuring the network in the language of your choice. VNS3 also operates as a network edge plug-in, running any containerized function in path and allowing full customization of network edges. This functionality can support use cases such as edge-hosted intrusion detection, load balancing, and monitoring.
Strengths: VNS3 is a mature solution with great capabilities for edge networking, offering customers virtualized topology management features.
Challenges: VNS3’s capabilities are limited when it comes to troubleshooting and diagnostics, service-to-service connectivity, and content-aware traffic processing.
Following F5’s 2021 acquisition of Volterra, Volterra’s cloud networking solution became part of F5 Distributed Cloud Services, which delivers a comprehensive cloud networking solution via Distributed Cloud Network Connect and Distributed Cloud App Connect. What differentiates F5 from other product-based entrants in the cloud networking space is its global private fiber network backbone and comprehensive set of networking functions, which allow the vendor full control over the performance and delivery of services without dependencies on third parties. F5’s cloud networking solutions provide integrated services from Layer 3 all the way to Layer 7.
Distributed Cloud Network Connect and App Connect rank high on the secure traffic and segmentation key criterion. At ingress, inbound traffic is secured with native distributed denial of service (DDoS) protection, Layer 4 and Layer 7 firewalls, and API protection before the load balancer for each service at Layer 3, Layer 4, or Layer 7 forwards the request. In the workload, microsegmentation policies are either applied automatically via native Kubernetes service discovery, or manually configured for each load balancer service at the origin.
Observability is available at multiple levels of information density, from global site interconnections down to individual flows per microservice, per app. Application endpoints and structure are detected automatically and are displayed on a topological map showing endpoints, interconnections, microservice response times, and API request call stacks through microservices. Application topology is provided by API discovery to map connections among nodes inside the service mesh, including health stats per microservice.
For troubleshooting and diagnostics, F5 Distributed Cloud Services can set up alerts to be triggered by metrics and time series anomaly detection. Anomaly detection for each application uses a baseline of request rate, error rate, latency, and throughput (RELT) to detect spikes or drops, seasonality patterns, and variation from learned seasonality patterns. Network issues can be reduced using redundant connections from every Distributed Cloud Mesh site to the distributed control plane and other Distributed Cloud Mesh sites, which enables self-healing.
The vendor ranks high on the optimization and autoscaling key criterion. Distributed Cloud Mesh performs Layer 7 load balancing for HTTPS as an ingress/egress controller and for REST APIs as an API gateway. Distributed Cloud Mesh nodes are provisioned automatically and are installed on a public cloud, deployed as VMs on a private cloud and data center, or installed on industrial-grade off-the-shelf hardware for the edge.
Strengths: F5 ranks high on most metrics defined in the report, offering a comprehensive cloud networking solution suitable for all the architecture models defined.
Challenges: F5 could improve its user experience further by providing a drag-and-drop service builder for a more intuitive network and security configuration process.
Isovalent Cilium Enterprise is an enterprise distribution of the Cilium open source project, which was initially created by Isovalent and later donated to the Cloud Native Computing Foundation (CNCF). Cilium provides networking, security, and observability for cloud-native environments such as Kubernetes and multicloud networking architectures. It can run natively in any Kubernetes environment, operate as a virtual appliance in the form of a transit gateway, or run in the form of an agent on VMs and servers. Connectivity is provided at both the networking (Layer 3 to Layer 4) and service mesh level (Layer 7).
The solution can establish connectivity between applications, containers, Kubernetes pods, VMs, and bare metal servers using an embedded agent or a network transit gateway. Isovalent Cilium Enterprise offers Layer 7 load balancing and extensive service mesh capabilities. The solution has full Layer 7 observability and can provide service and connectivity maps based on information gathered at Layers 3 through 7.
Cilium can provide identity-based segmentation across public cloud, on-premises, or Kubernetes environments regardless of whether networks are logically connected. Cilium’s network policy enforcement engine implements segmentation and microsegmentation by natively understanding public cloud provider concepts such as security groups and Kubernetes metadata. The policy enforcement layer is able to operate at Layer 3 to Layer 7 and enforces a strong security identity-based layer with optional support for mTLS-based mutual authentication.
For troubleshooting and diagnostics, Isovalent Cilium Enterprise detects a wide range of network degradation events, including packet drops, policy violations, retransmissions, elevated network latency, transmission control protocol (TCP) zero-window events, TCP timeouts, routing loops, and domain name system (DNS) failures, and it continuously delivers this data to application monitoring. The solution can detect various known traffic anomalies such as routing loops, maximum transmission unit (MTU) issues, mismatched encryption keys, and repeated DNS resolution failures. It recovers from failures automatically by recreating data path functionality, re-electing leaders for control plane components, and providing high availability for egress and DNS proxies and gateways.
The solution ranks high on the DevOps suitability evaluation metric, due to integrations with IaC tools and practices such as GitOps, Terraform, and Ansible. CI/CD integrations are typically used to define load balancing, network policy, and egress gateway needs. All routing and networking intent can be defined via YAML or JSON and can be automatically generated or maintained via a CI/CD pipeline. All configuration aspects of Cilium, such as load balancing, network policy, mesh connectivity, egress policies, and virtual routing and forwarding (VRF) configuration, are declarative and intent-based.
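To make the identity-based, Layer 3 to Layer 7 segmentation and the declarative YAML intent described in the two preceding paragraphs concrete, here is a CiliumNetworkPolicy written as an added example for this report; it is not Isovalent’s or the project’s own sample, and the namespace, the app labels, and the /api/v1/ paths are assumed.

```yaml
# Added example (not from the report): identity-based segmentation in Cilium.
# Endpoints are selected by labels (their security identity) rather than by IP
# address, so the intent holds wherever the pods are scheduled. The namespace,
# labels and paths below are assumed for illustration.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: backend-allow-frontend-api
  namespace: shop                 # assumed namespace
spec:
  endpointSelector:
    matchLabels:
      app: backend                # the policy applies to pods carrying this identity
  # Once a policy selects an endpoint, traffic not matched in that direction is
  # denied, so this is both an allow list and the default-deny baseline.
  ingress:
    # Layer 3: only workloads carrying the frontend identity may connect ...
    - fromEndpoints:
        - matchLabels:
            app: frontend
      # Layer 4: ... and only on TCP/8080 ...
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          # Layer 7: ... and only these HTTP methods and paths. Anything else on
          # the port is rejected by the proxy and surfaces as a policy verdict
          # in the troubleshooting views, not as an opaque connection failure.
          rules:
            http:
              - method: "GET"
                path: "/api/v1/.*"
              - method: "POST"
                path: "/api/v1/orders"
  egress:
    # Allow DNS to kube-dns through the DNS proxy so name lookups stay visible
    # to the observability layer; any other egress now needs its own rule.
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s:k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
          rules:
            dns:
              - matchPattern: "*"
```

Because the selectors reference identities instead of addresses, the same manifest can be committed to a Git repository and applied unchanged across clusters or clouds by a CI/CD pipeline, which is the GitOps workflow the paragraph above refers to.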
Strengths: Isovalent’s Cilium Enterprise has an extensive feature set, ranking high on a variety of key criteria, including secure traffic and segmentation, observability, troubleshooting and diagnostics, declarative and intent-based networking (IBN), and service-to-service connectivity.
Challenges: Isovalent’s cloud networking solution could be further improved by developing interactive network interfaces such as drag-and-drop builders. The solution should also expand its capabilities by offering cloud-as-enterprise network backbone architecture models.
A household name in the networking space, Juniper delivers cloud networking capabilities through the newly released Cloud-Native Contrail Networking (CN2), which ranks high on secure traffic and segmentation, observability, and optimization. CN2 is a cloud-native SDN solution that automates the creation and management of virtualized networks to connect, isolate, and secure cloud workloads and services seamlessly across private and public clouds.
CN2 also offers equal-cost multipath (ECMP) load balancing built into the vRouter’s forwarding plane, distributing traffic across endpoints such as virtualized firewalls. In addition, the solution provides an application-layer load-balancing function for content-aware traffic optimization.
CN2 features a cloud-native analytics stack to automate network design, deployment, monitoring, management, and security from a single point of operations. The portal supports RBAC, giving network administrators full access to the tools and resources needed to design, deploy, manage, and monitor network services while providing limited access to other users.
With optional and configurable analytics for monitoring and troubleshooting, CN2 provides enhanced observability with plug-and-play usability for some of the most popular open-source projects, such as Prometheus, InfluxDB, Grafana, Fluentd, and the Elastic Stack, for ease of use, platform flexibility, and low cost.
Juniper ranks high on secure traffic and segmentation. The vRouter forwarding plane brings high-performance routing and microsegmentation into the server. There are several different isolation models, including network policies, custom pod networks, and isolated namespaces. The vRouter has built-in distributed Layer 3 and 4 firewall capabilities that allow users to define simple and abstract security policies between virtual networks, as well as next-generation firewalls (NGFWs) for Layer 7 traffic filtering.
Strengths: Juniper’s Contrail products offer a mature cloud networking solution that delivers good capabilities for secure traffic and segmentation, observability, and network optimization.
Challenges: Juniper could improve its products further by offering a drag-and-drop network builder and application-oriented features such as app discovery and connectivity.
Founded in 2019, Prosimo offers a full-stack cloud networking solution that fulfills multiple use cases. These include interconnectivity of virtual networking constructs, applications, and services, network segmentation and access controls, ML-driven observability, and NetDevOps workflows that reduce operational efforts for deploying across multiple clouds. The vendor ranks high on a wide variety of key criteria, including observability, optimization and autoscaling, APIs and IaC integration, and app-aware infrastructure.
Prosimo provides gateways for customers to deploy within their data centers and colocation facilities. The solution orchestrates network connectivity from the gateways to the Prosimo fabric running in the public cloud network. The main data plane components of the fabric run within the customer’s public cloud environment. The Prosimo management plane uses cloud-native constructs to orchestrate the edge gateways in any region and to secure connections with all edge gateways in the fabric.
The vendor uses ML-driven insights and real-time telemetry to offer topological visualizations, anomaly detection, path analysis, and optimization recommendations to detect and perform root-cause analysis of issues from an end-to-end perspective. Prosimo gathers multicloud telemetry from its global distributed infrastructure spanning multiple public clouds and user locations. This data is used by Prosimo’s ML engine, CIRRUS, which identifies the best path options to ingress clouds and routes within a cloud or across clouds, based on per-app policy definitions. Prosimo users get daily recommendations based on their traffic patterns to adapt their Application eXperience Infrastructure (AXI) footprint dynamically, which improves application performance and reduces cloud costs.
The solution also provides Layer 7 load balancing capabilities natively to spread the traffic across multiple target groups and map application topology based on access, load, and connectivity patterns. Requests can be routed to the right cloud region at a fully qualified domain name (FQDN) or URL level to improve application performance and availability. The AXI platform is built on a scalable Kubernetes-based architecture, which dynamically allocates compute and network resources as required with full orchestration capabilities.
Prosimo maintains a comprehensive API and extensive documentation that lets DevOps teams incorporate the solution’s capabilities via API integration. Out-of-the-box integrations with IaC tools such as Terraform are available for deploying Prosimo’s cloud transit and corresponding policies in existing CI/CD pipelines.
Strengths: With full Layer 3 to Layer 7 capabilities, Prosimo addresses the main challenges around application connectivity within and between clouds, offering a superior user and application experience compared to solutions that use only Layer 3 and 4 functions.
Challenges: The vendor could expand its troubleshooting capabilities further to include automatic self-healing features. It also needs a drag-and-drop network builder, which is currently under development as of early 2023.
VMware boasts an impressive portfolio of networking products to deliver comprehensive cloud networking capabilities. Its solution is composed of VMware NSX, Advanced Load Balancer (ALB), Tanzu Service Mesh (TSM), Tanzu Observability, and vRealize Automation, and it ranks high on most criteria described in this report, such as secure traffic and segmentation, observability, optimization and autoscaling, APIs and IaC integration, and app-aware infrastructure.
VMware’s cloud networking offering provides an end-to-end and fully featured stack from Layer 2 to Layer 7, supported by declarative APIs, integrations with IaC tools, and a low-code path for automation.
VMware NSX is a multicloud network virtualization and security solution that enables virtual cloud networking with a software-defined approach that extends across data centers, clouds, and application frameworks. NSX provides a native analytics engine that uses ML to offer suggestions and recommendations based on correlations between live and historical network traffic flows and compute workload inventory.
NSX also includes an advanced load balancer that provides multicloud load balancing, application analytics, and container ingress services. It identifies virtual services whose performance may degrade under current traffic conditions, autoscales load balancing capacity by spinning up new load balancer instances for the same virtual service, and automatically redistributes traffic.
For observability, Tanzu offers multicloud monitoring suited to DevOps teams, developers, and Kubernetes operators. It supports app discovery and baselining, application topology maps and traffic flows, historical and near real-time metrics, and app-to-infrastructure correlation heatmaps to help discover root causes of application performance issues.
One way VMware’s solution provides secure traffic and segmentation is through the NSX Distributed Firewall and the NSX Gateway Firewall, which together provide a software-only Layer 7 firewall for both network segmentation and microsegmentation of east-west traffic. The NSX Distributed Firewall supports both segmentation types in private, public, and multicloud environments. When operating in a public cloud environment, the customer can use either the NSX Distributed Firewall’s native controls or the segmentation controls provided by the public cloud.
VMware’s extensive capabilities go beyond cloud networking, and that brings an associated complexity. These solutions are typically suited to large enterprises with complex environments that can make appropriate investments and go through long sales cycles. This makes VMware’s solutions less suitable for medium enterprises or single projects.
Strengths: VMware’s cloud networking solutions rank high on most criteria described in this report. The vendor offers extensive capabilities from Layer 2 to Layer 7, enabling enterprises with complex environments to modernize and optimize their infrastructure.
Challenges: With a range of products that have extensive capabilities, VMware’s solutions are complex from a technical, licensing, and pricing perspective.
6. Analyst’s Take
While multicloud networking was not table stakes (a required feature) in this report, it is no surprise that it is one of the most sought-after capabilities. All vendors featured in this report that support hybrid and multicloud networking ensure that both connectivity and their services span the supported environments. This coverage includes visibility, security, and network optimization techniques.
In the previous iteration of the report, we defined one of the most important criteria on which we were seeing different maturity levels as application-aware infrastructure. In this iteration, we have taken a more granular approach, defining as key criteria both service-to-service connectivity—which includes applications and other types of services that run in cloud and on-premises environments—and content-aware traffic processing. And as in the previous report, both small and large vendors have varying capabilities here. Some enable cloud networking using Layer 4 constructs while others deliver Layer 7 services. We expect that there will be additional focus on service performance and health, and this will lead all vendors to pursue delivery of Layer 7 capabilities such as service discovery, monitoring, content-aware load balancing, and traffic filtering.
To support this application-first mentality further, support for DevOps, declarative networking via integrations with IaC tools, and availability of APIs are at the top of most providers’ lists. All vendors featured in the report offer comprehensive APIs and must also include out-of-the-box integrations with Terraform, Ansible, Chef, Salt, and/or similar tools.
Cloud networking solutions have an innate focus on Day 0 and Day 1 activities, enabling users to design and deploy new networks easily. This is achieved with drag-and-drop visual builders, IaC tools, or a setup wizard in the solution’s GUI. For Day 2 (operational) activities, we assessed vendors on their solution’s troubleshooting and diagnostics performance, which varies widely. Vendors with mature capabilities in this area offer ML algorithms for data analysis and predictive maintenance, which can be used to perform self-healing. Vendors with less mature capabilities offer only basic functions, such as setting thresholds that trigger alarms when performance degrades.
With more cloud migrations for enterprise customers coming and more cloud-first companies and services entering the market, we expect the adoption of cloud networking to increase, largely because it enables organizations to take a more agile approach toward their infrastructure. Rather than being limited by physical networking, cloud networking enables developers to access the resources and services offered by all types of infrastructure providers, for on-premises workloads, multiple public clouds, and an increasing number of edge locations. As part of the application development process, developers will be able to spin up (and down) networking resources according to their own requirements, without low-level networking knowledge, creating bespoke infrastructure that best serves the given application.
7. About Andrew Green
Andrew Green is an experienced technologist whose areas of expertise include enterprise IT, fintech, Internet of Things, artificial intelligence, and fixed and mobile connectivity. His engineering experience as an operational support system designer and radio networks optimization engineer helps him assess new technologies from both a technical and a commercial perspective. Currently, he oversees Vodafone’s portfolio of managed IT products targeted at large enterprises. He has also been working as a technical writer and business strategist across the technology industry, helping mid-sized organizations define their propositions, offerings, and market positioning.
8. About GigaOm
GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.
GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.
GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.