You’ll likely encounter vendors using the same labels for similar yet different solutions. Some of these products don’t really compete and are not interchangeable. So unless you’re aware of this polysemy, it will be very hard to navigate the vendor landscape. This whole phenomenon results from new developments that vendors try to productize and market, but they do so in isolation and are expectedly biased toward their own vision.
The polysemantic technologies that I’m describing in this post are:
Cloud Networking
Edge Cloud and Cloud Edge
Distributed Firewall
I would start this by giving you a short definition for each of those, but the whole problem is that they have multiple definitions, so I’ll attempt to explain all of them.
Cloud Networking
I’ve found five types of products that are advertised as Cloud Networking solutions. None of them are wrongly labeled because they all deal with connectivity for outsourced infrastructure services. These are:
Networking in and across clouds: You may hear this type of solution reduced down to “VPCaaS” (virtual private cloud as a service), as their original scope was to orchestrate public cloud-native networking functions across clouds. This is so organizations do not have to deal with AWS networking and Azure networking separately. These products have evolved way beyond the original scope, but their main focus is still to provide a single interface for managing networking across different public clouds. Example vendors include Aviatrix, Prosimo, Alkira, and F5.
Networking in the data center and in the cloud: Cisco, Arista, Juniper, and VMware (by Broadcom) are incumbents in data center networks. They’ve virtualized some of their appliances, which can now be deployed in the cloud to extend the management plane to cover both on-premises data centers and public cloud environments. More complex solutions than the ones above, but can also be more granular.
Networking between clouds, but not in clouds: You’ll encounter these solutions from network-as-a-service vendors (NaaS), who use their private backbones to connect on-premises environments to clouds, but they do not orchestrate the networking constructs inside any environment. Some examples are Aryaka, Packetfabric, Perimeter 81 (acquired by CheckPoint), and Graphiant.
Networking native to the cloud: organizations consume software-defined services in the cloud, and part of that software-defined infrastructure are container networking interfaces (CNI). Isovalent’s (acquired by Cisco) open-source CNI, Cilium, is widely used as the native CNI for some public cloud services. So, when Isovalent says cloud (native) networking, their enterprise-grade version of Cilium does the networking for containers and Kubernetes hosted in public clouds, among other things. It can also be used on-prem, but that’s so 2000 and late.
Professional services for networking in the cloud: easiest one to explain - these are professional services that likely use one or more technologies from those named above to help organizations define their networks. Vendor examples include Kyndryl, Epsilontel, Orange Business Services, and others.
Edge Cloud and Cloud Edge
Terrible product titles! But I can make sense of them as follows:
Cloud means outsourced infrastructure services.
Edge technically means the topological edge of the network. What network? We don’t know, which is why edge has multiple definitions, including far edge and near edge. I generally describe something as being edge if it supports <20ms roundtrip latency, which is not a perfect definition, but it will include the products below.
So, Edge Cloud or Cloud Edge are outsourced infrastructure services within 20ms of the end-user. Two vendors that meet this exact definition are Fastly and Zadara. You likely heard about Fastly, and you know they’re a CDN. But people think CDNs are not cool anymore (even though they are), so Fastly is now also an Edge Cloud Platform, as is Zadara.
But while these two are consumed as-a-service, other Edge Clouds will be deployed on your premises. GCP’s Distributed Cloud Edge is a fully managed hardware and software product that runs applications at the edge. Lumen’s Edge Private Cloud is the same thing, but without the whole set of hyperscaler services that Google has.
Between Fastly-Zadara and GCP-Lumen, you can tell that the former are far edge, and the latter are near edge, but both of them meet the <20ms threshold, which makes this taxonomy exercise a bit easier.
We’re only dealing with product names here, but also note there are dozens of other vendors that have the same offerings as the ones above, they just name it differently.
We’ve also got HPE’s Edge-to-Cloud platform. While the offering itself is more difficult to understand, the gist of it is ‘unified management from edge to cloud’. It’s also worth noting that this product has nothing in common with the previous ones, but the name is more intuitive.
I thought this would be all, but I’ve also found ngrok’s Edge Cloud product. I really wish I could explain it, but the only thing I can tell is that it somehow brings security, scalability, and observability to apps with no code changes. 🤔
In case this Edge Cloud spiel isn’t confusing enough, we’ve got a lot of vendors that want better SEO rankings for Edge Cloud. So, here are a bunch of different explanations courtesy of: VMware, Hitachi Ventara, Rakuten Symphony, Intel, Dell, Adtran, and Ciena.
Distributed Firewall
Distributed firewalls are a thing (because they have a Wikipedia page). But let me reiterate the premise of this post - technologies that have the same name but don’t compete and are not interchangeable.
I’ve got three Distributed Firewall products:
VMware’s NSX Distributed Firewall: A firewall capability built into the VMware hypervisor that filters ingress and egress traffic to virtual machines running on top.
Aviatrix’s Distributed Firewall: This is the second time Aviatrix is mentioned in this article through no fault of their own. Their product names make sense, and they are a reference vendor for cloud networking. Their Distributed Firewall is an agentless method of filtering traffic and creating segments in the cloud, with the firewall service embedded into the native cloud infrastructure.
HPE Aruba’s CX 10000 Switch: It provides a distributed stateful firewall for east-west traffic. It’s a networking appliance that you install at the top of a server rack in the data center to switch traffic, and it can also filter traffic at layer 4 and enforce segmentation policies between different racks (in a leaf-spine architecture).
While HPE does not have Distributed Firewall in the name, it follows the same architecture concept as VMware’s and Aviatrix’s - enforcing traffic policies at multiple points in the network rather than doing it with a single appliance at the perimeter.
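To make the architectural difference concrete, here is a small added model (my own illustration, not code from this post or from any of the vendors named above). It contrasts a single perimeter appliance, which only evaluates traffic that crosses the perimeter, with a distributed firewall that evaluates every flow at the workload's attachment point, whether that point is a hypervisor, the cloud fabric, or a top-of-rack switch. The hosts, zones, ports and policy are all constructed for the example.

```python
# Added example (not from the original post): a toy model contrasting a single
# perimeter firewall with a distributed (per-host) firewall. All hosts, zones,
# flows and rules below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str    # source host name
    dst: str    # destination host name
    dport: int  # destination TCP port


# Constructed topology: three internal workloads plus "the internet".
INTERNAL = {"web", "app", "db"}
ZONE = {"web": "dmz", "app": "app", "db": "data", "internet": "external"}

# Constructed segmentation policy: (src zone, dst zone, dst port) tuples that
# are allowed; anything else is denied wherever the policy is enforced.
POLICY = {
    ("external", "dmz", 443),
    ("dmz", "app", 8080),
    ("app", "data", 5432),
}


def policy_allows(flow: Flow) -> bool:
    return (ZONE[flow.src], ZONE[flow.dst], flow.dport) in POLICY


def perimeter_firewall(flow: Flow) -> str:
    """One appliance at the edge of the network: it only sees traffic that
    crosses the perimeter. East-west flows between internal hosts never
    traverse it, so they are forwarded without any policy check."""
    crosses_perimeter = (flow.src in INTERNAL) != (flow.dst in INTERNAL)
    if not crosses_perimeter:
        return "forwarded-unfiltered"
    return "allowed" if policy_allows(flow) else "denied"


def distributed_firewall(flow: Flow) -> str:
    """Policy enforced at every workload's attachment point (hypervisor,
    cloud fabric or top-of-rack switch), so every flow, including east-west
    traffic, is evaluated against the same policy."""
    return "allowed" if policy_allows(flow) else "denied"


def compare(flows):
    """Return {flow: (perimeter verdict, distributed verdict)} for each flow."""
    return {f: (perimeter_firewall(f), distributed_firewall(f)) for f in flows}


# Constructed sample traffic.
SAMPLE_FLOWS = [
    Flow("internet", "web", 443),   # legitimate north-south request
    Flow("internet", "db", 5432),   # both models deny this at the edge
    Flow("web", "app", 8080),       # legitimate east-west flow
    Flow("web", "db", 5432),        # east-west flow the policy forbids; a
                                    # perimeter appliance never sees it
]

if __name__ == "__main__":
    for flow, (perim, dist) in compare(SAMPLE_FLOWS).items():
        print(f"{flow.src:>8} -> {flow.dst:<8}:{flow.dport:<5} "
              f"perimeter={perim:<20} distributed={dist}")
```

The last sample flow is the one that matters: the web tier talking straight to the database is forbidden by the segmentation policy, but a perimeter-only design returns "forwarded-unfiltered" for it because the traffic never reaches the appliance, while the distributed model denies it. That gap in east-west coverage is the reason all three products above push enforcement out to many points.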
TL;DR: Technology is hard. Everyone knows that. In today’s ever-changing world, organizations face architectural challenges exacerbated by inconsistent nomenclature.
One of my biggest pet peeves in our industry currently, and you elucidated the concept along with some specific examples far better than I have so far!
Thanks for your help! Your knowledge is much appreciated