Who is allowed to access which data and when? How large must the dimensions of which systems be? And how do IT managers keep an overview? Designing a hybrid cloud infrastructure is a complex challenge. After all, every industry and every company have different requirements and different budgets: "Off-the-shelf solutions don’t exist here and wouldn’t make sense either. What's more, not all companies have in-house specialists who are capable of designing a complex hybrid cloud infrastructure," says Sascha Smets, Senior Product Manager Open Telekom Cloud at T-Systems. "That's why more and more companies are turning to us for our expertise. We help companies design, build and operate these kinds of IT topologies.“

Companies need to balance costs against performance, complexity, security, and latency. The four most common topologies that enterprises can use to design hybrid cloud architectures are: public front, private front, private isolated and cleansheeting.

The public front topology is suitable for companies that on the one hand want to benefit from the scalability and flexible costs of the public cloud, but on the other hand don’t want to give their customers access to their private cloud instance. External requests automatically end up in the public cloud. Requests are only forwarded from there to the private cloud when necessary. Direct access to the private instance is reserved for company employees via a secure connection. And what is the reason for this? The public front topology enables companies to process particularly sensitive data on their own on-premises resources without having to forego the advantages of a scalable public cloud.

They can also use this construct to protect their systems from unexpected traffic peaks. If requests via Internet Protocol (IP) end up in the public cloud, their own network – the private cloud – is spared this traffic. If there are suddenly a lot of requests, these can be easily intercepted in the public cloud using the freely scalable resources available there. As a result, companies only use and pay for exactly as much as they need for their web frontend and backend and at the same time benefit from maximum security and low latency thanks to their own resources in the private cloud. On-premises resources can be reduced to a minimum, keeping overall costs low.

If you are looking for information about things like train connections, transfer times or the current traffic situation, you can get it from the public cloud, because that’s where the web frontends and backends are located. Even in the event of an unexpected number of requests – for example in the event of a rail strike or thunderstorms – the website is able to cope because the resources in the public cloud scale automatically with the demand.

It’s only when someone wants to book a ticket that the private cloud comes into play. This is where personal data is stored and processed, as well as sensitive data such as billing information or company-internal data. It would be similar, for example, with a cinema booking portal. Here, too, all requests that generate high traffic can run into the public cloud. For example, the hosting and playback of movie trailers. Only the booking process, during which sensitive personal data and payment information is generated, is handled using the private cloud.

Sometimes, however, exactly the opposite scenario makes sense: If unexpectedly high traffic can be ruled out, private front models can also offer advantages. For example, companies that run all IP requests through their on-premises resources have the best possible overview of where the different requests are coming from – and therefore can control all network access. The advantage: maximum information and control. With this topology, companies can track in real time who retrieves what information and when. And in the event of unwanted requests – such as Distributed Denial of Service (DDoS) attacks – they can block or redirect the corresponding IP addresses.

In addition, companies that use a private front topology meet the highest security and compliance standards. This prevents customer data from entering the public cloud, even temporarily, as is the case with the public front topology. This model could, for example, be of interest to manufacturers of machines that are networked with a platform hosted in the private cloud. Because data from machines that is assigned to specific customers is also legally considered personal data, providers prefer to store it in the private cloud. And they can do so knowing that there will be no issues related to data protection and that the amount of data remains calculable at all times: Anyone who receives machine data can count on a constant flow of information without any sudden traffic peaks.

Nevertheless, companies can also benefit from the advantages of the public cloud in the private front model, such as for burst scenarios, analyses or machine learning processes. They can, for example, make customer or machine data anonymous before they transfer it to the public cloud to analyze it or use it to train an AI. This can be data from an ERP system that is used to forecast the purchasing behavior of customers, or data from machines used by customers for predictive maintenance processes.

The disadvantage of the private front topology is the slightly higher cost. That’s because, in order to guarantee the availability of their own services at all times, companies need a level of resources in the private cloud instance that is at least equal to the maximum expected use – including external requests. This means that the on-premises share must inevitably be greater than the public front topology, which is reflected in correspondingly higher costs for the non-scalable resources.

However, although the interaction between private and public clouds can work very well, certain application scenarios require a strict separation between the instances. In some industries, for example, there can be no connection between on-premises and public cloud instances. "Some companies are confronted with this problem because most providers only offer a hybrid cloud solution with an existing connection to the public cloud instance," says T-Systems cloud expert Smets. "In Germany, only the Open Telekom Cloud Hybrid currently offers a completely separate operation of public and private cloud resources on the basis of an identical hardware and software architecture.“

By operating the instances in isolation, companies can handle customer requests via the public cloud. Automotive companies use the public cloud for less sensitive processes such as hosting their website, including a car configurator. However, confidential company data such as the construction drawings of prototypes, crash test or wind tunnel simulations never leave the company premises for security reasons and are carried out in the private cloud – without any connection to the outside world.

The most complex topology is the combination of all the variants: With so-called cleansheeting, companies create a complex set of rules that shows which user may access which resources at which time. Companies thus combine all the advantages of the different operating concepts. Employees no longer have to worry about where the required resources come from and can concentrate on their core business – both in the company divisions and in IT. Each request is served by an automated broker from the public or private cloud, according to specific parameters, and the most cost-effective operating mode is chosen – taking the policies into account. This saves companies twofold: once through automation, and once again through the most cost-effective operating mode.

Customers are also guided by an automated logic into the private or public cloud, depending on their request. They are only allowed direct access to the private cloud under certain conditions, but companies are still well prepared for sudden traffic peaks thanks to the public cloud. Sensitive data remains in the private cloud.

The difficulty with this topology is the effort involved and the challenge of keeping an overview. "In cleansheeting, every mistake can have serious consequences. Designing such an architecture requires in-depth expertise," says Smets. "That’s another reason why companies should consider relying on an experienced partner like Deutsche Telekom, which not only takes care of the design, but also subsequently implements the operation and maintenance if necessary, so that all the company’s employees can really focus on the core business.“

Companies interested in planning a hybrid cloud architecture with the help of Telekom can contact the Open Telekom Cloud team directly.