Redes Multi-nube para Empresas: Buenas Prácticas en Azure + AWS + Kubernetes
¿Qué es una red multi-nube? (explicación sencilla)
Una red multi-nube es como conectar varias ciudades digitales (por ejemplo, Azure, AWS y Kubernetes) para que puedan comunicarse y compartir recursos de forma segura.
Antes, las empresas usaban solo una nube, pero ahora es común usar varias para aprovechar lo mejor de cada una.
En este artículo, te explico cómo diseñar y conectar redes en diferentes nubes, aunque nunca hayas trabajado con ellas.
Arquitectura de Referencia
1. Estructura Base de Red
# Terraform - Azure VNet
module "azure_network" {
source = "./modules/azure-network"
vnet_name = "multi-cloud-vnet"
address_space = ["10.0.0.0/16"]
location = "westeurope"
resource_group_name = azurerm_resource_group.networking.name
subnets = {
app = {
name = "app-subnet"
address_prefix = "10.0.1.0/24"
}
data = {
name = "data-subnet"
address_prefix = "10.0.2.0/24"
}
k8s = {
name = "aks-subnet"
address_prefix = "10.0.3.0/24"
}
}
}
# AWS VPC
module "aws_network" {
source = "./modules/aws-network"
vpc_name = "multi-cloud-vpc"
cidr = "172.16.0.0/16"
region = "eu-west-1"
subnet_configuration = [
{
name = "app-subnet"
cidr = "172.16.1.0/24"
az = "eu-west-1a"
},
{
name = "data-subnet"
cidr = "172.16.2.0/24"
az = "eu-west-1b"
}
]
}
Conectividad entre Nubes
1. Azure Virtual WAN
resource "azurerm_virtual_wan" "multicloud" {
name = "multicloud-vwan"
resource_group_name = azurerm_resource_group.networking.name
location = var.location
type = "Standard"
}
resource "azurerm_virtual_hub" "main" {
name = "main-hub"
resource_group_name = azurerm_resource_group.networking.name
location = var.location
virtual_wan_id = azurerm_virtual_wan.multicloud.id
address_prefix = "10.1.0.0/16"
}
2. AWS Transit Gateway
resource "aws_ec2_transit_gateway" "main" {
description = "Multi-cloud Transit Gateway"
tags = {
Name = "multicloud-tgw"
}
}
resource "aws_ec2_transit_gateway_vpc_attachment" "main" {
subnet_ids = module.aws_network.private_subnet_ids
transit_gateway_id = aws_ec2_transit_gateway.main.id
vpc_id = module.aws_network.vpc_id
}
Seguridad y Microsegmentación
1. Network Security Groups (Azure)
resource "azurerm_network_security_group" "app_tier" {
name = "app-tier-nsg"
location = var.location
resource_group_name = azurerm_resource_group.networking.name
security_rule {
name = "allow-internal"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "10.0.0.0/16"
destination_address_prefix = "10.0.1.0/24"
}
}
2. Security Groups (AWS)
resource "aws_security_group" "app_tier" {
name = "app-tier-sg"
description = "Security group for application tier"
vpc_id = module.aws_network.vpc_id
ingress {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["172.16.0.0/16"]
}
}
3. Network Policies (Kubernetes)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: app-network-policy
spec:
podSelector:
matchLabels:
app: web
policyTypes:
- Ingress
- Egress
ingress:
- from:
- namespaceSelector:
matchLabels:
purpose: production
ports:
- protocol: TCP
port: 80
Monitorización y Observabilidad
1. Azure Network Watcher
resource "azurerm_network_watcher" "main" {
name = "network-watcher"
location = var.location
resource_group_name = azurerm_resource_group.networking.name
}
resource "azurerm_network_watcher_flow_log" "main" {
network_watcher_name = azurerm_network_watcher.main.name
resource_group_name = azurerm_resource_group.networking.name
network_security_group_id = azurerm_network_security_group.app_tier.id
storage_account_id = azurerm_storage_account.logs.id
enabled = true
retention_policy {
enabled = true
days = 7
}
}
2. AWS VPC Flow Logs
resource "aws_flow_log" "main" {
iam_role_arn = aws_iam_role.flow_log.arn
log_destination = aws_cloudwatch_log_group.flow_log.arn
traffic_type = "ALL"
vpc_id = module.aws_network.vpc_id
}
Optimización del Rendimiento
1. Azure ExpressRoute
resource "azurerm_express_route_circuit" "main" {
name = "expressroute-circuit"
resource_group_name = azurerm_resource_group.networking.name
location = var.location
service_provider_name = "Equinix"
peering_location = "London"
bandwidth_in_mbps = 1000
sku {
tier = "Premium"
family = "MeteredData"
}
}
2. AWS Direct Connect
resource "aws_dx_connection" "main" {
name = "direct-connect"
bandwidth = "1Gbps"
location = "dx-location"
}
Implementación de Service Mesh
# Istio Configuration
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: multi-cloud-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
credentialName: multicloud-cert
hosts:
- "*.example.com"
Automatización y CI/CD
# GitHub Actions Workflow
name: Network Infrastructure Deployment
on:
push:
branches: [ main ]
paths:
- 'terraform/networking/**'
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: $
aws-secret-access-key: $
aws-region: eu-west-1
- name: Setup Azure CLI
uses: azure/login@v1
with:
creds: $
- name: Terraform Apply
run: |
terraform init
terraform plan -out=tfplan
terraform apply -auto-approve tfplan
Mejores Prácticas
- Diseño de Direccionamiento IP
- Evitar superposición de rangos
- Planificar para crecimiento futuro
- Documentar asignaciones
- Seguridad
- Implementar Zero Trust
- Microsegmentación
- Encriptación en tránsito
- Monitorización
- Logs centralizados
- Métricas de rendimiento
- Alertas proactivas
- Optimización
- Balanceo de carga global
- Rutas optimizadas
- Caché distribuido
Conclusiones
La implementación exitosa de redes multi-nube requiere:
- Planificación detallada
- Automatización robusta
- Monitorización completa
- Seguridad integrada
Próximos Pasos Recomendados
- Auditar la infraestructura actual
- Desarrollar plan de migración
- Implementar piloto
- Escalar gradualmente
- Monitorizar y optimizar