The present inventive concepts relate to communications networks. In particular, the present inventive concepts relate to systems, methods and computer program products for accessing network services from external networks.
Cloud-based computing services are becoming ubiquitous in the information technology (IT) industry. In a cloud-based system, services consumed by a business may be hosted and managed by a remote cloud service provider instead of being hosted by the business. The physical resources employed by the cloud service provider, such as servers, storage devices, communication devices, etc., can be shared among multiple consumers, allowing IT customers to benefit from economies of scale that they may not be able to achieve on their own. Moreover, these resources can be reallocated dynamically by the service provider to meet changing demands.
Cloud-based services may be hosted in a manner that allows the service provider to provide redundancy, load sharing, automated backups, and other features in support of the customer's services. In addition, cloud-based services may provide a number of other benefits to IT consumers, as the customer may experience reduced infrastructure costs, reduced IT management costs, and an increased ability to respond to changing market conditions.
However, even when an IT consumer relies on cloud-based services for at least some of its IT processing needs, it may still host some services itself within private networks. These may include legacy services that cannot easily be migrated to a cloud service provider, services that the IT consumer prefers to maintain as strictly enterprise-based services, services that for some other reason cannot be migrated to a cloud service provider, or services that generate data that for security reasons cannot be exposed to the cloud.
When an IT consumer relies on both cloud-based services and private enterprise-based services, it is sometimes necessary for the cloud-based services to access the enterprise-based services, and vice versa.
In the example network configuration shown in FIG. 1, an IT consumer may operate a private communications system 10 that hosts enterprise services 12. The IT consumer may also consume cloud services 14 that are hosted by a cloud service provider within a cloud 15. For example, the cloud services 14 may include a mobility service, a credit card processing service, etc., and the enterprise services may include a directory service, a certificate authority, a content management service, etc. Although specific examples are provided in the various embodiments described herein, many other types of services may be provided as cloud services and/or enterprise services.
The enterprise services 12 may reside inside the private communications system 10 (e.g., within an Intranet) behind a secure firewall (not shown) in an effort to limit access to the enterprise services 12 to authorized entities only.
To enhance security of the enterprise services 12, external communications with the enterprise services may be routed through a virtual private network (VPN) server 13 that establishes VPN connections with the cloud services 16 that are authorized to access the enterprise services 12. This approach may thereby provide a number of secured site-to-site VPN tunnels 18 between the VPN server 13 and the respective cloud-based entities 14, which may include cloud-based clients and/or cloud-based services.
However, this solution is not ideal. From the standpoint of the cloud service provider, each VPN tunnel 18 may require manual configuration, and each cloud service may need to support various VPN protocols and networking vendors. Thus, the establishment and maintenance of VPN connections to new IT consumers may be laborious, as the VPN connections for each new IT consumer may require customized configuration and setup.
From the standpoint of the IT consumer, each VPN tunnel is a direct connection to the cloud 15, and a site-to-site VPN opens up access to the private network as a whole rather than exposing only those services that are required for operation. Each VPN connection therefore represents an entrance point to the private communications system 10 that could potentially be subject to security breaches.