A Business Case for Internet-Bypass Solutions to the Clouds in 2023

ABSTRACT

In 2023, all major Cloud Service Providers support access over the public Internet, but increasingly enterprises are securing their cloud traffic using dedicated private networks. All have automated Internet-Bypass connection solutions supported by a stable of competing private network providers.?

This white paper is a presentation of a business case for?Internet-Bypass for each of the clouds. The business case identifies where it is cheaper to exchange traffic over a secure private network instead of over the public Internet.?

?To create a business case across the major clouds we generalize the clouds’ Internet-Bypass solutions, and provide the reader with a “rosetta stone” of translations between the terms used for this across three major clouds (Amazon Web Services, Google Cloud Platform, and Microsoft Azure). We use the simple general model of extending an in-region data center over a private network to the cloud presence for illustration.

The paper’s summary is that it is provably less expensive to interact with your corporate cloud presence over a private network when you have more than 25Mbps of traffic. Beyond this, the cost of the private network is entirely paid for by the cost savings from the reduction in cloud Internet egress fees.?A business case for securing the enterprise cloud network using 2023 prices is presented.?

Keywords: Cloud Networking, Internet-Bypass, Cloud Computing, Enterprise Networking, Cloud Economics, Cloud Router

?1. Cloud Internet-Bypass Solutions

All major cloud services offer an “Internet-Bypass” solution for directly connecting to their customers, and for good reason. Today’s Internet is continually under attack. Further, the scale of nation-state-sponsored cyber attacks may dwarf the scale of current Denial-of-Service (DoS) attacks. Because all Internet traffic traverses the same routers and links used by DDoS attackers, there is a potential for collateral damage, including network congestion manifested as latency, jitter, and packet loss.

?The simplest way to mitigate the risks of all Internet-based affects is to bypass the Internet altogether.

The Internet, as a side effect of being open, brings with it a large attack surface for cyber attackers. There are 4.3 networks on average between any two destinations attached to the public Internet. Each of these networks operates potentially many routers and links, each of which can be a target for compromise. Internet traffic can be mirrored, redirected, archived. Even encrypted traffic can be decrypted off-line over time. Internet service necessarily delivers packets across untrusted network devices.?

All major clouds address these availability and security risks with Internet-Bypass solutions. In 2023, clouds have stables of network providers, bringing thousands of buildings on-net to the clouds. These now mature services make it easier for all enterprises to “do all that is practicable” to secure their corporate networked assets.?

?In 2023, organizations across industries depend on cloud-based applications for business-critical work flows. Even medium sized organizations today depend on hundreds of cloud-based services. For enterprise applications that require continuous access to external networked resources, all of the cloud Internet-Bypass solutions provide a dedicated private network alternative to the public Internet. Blockchain operators who need always-on network connectivity to peer validators, and distributed artificial intelligence meshes both demand focus to use of cloud network in a financially efficient way.

This paper focuses on the business case for using the cloud Internet-Bypass solution to connect a corporate?Internet Data Center a few of the largest cloud services: Amazon Web Services (AWS), Microsoft Azure (MAZ), and Google Cloud (GCP).?We are ignoring the network security and performance improvement benefits to solely look at the cost savings derived from bypassing the Internet.

Throughout the paper the cloud-specific terms are introduced with a hyperlink table of cloud-specific terms as shown in Table 1.

Let’s start by comparing the model and cost of the Internet-access model to accessing cloud resources using 2023 pricing.?

?2. Public Internet Access to the Cloud

All clouds charge for traffic that leaves their cloud (see Table 2 for the cloud-specific names and links to pricing of these Egress Traffic fees).

Egress traffic is charged by traffic volume (in $/GB) each month. In addition, on the corporate data center side, an Internet Service Provider charges a metered rate (in $/Mbps) each month. These two cost components are shown in Figure 1.

To estimate the combined volumetric and metered cloud traffic expenses, we will make the simplifying assumption that the traffic between the corporate data center and the cloud is a steady bi-directional flow of traffic at 50Mbps, 100Mbps, 200Mbps, etc.?We will focus on these rate denominations since these are common Internet-Bypass port sizes for the clouds. We see the corresponding resulting number of GB generated volumetrically for each rate each month in Table 3.

With Table 3 we see the volume of traffic to be spread across the cloud pricing tiers to calculate monthly cost. For example, a 50Mbps of traffic flow that generates 16,200 GB per month will span Amazon’s “1st 10TB” tier at $0.085/GB and the remainder from the “Next 40TB” tier at $0.08/GB. See Internet cost tables in the appendix.?

By dividing the cloud total monthly Internet egress expenses by the number of Mbps we can calculate the effective Internet Egress Fee in $/Mbps in Table 4.?

Let’s compare these effective Internet Egress Fees against the cost of sending that traffic over the clouds’ Internet-Bypass solution.

Notes from the field: The High Cost of Cloud Networking

The Internet cost tables spotlights the high cost of traffic costs that leaves the cloud.?

When taking the cloud Internet egress expenses into account, we see that the effective Internet traffic costs hovers around $20/Mbps in a market where the wholesale Internet Transit?is less than $1/Mbps in 2023.

The telecom industry prices continue dropping 20%+ per year, while the clouds have held customer network prices comparably steady during over the last ten years.?

3. Components of Internet-Bypass Solutions

All major Cloud Service Providers have a branded Internet-Bypass solution as shown in Table 5.?

Definition: An Internet-Bypass Solution enables organizations to connect remote locations to their cloud resources not using the public Internet (i.e. private network).?

They have their own names for similar functioning components of their model, shown as hyperlinks to the cloud on-line documentation.

Table 5 - Cloud-Specific Internet-Bypass Terms

The generalized direct connection service can be abstracted as three main parts illustrated in Figure 2.?

Corporate Data Center Side. An enterprise connects its corporate data center (on the left) to its corporate cloud presences (on the right) bypassing the public Internet with Private Network Transport.?

Cloud Side. The heart of the cloud presence is a secure network-isolated environment in which to run workloads, a Virtual Private Cloud to use AWS parlance. These connect to the outside world using some flavor of virtualized network interface, operated via the cloud portals or programmatically via APIs.

Layer 2 Private Network Transport in the middle. All clouds have their own names for the underlying components of their models. Generically, Private Transport Providers interconnect with their cloud after some form of verification or certification. In 2023, all clouds have a rich collection of competing private transport providers shown in their directories in Table 5.

Private Network Transport Providers sell dedicated network connectivity into the public clouds, collectively bringing thousands of buildings on-net with the public clouds.

From the perspective of the cloud service provider, the Transport Provider typically hands off some combination of tagged VLANs shown graphically in Figure 2A. The VLAN traffic can then be passed to the Corporate Cloud Presence as shown in Figure 3, 4, and 5.

With the underlying Internet-Bypass solution generalized, we can now construct the Internet-Bypass cost model and then break-even analysis for each cloud’s Internet-Bypass solution. Each business analysis will allow us to say (see iIllustration 1):

“When we exchange 50Mbps with our cloud it generates 16,200 GB each month at about 8 cents per GB. We can secure this traffic leasing a private network for $796/mo, which works out to about $15.91/Mbps. The next best alternative is to continue to use our public Internet and pay about $26.92/Mbps. At 50Mbps this should save us about 40% on cloud expenses and enhance security by utilizing a private network to bypass the Internet.”

4. A Cost Model for Internet-Bypass Solutions

All clouds have three costs associated with its Internet-Bypass solution connecting a corporate Internet Data Center to a cloud presence within a region.:?

1. a Cloud Internet-Bypass port,?
2. Private Network Transport, and?
3. Egress Traffic Fees for traffic sent over the Internet-Bypass port (by volume).

Cloud Internet-Bypass Port

All clouds offer an hourly direct connection port rental, but to simplify our example we will apply a monthly use and corresponding 2023 price points as shown in Table 6.

Private Network Transport?

Similarly, many private transport providers can lease out their network on an hourly basis, for our illustration we apply a monthly use and corresponding price points as shown in Table 7.

While these prices vary materially across markets, Figure 7 shows that these transport costs are less material to the business case as traffic scales.

A couple of price quote samples for transport costs are shown in Table 8 and Table 9, highlighting the effective metered rate of a private network (Source: ConsoleConnect, courtesy Neil Templeton).

Internet-Bypass Egress Traffic Fee

All three clouds charge 2 cents for all egress traffic sent through the Internet-Bypass connection instead of over the public Internet.

Reduction in ISP Traffic Fee

Another nuance to the Internet-Bypass cost model is that we deduct the Internet traffic cost for the traffic now sent over the Internet-Bypass port.?

This complication to the formula however has little impact on the business case; we are decreasing the relatively cheap ISP cost (set to $1/Mbps) in a context where the total cost of the Direct Connect Connection solution will turn out closer to $20/Mbps. This adjustment turns out not have material effect on the business case.

Internet-Bypass Breakeven Point

We add up all of the costs of the Internet-Bypass solution and see a point where the cost of sending the traffic over the direct connection exactly equals what the cloud would charge us to send that traffic over the public Internet.?This Internet-Bypass Breakeven Point is graphically depicted in each of the upcoming business cases:?

Notes from the Field - Some Observations about Cloud Networking

Across the clouds the Internet-Bypass discount model seems to be:

If you bring your own private network transport to the cloud, you and the Cloud Service Provider will split the cost savings.

The enterprise gets the security of ownership of the network path all the way from their remote location to their cloud presence, and the clouds still get 2 cents per GB egress traffic fees for all traffic that leaves their cloud, without any incremental network costs!?

This demonstrates walled garden market pricing power inherent in cloud networking. Prices outside the cloud demonstrate open market pricing while cloud egress fees have remained relatively static.

The other observation is that the private network transport costs are immaterial compared to the cloud egress fees in the business case as shown in Figure 7.?As the Internet-Bypass traffic grows, the majority of the cost (and cost savings) are from reducing the cloud’s own egress fees.

As traffic grows to 10Gbps, the network transport provider earns only10% of the revenue derived from a 10Gbps of Internet-Bypass deployment as shown in Figure 7.

5. A Business Case AWS Direct Connect

To answer the question,?

“When does AWS Direct Connect save money?”

we compare the cost of a full month of bi-directional traffic from a remote in-region data center to the cloud over the Internet and do the same over the cloud Direct Connect solution.

In Table 10A, note the Summary Internet-Bypass Business Case on the right side. This shows the scale of the cost savings when the Internet-Bypass ports are fully utilized. We see the cost savings in absolute dollar and percentage terms across the Internet-Bypass port sizes.

Table 16B plots the first few Mbps of traffic sent over the Internet or over the Internet-Bypass solution. Specifically it highlights the Internet-Bypass Breakeven point of 24Mbps, where all costs of the private network are covered by the cost savings from reducing the cloud’s Internet egress traffic fees.?

Summary: Under the assumptions in this model, if you have more than 24 Mbps of AWS traffic, Table 10B shows how AWS Direct Connect reduces network costs. In absolute dollar terms, Table 10B shows that when your AWS Internet egress fees exceed $661/month, Direct Connect may be a cost saver. The Internet-Bypass solution remains cheaper on into the 10Gbps rates.

?A Business Case for Google Cloud Interconnect

To answer the question,?

“When does Google Direct Connect save money?”

we compare the cost of a full month of bi-directional traffic from a remote in-region data center to the cloud over the Internet and do the same over the Google Cloud Interconnect solution.

In Table 11A, note the Summary Internet-Bypass Business Case on the right side. This shows the scale of the cost savings when the Internet-Bypass ports are fully utilized. We see the cost savings in absolute dollar and percentage terms across the Internet-Bypass port sizes.

Table 11B plots the first few Mbps of traffic sent over the Internet or over the Internet-Bypass solution. Specifically it highlights the Internet-Bypass Breakeven point of 25Mbps, where all costs of the private network are covered by the cost savings from reducing the cloud’s Internet egress traffic fees.?

Summary: Under the assumptions in this model, if you have more than 25 Mbps of AWS traffic, Table 11B shows how AWS Direct Connect reduces network costs. In absolute dollar terms, Table 11B shows that when your Internet egress fees exceed $689/month, The Internet-Bypass solution remains cheaper on into the 10Gbps rates.

7. A Business Case Azure ExpressRoute

Microsoft brings a different interconnect model requiring dual ExpressRoute circuits and ports but the business case remains the same.?

To answer the question,?

“Does Azure ExpressRoute save us money?”

we calculate the cost a full month of bi-directional traffic with the cloud over the Internet compared to over the Azure ExpressRoute solution.

In Table 12A, we see the Summary Internet-Bypass Business Case on the right side shows the scale of the cost savings across the direct connect ports offered. We see the cost savings in absolute dollar and percentage terms.

Table 12B shows the cost structure up to the Internet-Bypass Breakeven point of 28Mbps, the point where all costs of the private network are covered by the cost savings from reducing the cloud’s Internet egress traffic fees.?

Summary: Under the assumptions in this model, if you have more than 28 Mbps of Azure Internet traffic, Table 12B shows how Azure ExpressRoute reduces network costs. In absolute dollar terms, Table 12B shows that when your Azure Internet egress fees exceed $726/month, Azure ExpressRoute may be a cost saver.

?Summary

This business case for Internet-Bypass Solutions in 2023 demonstrates that if you have roughly 25Mbps or more?traffic with your Cloud Service Provider, then using a private network may pay for itself.?

Stated in dollar terms, enterprises should explore any of these Internet-Bypass solutions as a cost reduction method when cloud Internet egress fees exceed $700/month.?

Network managers should monitor Internet egress traffic fees and upgrade to a private network connection when cloud egress traffic to the remote site approaches 25Mbps.?

If you are looking to cut cloud expenses, Internet egress fees to reach remote locations is a simple thing to check, and the optimization is a well-practiced solution.

Why does it work out cheaper to bring your own private network? ?

1. The Internet Egress Transfer fees the cloud charge is the dominant component of cloud networking costs, working out to over $20/Mbps. Reducing these network costs by 75% ($0.085 to $0.02/GB in AWS example) has a sizable impact as shown in the AWS Summary Direct Connect Business Case Analysis.?
2. The Internet Transit and Private Network Transport market historically have experienced price declines of 20-30% per year. Thousands of buildings on-net with the clouds means that there is a highly competitive open market for private network transport to the clouds. This resulted in the ever decreasing costs for network outside the cloud.
3. The business case hurdle is to cover the fixed cost of the port and transport with the lower cost traffic. The fixed monthly cost of the port and the transport make the first few Mbps very costly on a unit basis, but after roughly 25Mbps the unit cost decreases as shown in Figure 6. The breakeven point occurs very early and the cost savings continues from this point forward.

10. Acknowledgements

Thanks to Dr. Christoph Diesel (DEC-IX), Maurice Dean (LynkState), John Hill (DE-CIX), Paul Gampe (PCCW/ConsoleConnect), Neil Templeton (ConsoleConnect), Ben Kirkpatrick (Oracle), Tom Kaczynski (Meta), Carmella Weatherill (Google) for their early insights and data points on this white paper.?

11. About the Author - William B. Norton

Mr. Norton is most widely known as “Dr. Peering” for his peering white papers and his book “The Internet Peering Playbook: Connecting to the core of the Internet.?He also served as Co-Founder and Chief Technical Liaison for Equinix from 1998-2008, was part of the founding team for Console Connect, and served as Co-Founder for Syntropy, a Lithuania-based Web3 crypto software company. He served as the first chairman of NANOG during the transition to the modern commercial Internet. Today Mr. Norton is a consultant and an innovator at the intersection of Internet Interconnection and Web3.

LinkedIn: https://www.dhirubhai.net/in/williambnorton/?

Full Disclosure

The author is a named inventor on patents related to a ConsoleConnect invention in the “cloud router” area and several in the decentralized performance-based routing area utilizing blockchain.Appendix A - Internet Egress Fee Cost Tiers

Appendix - Internet Cost Tables

All clouds charge volumetrically for all traffic that leaves their clouds. Pricing is tiered based on volume each month. These tables show the cost of sending cloud traffic over the public Internet to a remote data center which is paying $1/Mbps for Internet. We assume a sustained bidirectional flow to highlight the effective metered cost for traffic exchange with the clouds.?

The AWS Internet Cost Table shows the metered data flows as GB per month allocated across the pricing tiers specified in the AWS CloudFront service.

The Google Internet Cost Table shows the metered data flows as GB per month allocated across the pricing tiers specified in the Google Standard-Tier Internet Egress price table.

And the Azure Internet Egress is served by the Internet Service Providers with egress charging explained across many Microsoft Azure pricing tables.