
Should I use the Internet to access my private cloud?

By Regan Hughes, 20 October 2016


There are two main methods to get your private data to the cloud - but which is the best for your business? Regan Hughes weighs up the options.

Private cloud services like AWS and Azure are becoming more accepted as a place to store private company data in NZ. There are two main methods to get your private data to the cloud:

  1. Encrypted tunnel over the Internet
  2. Private WAN connection using a service like Azure ExpressRoute or AWS Direct Connect

Both options have pros and cons, so here is some information that might help you to weigh up the choices.


Encrypted tunnels 

Using an IPSec tunnel across your existing Internet service is a great way to get started. It has a relatively low start-up cost, is secure and can be set up quickly if you know what you’re doing.

It does have some drawbacks though.

  • It can become expensive to scale IPSec to higher bandwidths from a firewall perspective.
  • Often an IPSec tunnel will come back to a single point in your network, meaning all of your sites must connect to your cloud through that bottleneck.
  • Some applications don’t like being encrypted in IPSec tunnels and this can result in packet fragmentation or the encryption process itself causing jitter.
  • IPSec tunnels can have stability and compatibility issues between different vendors that can appear and/or change when either you or your cloud provider upgrades firmware.

Internet routing – is it best or will it slow down during the busy period?

Probably the biggest drawback, however, is the use of the Internet itself. The first consideration here is the path that your Internet provider takes to your cloud provider. Ask yourself a few key questions: Is it the most direct route? Does it slow down when consumer users are busy, e.g. school holidays? Can it sometimes be re-routed to a sub-optimal path to manage congestion?

Will your own users impact your business applications using the Internet?

The second and perhaps most important issue is whether or not you can guarantee that your own Internet users won’t be chewing up your Internet bandwidth at a time when your business wants to hit the private cloud hard. If a key application has a busy workload scheduled for a time when, say, the Olympics is live streaming or Apple have released a major update, then you may be stuck with sluggish performance.



Accessing your private cloud via a dedicated private WAN circuit eliminates most, if not all, of the issues with IPSec. That is:

  • The path is predictable and if you have the right provider it will be high performance.
  • There are no compatibility issues with IPSec or applications running across it.
  • You can control the Quality of Service to ensure that you have both guaranteed bandwidth to the cloud and that you can prioritise your cloud applications.
  • You can scale from 1Mbps to 1Gbps using the same equipment a lot of the time.
  • And the Olympics won’t mess with your database sync.

Direct access into your WAN

One of the best benefits, for some, is that a private WAN circuit means all sites in your network can access your private cloud directly, without having to trombone through a central choke-point.

There is a drawback

The major drawback is the cost, which is usually higher than using your Internet service (putting aside any hidden maintenance costs). This means that you would only consider this option if you’re putting business-critical applications in your private cloud.




If you’re beginning your private cloud journey or if you’ve decided that it will be a place for non-essential data that doesn’t need the best performance or reliability, then encrypted tunnels are the way to go.

If you’re taking the step to put business-critical applications up in the cloud, it may be worth treating your private cloud as another site on your WAN, with similar bandwidth guarantees and latency/packet-loss metrics.