Taxonomy of network architectures
A high-level overview of each type of network architecture that CDP supports.
At a high level, there are several types of network architectures CDP supports. As can be expected, each type brings a unique tradeoff among various aspects, like ease of setup, security provided, workloads supported, and so on. This section only provides a high level overview of each type. The characteristics of each type is explained under appropriate sections in the rest of the document. The users must review the advantages and disadvantages of each of these taxonomies in detail before making a choice suitable to their needs.
|Publicly Accessible Networks||Deploys customer workloads to hosts with public IP addresses. Security groups MUST be used to restrict access only to corporate networks as needed||Easy to set up for POCs. Low security levels.|
|Semi-Private Networks||Deploys customer workloads to private subnets, but exposes services which data consumers need access to over a load balancer with a public IP address. Security groups or allow-lists (of IP addresses or ranges) on load balancers MUST be used to restrict access to these public services only to corporate networks as needed.||This option is fairly easy to set up too, but it may not solve all the use
cases of access (in
Semi Private Networks). The surface of exposure is reduced, and it is reasonably secure.
|Fully Private Networks||Deploys customer workloads to private subnets and even services which data consumers need access to are only on Private IPs. Requires connectivity to corporate networks to be provided using solutions like VPN Gateways, and so on.||Complex to set up depending on prior experience of establishing such connectivity, primarily due to the way the customer has to solve the corporate network peering problem. But it is very secure.|
|Fully Private Outbound Restricted networks||This is the same as Fully Private Networks. Except, in addition, Cloudera also provides a mechanism for users to configure an outbound proxy or firewall to monitor or restrict the communication outside their networks.||Most complex to set up, mainly considering the varied needs that data consumers would have to connect outside the VPC on an evolving basis. It is also the most secure for an enterprise.|