
Heroku Adds Private Spaces for Isolating Cloud Apps

| by Richard Seroter on Sep 16, 2015. Estimated reading time: 4 minutes |

Since being acquired by Salesforce five years ago, Heroku has continued to evolve as a developer-focused, standalone PaaS. The recent beta announcement of Heroku Private Spaces – included in the Heroku Enterprise bundle and part of the new Salesforce App Cloud – addresses a key Ops security concern while also bringing clarity to the question of how to use Salesforce and Heroku together.

Heroku Private Spaces provide network isolation to application and data services running in the public cloud. Whereas Heroku users today simply have a choice to deploy apps to the “United States” or “Europe”, a Private Space can be deployed to Virginia, Oregon, Frankfurt, Dublin, Sydney, or Tokyo. In a blog post introducing the beta of Private Spaces, Heroku explained how they isolate applications yet maintain a shared control plane.

A Heroku Private Space contains all of the familiar elements of a Heroku app, including dynos and data services. These elements are deployed and run in network isolated environments, separating the “private” application, including its associated data, from the “public” systems that keep it up, running and healthy.

The new mix of multi-tenant control plane with private runtimes is what makes this architecture unique, and allows it to share an identical development and deployment experience with the Heroku you know today. You develop and deploy apps in Private Spaces just like you would normally on Heroku; Heroku Button, git push deployments, review apps, pipelines, seamless scaling, self healing and Elements Ecosystem — are all included in Private Spaces.

Developers who push multiple apps to the same space can share private data services and communicate with each other using any TCP or UDP port and protocol. Supported data services include Postgres and Redis, both of which become dedicated service instances that reside in the Private Space. While the runtime and data services reside in the network-isolated Private Space, Heroku’s core services – including git repos and build services – all reside in the Virginia region and do not get replicated into the Private Space. Customers can control access to the private network by whitelisting IP blocks. It does not appear that Heroku users can control the IP space definition or establish VPN connections into the Private Space.

This service targets system administrators and those looking for additional security controls. Heroku touts “no additional configuration or operational requirements to use your space” and the ability to use the same management dashboard for apps deployed to either the shared public fabric or a Private Space. If granular security controls are needed, then Heroku Enterprise customers can connect to Active Directory or Salesforce Identity via the new Heroku Identity Federation.

Does Heroku’s new enterprise focus help crystalize the strategy of the parent company, Salesforce.com? Analyst Ben Kepes has watched the Salesforce evolution, and believes they are finally starting to connect the dots.

Over the past eight or so years that I've been covering Salesforce, I've grown increasingly numb to the sheer number of different "clouds" it sells. There is, of course, the Salesforce Sales Cloud, but that has been joined by the Service Cloud, the Community Cloud, the Marketing Cloud, the Analytics Cloud, etc., etc. A few of us Salesforce watchers have been saying for a while now that perhaps the time has come to combine some of these clouds so that customers can get a consistent and coherent product mix.

Salesforce has needed to tell a more coherent story about how Heroku plays within the broader Salesforce platform context. By rolling it into App Cloud and layering a fabric of identity and access controls over the top of it, Salesforce has gone a long way toward answering some of the criticism that people had about what was starting to feel like a very inconsistent developer approach.

Ovum’s Laurent Lachal told InfoWorld that Salesforce is trying to make Heroku more “enterprise friendly.”

"Under Salesforce's influence, Heroku has expanded from its original audience of individual developers targeting the consumer market to enterprise developers creating enterprise applications," he said.

The Salesforce App Cloud promises “that developers can use both Heroku and Force services to build applications going forward, and customers won’t have to worry about what in those applications runs where,” according to Barb Darrow at Fortune. While Heroku was typically targeted at external-facing apps and Salesforce targeted at employee-facing apps, executive vice president of App Cloud Tod Nielsen believes that customers can now bring these experiences together.

Nielsen agreed that historically Heroku and Force.com appealed to different constituencies, but he maintained that this is changing. “Enterprise customers want agility and features found in Heroku but the problem is they don’t trust the public internet, while they trust Salesforce.”

Gartner’s Yefim Natis pointed out that Salesforce and Heroku have extremely different architectures and development experiences, but that this could turn out to be an advantage.

Natis said customers need both types of development expertise. First, there is the high-control environment, used by business people who are not necessarily code jockeys to create applications that fit their compliance needs. Second, there is the high-productivity type used by true geeks who want to hand wire applications from scratch to get exactly what they want.

“You need both types [of development] and Salesforce.com has both,” Natis added. “Of the big names in tech, only Salesforce has both high-control and high-productivity tools, lightly integrated.”

Heroku Private Spaces is in beta, with no pricing available until general availability in 2016. Customers who join the beta get a sandbox Heroku Enterprise account with Private Spaces turned on.
