New research about the value of the Internet2 NET+ Service Evaluation Process is now available. According to an in-depth analysis conducted by a group of graduate students in the Kelley School of Business’s Graduate Program (GAP) Field Consulting program at Indiana University (IU) last year, an average of 500 staff hours per institution was saved from community-led cloud services evaluations. 

“When institutions adopt a service directly, they must dedicate internal staff time, develop complex legal documentation, and run costly RFPs,” said one of the MBA students who was a part of the IU research group. “NET+’s  service evaluation process preempts this resource drain.”

For those institutions who subscribe to NET+ services, “our analysis confirms that this rigorous, collaborative service evaluation process replaces redundant, high cost due-diligence across dozens of universities and research institutions with a single, expert evaluation,” the student continued. 

The service evaluation process saves time, reduces risk, and accelerates adoption of technology. New York University’s Stratos Efstathiadis, who participated in the recent NET+ Portkey service evaluation process, described it as “a demonstration of collaboration and efficiency… The synergy among peer institutions ensures Portkey meets the diverse AI requirements of higher education.”

Because the 20+ services that make up the NET+ portfolio were fully vetted by their peers in research and higher education (R&E), the program’s nearly 600 subscribing institutions receive benefits beyond discounted pricing. They save time and money when determining which cloud services to procure and benefit from community support during adoption. Implementing new cloud services is valuable; saving staff time in the process is priceless.

Less Leg Work, More Modernization

There never seem to be enough hours in a day. This is especially true for IT teams at R&E institutions. In addition to ensuring day-to-day operations run smoothly, they are responsible for identifying and procuring new technology services for their campuses. 

How efficient is their process for procuring and deploying new technology? According to the Higher Ed Innovation Index 2025, 49% of campuses are accelerating tech investments, but 44% cite implementation as their biggest challenge. Further, when surveyed, only 14% of higher ed leaders were confident in their speed between the planning, execution, and analysis cycles necessary for adoption of emerging technology. 

NET+ service evaluations, many of which take place over three months, provide the adoption accelerator that R&E institutions need to deliver the cloud services their stakeholders want more confidently and efficiently. Guided by the NET+ team, their peers do the leg work, so they don’t have to. 

A participant in the service evaluation for the NET+ Miro service, Joseph Vaughan, CIO and vice president for computing and information services at Harvey Mudd College, appreciated how thorough the process was. Vaughan said, “I found the experience reassuring – the level of scrutiny, thoughtfulness, and resources (the big institutions have specialists in all sorts of areas that we can only dream of) gave me even more confidence about signing on to a NET+ agreement.”

The IU research team’s work reflects his sentiment. Through data analysis, interviews, and benchmarking, the team concluded that the NET+ program delivers efficiency by consolidating complex legal and technical vetting across peer institutions, accelerating service adoption from months to potentially days.

Community Collaboration, Vetted Value

The service evaluation process not only accelerates R&E adoption of cloud services, it ensures that this community’s unique needs are met. Service evaluations function as a workforce multiplier that reduces total cost of adoption through collaborative evaluation, shared expertise, and risk reduction.

Rick Rhoades, manager, cloud services and Linux server, The Pennsylvania State University and sponsor of the NET+ Kion service, put it this way, “Internet2’s NET+ service evaluations really show the tremendous value that can be realized when we leverage the entire higher education community.” 

“We [were] excited to be one of 12 institutions that participated and evaluated many key concerns from institutions today, like accessibility, security and compliance, and favorable contract terms,” Rhoades continued. “The relationships that are formed through this community-driven process lay the foundation for institutions to successfully meet their needs together, now and for years to come.”

The process reflects the NET+ commitment to solving community-identified needs with shared, scalable solutions in emerging technology areas.

Principles of the Process

The NET+ Service Evaluation Process is designed to ensure that candidate services meet the stringent technical, security, and operational requirements of Internet2 members. The Service Evaluation Process follows the established NET+ methodology to ensure thorough vetting of each service:

1. Technical Assessment: Evaluation of architecture, security, and integration capabilities based on community user experiences
2. Compliance: Assessment of security and accessibility through HECVAT and VPAT reviews, with commitments to relevant laws and standards like FERPA, HIPAA, and WCAG.
3. Contract Negotiation: Development of higher education terms and pricing
4. Launch: Comprehensive documentation for portfolio inclusion

A geographically diverse set of public and private institutions representing Internet2 higher education members and Internet2 affiliate members participate in service evaluations. This broad participation helps ensure that the solution meets the unique and varied needs of institutions across different regions and sizes, from large research universities to smaller private colleges. Services undergo a series of technical evaluations, pilot deployments, and community reviews, ensuring they are fully vetted before being made broadly available through the NET+ Program.

“Given the hidden costs and time constraints associated with solo procurement of cloud services, the NET+ Program’s collaborative service evaluation model serves as a catalyst for bringing the best services to R&E more quickly,” said Sean O’Brien, associate vice president, NET+, Internet2.

Support NET+ Service Evaluations

Every hour dedicated to NET+ service evaluations is an investment in the community’s successful adoption of emerging cloud technologies. The NET+ Program helps the community move intentionally, so R&E institutions can proceed more quickly and confidently in deploying cloud services. 

To learn more about the IU team’s research or express interest in participating in NET+ service evaluations, please contact the NET+ team at [email protected].

About NET+

The Internet2 NET+ Program brings together the collective expertise, influence, and buying power of research and education institutions to thoughtfully accelerate cloud adoption by enabling programs and services that act as a workforce multiplier for the community we serve. Powered by a higher ed peer community, NET+ makes the cloud work better for research and education.

< Back to Internet2 News

Network operators in research and education face an ongoing challenge: maintaining granular control over routing decisions as cloud connectivity architectures grow increasingly more complex.

The new Route Policy feature in Internet2 Insight Console Virtual Networks helps address this challenge. It provides network operators with the tools they need to secure, optimize, and configure their Border Gateway Protocol (BGP) routing infrastructure.

What is Virtual Networks Route Policy?

Route Policy allows network operators to define how BGP routes are handled. Think of it as a customizable filter and transformation engine sitting at the edge of your network, evaluating every route announcement and applying your organization’s networking logic before routes are accepted or advertised.

At its core, Route Policy uses a match-and-action model. You define conditions that routes must meet (the “match” criteria), then specify what should happen to routes that meet those conditions (the “action”). 

This simple but flexible framework unlocks critical use cases that address real operational pain points: staying under provider route limits, blocking bad announcements before they spread, and ensuring BGP selects the paths you intend.

Use Case 1: Protecting BGP Peers from Max Prefix Limitations

Cloud providers impose strict limits on the number of routes they’ll accept over BGP sessions. Exceeding these thresholds can have immediate consequences. 

Amazon Web Services, for example, limits BGP sessions on private virtual interfaces and transit virtual interfaces to 100 routes each for both IPv4 and IPv6. If you exceed this limit, AWS will place the BGP session in an idle state, effectively taking the connection down.

For organizations managing multicloud environments or large campus networks with numerous subnets, accidentally crossing this threshold is a real risk. Adding a new subnet or changing routing configuration could push you over the limit and cause an unexpected outage.

Route Policy provides prefix-limiting and filtering capabilities that act as a safeguard before routes reach your cloud provider. You can configure policies that only advertise specific, well-aggregated prefixes to each cloud provider while blocking more granular subnets, ensuring you stay well under their limits. 

In multicloud scenarios, you might advertise different route sets to different providers based on their limits and your traffic engineering requirements. AWS might receive one set of aggregated routes, while Azure or Google Cloud receives another, each managed through distinct route policies.

Use Case 2: Improved Network Security and Route Leak Prevention

Route leaks — where networks accidentally advertise routes they shouldn’t — remain one of the most persistent threats to routing stability. A single misconfiguration can cause outages by attracting traffic that should flow elsewhere.

Route Policy acts as your first line of defense. By explicitly defining which routes each network will accept from peers and which routes you’ll advertise outbound, you create guardrails that prevent accidental route propagation. 

For example, you might configure a policy that accepts only routes matching specific AS-path patterns from a particular peer, or one that prevents your internal prefixes from being advertised to certain connections. 

This “allowlist” approach means that even if something goes wrong upstream or downstream, your carefully crafted policies keep problematic routes out of your routing table.

Use Case 3: Traffic Engineering with Attribute Modification

Not all paths through the network are created equal. 

You might have multiple connections between cloud and campus, with some offering better performance, lower latency, or lower costs for certain types of traffic. Route Policy gives you the tools to influence path selection by modifying BGP attributes.

Through attribute modification, you can adjust metrics like local preference, AS path prepending, MED (Multi-Exit Discriminator), and BGP communities to steer traffic along your preferred paths. Perhaps you want to prefer one connection over another for traffic destined to a specific provider or campus, or you want a deterministic path and failover between connections. Route Policy lets you encode these traffic engineering decisions directly into your routing configuration, ensuring traffic flows according to your operational and business requirements rather than relying solely on BGP’s default best-path selection.

Getting Started

Internet2’s Route Policy feature is now available for Layer 3 connections using the Virtual Networks Cloud Router in Insight Console. The console interface provides an intuitive way to create and manage policies, with full documentation available to guide you through configuration options.

Whether you’re looking to improve your network security posture, implement traffic engineering, or protect your networks from route overload, Route Policy gives you the control and flexibility you need. As cloud connectivity continues to grow in complexity, tools like this become not just helpful — but essential.

If your institution uses Virtual Networks Cloud Router, now is the time to explore Route Policy, what it enables, and how you can use it to be most effective. 

Ready to get started? Visit the Route Policy documentation for step-by-step guidance through all available configuration options. Then log in to Insight Console to configure your first policy today.

ICYMI

• Restoring Critical Cloud Access Through Internet2 Insight Console’s New Route Policy
• Internet2 Insight Console Now Reveals Your Network’s Routing Intentions

When asked about the importance of identity proofing in lieu of the new federal requirements,  Ann West, senior director of Strategic Partnerships & Research at InCommon, says identity proofing is one of the most powerful strategies institutions have to mitigate fraud. 

“But it’s not an IT problem,” West stated. “It’s a business problem that touches admissions, HR, the registrar, financial aid, and research administration all at once.”

Multi-factor authentication (MFA) was once the golden practice, but even it is no longer enough. Its effectiveness depends on the strength of the identity being authenticated. Attackers know this, so they target enrollment, onboarding, and account recovery, posing as incoming students to obtain a “real” credential in the first place.

“Strengthening identity and security is fundamentally an institutional process challenge, and that’s what makes it both complicated and consequential,” West said. 

For many campuses, the hard part is not agreeing if identity proofing is needed. The truly hard part is figuring out where identity proofing actually happens across campuses, who owns those processes, where current security gaps lie, and turning loose practices into a robust approach that keeps faculty, staff, and student data safe. 

“Identity fraud in higher education is no longer an edge case. It’s a systemic risk that costs institutions hard dollars, compromises institutional brand, and undermines the integrity of research,” said West. 

Because it can seem like a major undertaking to implement identity proofing systems while juggling the day-to-day, Internet2 and InCommon are making it easier by providing resources and opportunities to meet you at any point of your identity proofing journey.

These resources will help you get aligned, get specific, and get moving by enabling you to:

• Build a stronger understanding of identity proofing through key terminology, frameworks, NIH guidance, and community-shared resources.
• Identify meaningful use cases on your campus and better understand the operational and financial implications of identity proofing.
• Take practical steps through hands-on workshops, assessments, and an 8-week accelerator focused on creating a roadmap for identity proofing readiness.
• Apply community-informed guidance to better support researchers, institutional systems, and long-term strategy.

“Acting now means campuses can build toward prevention rather than scrambling to meet a hard deadline while managing a breach or an audit,” West explained, speaking about this community-driven support offered through both InCommon and Internet2. 

West’s point underscores the challenge facing higher education: this is not simply about checking a box on a federal requirement by 2027. It’s about building a stronger, more coordinated approach to identity proofing that protects institutional operations, research, and trust before pressure turns into crisis.

Get Ahead of 2027

With 2027 approaching, institutions don’t have time to start from scratch or work in isolation. Explore the resources, guidance, and community support available now to assess your readiness and start building a smarter path toward compliance.

FAQs

In case you missed the January 2026  IAM Online, “Making it Easier for Researchers: NIH’s use of InCommon for Controlled-Access Data,” here are three questions from our session to help shape your understanding of the NIH and federal compliance.

But this wasn’t a singular complaint. It was a consistent frustration across the higher ed community, and Internet2 NET+ was intent on making sure it didn’t remain one, raising the concern to AWS.

Gerard Shockley, director of IT at Boston University, has been working with Transit Gateway since 2018 and has been advocating for better cost visibility for almost as long. 

“When Transit Gateway came out, I asked for two things: to make it free for higher education, and give us observable metrics across attachments,” Shockley recalled. Free wasn’t on the table, but AWS began considering ways to improve visibility into Transit Gateway usage.

Shockley’s individual advocacy for change was not having the desired impact.

Making the Case, Together

Shockley wasn’t alone. Starting in 2021, institutions like Carnegie Mellon, Northwestern, the University of Colorado, and the University of Utah raised this issue through Internet2 NET+ AWS, a community of AWS and Cloud Infrastructure Community Program (CICP) subscribers who meet bi-weekly to discuss shared learning and challenges. 

The group’s request was consistent: give us the ability to attribute Transit Gateway costs to the accounts using the service, not just to the organization that owns the service.

AWS listened. In November 2025, they released Flexible Cost Allocation for Transit Gateway, allowing administrators to direct network traffic costs to the source or destination account when appropriate. The feature supports granular configuration down to individual flow levels, enabling precise, consumption-based chargeback models.

The Outcome of Community Influence

Chris Manly, program manager of Cloud Infrastructure and Platform Services at Internet2, has seen the budget reality behind these challenges firsthand, pointing out stark differences between higher ed and corporate environments while highlighting the benefits of a service provider that listens.

“It’s often a frustrating reality in higher ed that budgeting and financial frameworks preclude the best technical architecture,” Manly said. “Flexible cost allocation allows schools to use the best technical approach without needing to compromise due to budget constraints.”

Unlike commercial environments where centralized infrastructure costs often come from a single budget, In higher ed –especially for externally funded research – costs need to flow back to the department or grant that generated them. When you can’t do that, you’re left choosing between good architecture and workable finances.

Transit Gateway cost allocation removes that tradeoff.

As Kevin Murakoshi, principal solutions architect at AWS and lead technical resource for the NET+AWS community, points out, “A whole feature was released because of the Internet2 community advocacy,”. It came from years of  sustained conversation between AWS and the higher ed community through the NET+ AWS program during which institutions articulated the same need and documented the demand.

As an ongoing effort to refine the flexible cost allocation feature, the team at Boston University is currently evaluating it and will provide useful feedback to the AWS service team. Shockley notes that being part of the NET+ AWS community and working with AWS has been a seamless experience and that seeing the community’s feedback turn into real product improvements makes the effort worthwhile.

The success of this feature launch is a testament to the power of the NET+ program. By bringing together institutional experts and vendor partners like AWS, the community ensures that cloud services are optimized for the unique needs of research and education.

Join the community that turns feedback into features and institutional change.

Your institution’s challenges shouldn’t be a casual sigh or another “just the way it is.” Add your voice. Shape the tools your institution depends on.. For CICP subscribers, this is a clear example of participation turning into influence.

In Campus Technology’s 2026 Cybersecurity Trends to Watch in Higher Education, Kevin Morooney, vice president of trust and identity and NET+ cloud programs at Internet2, shares his perspective on OpenID Federation’s potential as a next-generation trust framework for research and education (R&E).

“Over the last few decades, identity and access management trust federations have enabled students, faculty, researchers, and staff on college and university campuses to access a wide range of online services and resources using a single set of credentials issued by their home institution,” Morooney said.

2025 Advance CAMP Series: How IAM Teams are Adapting Practices to Address Operational Pressures

InCommon is publishing a series of blogs to recap what we learned from the IAM community during Advance Camp at the 2025 Internet2 Technology Exchange.

The second blog of the series focuses on operational approaches, automation strategies, and emerging practices that emerged during ACAMP discussions. See how IAM teams are responding to challenges around scale, security, and sustainability.

ICYMI

• Internet2’s Chris Wilkinson Appointed to Global Network Advancement Group Leadership Team
• perfSONAR Celebrates 20 Years of Simplifying Global Research Collaboration Through Standardized Network Measurement and Testing
• Indiana University’s NEA3R Expands with Internet2, Boosting Global Research Connectivity
• CANARIE, ESnet, GÉANT, and Internet2 Unveil Highest Capacity Transoceanic Connectivity for Research and Education