by Claudio Scola
Society has moved beyond smoke signals and carrier pigeons, but given the ever-changing demands on your business, your network may still be in need of some modernization. Businesses are rapidly moving to the cloud and getting the right blend of public and private cloud is critical in supporting the future demands of IT. The data center has evolved into various ‘as a Service’ (XaaS) models and the network is following suit. If you’re considering or already using a CSP (Cloud Service Provider) or even just SaaS based applications, your network needs to evolve. How?
1. Private Cloud Connectivity
Public cloud is no longer just a development sandbox. Applications that demand scale and agility are migrating to public cloud. The first thing you can do is to take advantage of the increasing number of direct connectivity options open to you. If your data center was accessible via private networks, then why not your Virtual Private Cloud (VPC)? For shared workloads and Disaster Recovery (DR) sites, look to choose a scalable layer 2 connection between your DC, DR and VPC sites. For direct branch office access, look for a layer 3 direct connection option.
Cloud connectivity gives you predictable and controllable app performance. It also simplifies your approach to securing your VPC access. Your network service provider should already have 10 Gbps interconnects with your CSP at all of their locations and be able to provide you with up to 3 Gbps of bandwidth over these physical connections. If you require more, the service provider should be able to provide you with a dedicated interconnect.
Software defined networking (SDN) is transforming the way WANs work just as it did for the data center industry. Networks used to be configured manually by logging into each device through a terminal and typing text-based instructions to configure it. With standard network services, ‘config’ files are pasted in from templates and variables such as IP addresses and bandwidth values are edited. This basic method has hardly changed in decades, but now, SDN is finally modernizing service delivery. SDN allows this control to be orchestrated by a software program that automatically configures all the network elements required to build or change the service. This ‘Lifecycle Service Orchestration’ means that the timing of your commercial and functional changes to your network service can happen in minutes instead of months. Control can be presented via a portal or API (application programming interface) just like your public cloud service. If done right, this movement towards Network as a Service allows you to control your user experience to match the changing needs of your business.
The best place to start is with your carrier Ethernet connectivity between your clouds, especially if you’re moving to a hybrid cloud model. When sharing computer workloads between different clouds, your business really needs an agile, dynamic network. Otherwise the necessary connectivity becomes cost prohibitive through over provisioning of masses of bandwidth and the change control could be cumbersome, impeding your cloud transformation. SDN-enabled carrier Ethernet overcomes this bottleneck. Once SDN is enabled across the cloud interconnect to the CSP, via an API, you will have full end-to-end dynamic control of that network service right into your VPC.
3. Public-Private Agnostic Branch Connectivity
Not all of your applications are going to be deliverable via private connectivity such as an MPLS/IP VPN. There will always be something important to your business that is delivered over the Internet. We underestimate our growing dependence on Internet-based applications partly because we don’t manage the corresponding piece of tin in the data center. The modern WAN is a public-private agnostic WAN because end-users and branch offices need to get straight out onto the public Internet to minimize latency. This means the concept of ‘Central Internet Breakout’ has evolved into ‘Local Internet Breakout’. You should not have to worry about how much bandwidth is required for the individual MPLS/IP VPN and Internet services. The balance will change over time as you progress on your cloud journey. You should only need to worry about how much total bandwidth you need. There are several ways of achieving this:
A) Converged Multi-Service Port
With modern Ethernet access to your VPN, it is possible to deliver different services over the same physical port. VPN + Internet can be delivered via logically separated VLANs over the same physical circuit. At the local PoP (Point of Presence) the service provider should be able to switch the Internet VLAN straight out onto the Internet and the private network VLAN straight into the MPLS/ IP VPN. This way you maximize the ROI over the most expensive part of the network, which is the last mile access.
B) IPSec Split Tunnel
For less critical sites, smaller sites or sites that are just hard to reach for enterprise-grade connectivity, you may be leveraging the Internet for WAN access. Local Internet traffic can pass straight out onto the Internet and private traffic can use an IPSec tunnel. This mode of operation is call IPSec split tunnelling.
C) Hybrid WAN Access
A Hybrid WAN is where you use physically separated Internet and MPLS/IP VPN circuits as part of your WAN delivery to the branch. Both circuits are used concurrently and can failover to each other in the event of a single circuit failure.
4. Hybrid WAN and SD WAN
The time is right to start considering using both the Internet and MPLS/IP VPN to provide connectivity to the branch site. MPLS provides reliability, SLA-backed performance and the ability to prioritize different applications using Class of Service (CoS). The Internet can provide a cost effective way of augmenting the ‘Best Effort’ Class of Service as well as providing local Internet breakout as outlined above. With the growth in SaaS based applications, dependence on social media and Wi-Fi, the role of the ‘best effort’ class of service is changing. It’s no longer good enough to take the legacy WAN approach to this traffic class, which is to limit it to protect the critical applications. The modern way is to find a cost effective augment of the ‘best effort’ bandwidth. There are several ways of augmenting this traffic class. If you are using a fraction of your port speed, you could use a committed bandwidth level with usage-based billing of burst traffic or use a hybrid WAN. The advantage of a hybrid WAN is that the dual access can provide a higher availability solution but it can be difficult to configure and manage effective load-sharing of traffic across both links. By investing in SD WAN CPE (Customer Premises Equipment), the load-sharing of traffic becomes simpler to manage.
If you’re considering SD WAN CPE, then do make sure that your solution supports Local Internet Breakout, access to your CSPs and the basic routing functions need to utilize the WAN links without the additional expense of routers.
5. Ubiquitous Network-Based Security
To maximize cloud application performance, the modern WAN delivers Internet straight into the branch office instead of hair-pinning through a central firewall. Individuals are more mobile now with an increasing number of enterprise applications being supported on phones and tablets. Trusted perimeters have dissolved, revealing a borderless network. Most businesses today don’t want to buy and manage a whole bunch of branch office firewalls, especially after their IT centralization and data center consolidation projects from a few years ago. The modern WAN utilizes security within the network service provider’s PoPs to protect sites and individuals from threats and to provide secure remote access VPNs. There are some important aspects to remember when selecting cloud based security:
A) Ubiquity – The security PoPs need to be located close-enough to the end users to minimize latency from hair-pinning traffic and to have high quality local connectivity to the Internet
B) The security appliance needs to be a next-gen firewall in order to provide application layer ‘secure web gateway’ functionality
C) Policies need to be self-service configurable on a per-user, per-group and per-site basis. The main way to manage this is by having a domain controller directory service (such as Microsoft Active Directory) federated with the security solution. Security Assertion Markup Language (SAML) allows this seamless integration to happen and hence the support differentiated classes of access within the security policy. To put it another way, the business gets to enforce a more holistic compliance policy.
D) Powerful business-aligned policies are only possible with good visibility of traffic analysis up to the application layer and by domain user-group.
6. Outsource the Management
With the increasing demands on the IT department to grow and transform the business, the CIO is driving the department to focus on and eliminate risk from growth and transformation initiatives. They don’t want to pull resources off these initiatives to help keep the lights on; a business’ precious resources should be focused on what differentiates the business and improves customer experience. This means that outsourcing the day-to-day management of IT and network operations is an increasingly common practice. If your business is large enough to justify dedicated network operations people, then why not buy this resource as a service from your WAN provider?
The days of the legacy MPLS/IP VPN are numbered. Modernizing the WAN involves a holistic approach to the design, management and technology choices that CIOs need to make. By making the right choices, you can gain a competitive edge. By getting it wrong, you could choke progress.