SD-WAN - Rethinking Enterprise Architectures
SD-WAN solutions securely address distributed applications
There is a paradigm shift occurring in the enterprise. Application sprawl is the consequence of running IT in a world where public and private cloud, coupled with microservice architectures, has truly disaggregated the traditional application stack. Traditional Wide Area Networks (WANs) were built to address monolithic application stacks that were hosted in a central location, with a relatively fixed path from the client to the resources it accessed. Business critical applications are no longer centrally located – they can exist everywhere.
Changing business needs are forcing a different thinking when designing enterprise architectures. Today, enterprise architectures focus on a larger solution that integrates the WAN, cloud and security into a single architecture. This article will explore how enterprise architectures are evolving and provide insight into why these changes are critical to your business.
The evolution of the network
The data center network architecture evolved with the onset of distributed computing, since most data center networks had been designed to support the original client/server model with north-south traffic patterns, where most traffic flowed in and out of the environment. As applications became more distributed within the data center, they drove the need for east-west traffic patterns, allowing data to flow between nodes for more efficient communication. Spine-and-leaf switching architectures were designed to enable better scalability and higher performance.
The WAN is evolving to become the enabler for distributed applications beyond the data center. Traditional WAN architectures are limited in much the same way that traditional data center switching architectures were limited. Traffic flows that used to be north-south are changing to require data to flow more efficiently east-west. WAN edges are now being deployed in the public cloud and in carrier neutral or co-location facilities to enable more flexible traffic patterns.
Traditional Clos switching architectures enable multistage switching. Similar architectural models are now becoming the standard design foundation for the WAN. As the diagram below illustrates, having multiple crossbars enables greater scalability in switching networks.
References: https://en.wikipedia.org/wiki/Clos_network
Carrier-neutral facilities, such as Equinix, are becoming the intermediate crossbar for the WAN that interconnects public cloud services, private data centers and the Internet. Having an intermediate node deployed within a carrier-neutral facility, co-location facility, or even public cloud infrastructure enables greater scalability and resiliency in the WAN. The figure below illustrates how carrier-neutral facilities can be designed as the intermediate "crossbar" of the WAN. The branches connect to the carrier-neutral facility nodes, which in turn connect to the applications hosted in a private data center, in a public cloud or as a service.
Making the WAN smarter: The advent of the software-defined WAN
Traditional WAN designs are not enabling the agility that is being demanded. Organizations are looking to create new models that are scalable and fully cloud enabled. Commodity Internet bandwidth needs to be a core component for cost containment and user experience but is limited by current security architectures. Security needs to evolve to support a positive user experience where traffic can utilize the best path while remaining compliant and secure.
Software-defined WAN (SD-WAN) technology has been developing for the past few years and has quickly gained acceptance within the market. The foundational components of SD-WAN include transport independence, path intelligence, application aware routing and central management. Many OEMs including Cisco, VMware and Silver Peak have complete SD-WAN solutions that are widely deployed.
Now that SD-WAN capabilities are mainstream, the foundation has been built for a more scalable WAN architecture, one that can be tailored down to the needs of each application. The network topology can be flexible based on the application needs. Service Level Agreements (SLAs) can be configured on the edge device and applied to a specific topology at the application level.
An SD-WAN architecture must include these components:
- Integrated security
- Native cloud support
- Virtualization
- Automation
Integrated security is critical
The days when an organization had only a few Internet connection points are numbered, if not already history. Initial WAN designs that utilized Internet connections only allowed WAN transport over an IPSec tunnel back to the central data centers. There was very limited, if any, Internet breakout at the remote sites. As more applications move to the cloud, there is a new demand to utilize all available Internet bandwidth to enable a better user experience. There are several options that can be utilized to achieve this functionality:
- Tunnel traffic to a centralized or regional security stack
- Tunnel traffic to a cloud security stack
- Trusted application breakout
- Guest traffic local hand off
- Full direct Internet access for all users
A mix of options will most likely be utilized to balance performance with security compliance. Many organizations are choosing to deploy a regional security stack: a well-understood security footprint expanded to a few regional hubs, which improves the responsiveness and resiliency of the hub sites. Trusted application breakout of known SaaS applications, including Microsoft Office 365, is gaining acceptance, allowing these applications to use the local Internet connection directly while all other traffic is sent back to the regional hub site.
While guest traffic is designed to utilize the local Internet connectivity at the location, most organizations do not allow internal employee traffic to reach the Internet over the local connection due to security concerns. Security models have not evolved to support Direct Internet Access (DIA) for internal traffic. However, cloud security platforms are emerging that meet enterprise security requirements without the complexity of deploying a large number of devices at each remote site; these will enable DIA in the near future.
Native cloud integration provides the foundation
Initial connectivity to the cloud was established as an extension of the core data center as applications were migrated to public cloud infrastructure. This created a non-optimal traffic flow for users. As more applications were deployed as a service, traffic patterns started to trombone through the data center: traffic came into the data center from the branches and was then sent back out over the Internet to the Software-as-a-Service (SaaS) providers. This continues a trend that was first seen in data center switching networks. Cloud-based services are changing traffic patterns and driving demand for more scalable architectures.
WAN architecture options that support cloud include:
- Direct connection to cloud provider from private data centers
- Intermediate nodes at regional peering points/carrier neutral facilities
- Connection to cloud providers utilizing public Internet connections and VPN
Current trends in WAN design use direct Internet connectivity to SaaS providers, since many SaaS providers have regional hubs that can provide a better in-region user experience. SD-WAN solutions such as the Cisco SD-WAN Cloud OnRamp for SaaS feature provide monitoring and intelligent routing at the application level to ensure a high-quality user experience for these applications even if the local Internet connectivity is degraded.
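The breakout options listed under "Integrated security is critical" and the SLA-driven path selection described for Cloud OnRamp for SaaS above are both, at their core, a policy decision per flow. The following Python model is an added illustration, not code from the article or from any SD-WAN vendor: the VLAN labels, the trusted-SaaS suffix list, the SLA thresholds, the path names and the sample flows are all constructed assumptions. It sends guest traffic straight to the local Internet, breaks out an allow-listed SaaS application locally only while the measured local path meets that application's SLA, and tunnels everything else (including any host that merely resembles a trusted name) back to the regional hub.

```python
"""Application-aware breakout policy with SLA-based path selection.

Constructed example: trusted SaaS breakout, guest local hand-off, and
default tunnelling of internal traffic to the regional hub. None of the
names, thresholds or sample data below come from a vendor product.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

LOCAL = "local-internet"   # direct Internet access at the branch (assumed path name)
HUB = "hub-tunnel"         # IPSec tunnel to the regional security hub (assumed path name)


@dataclass(frozen=True)
class PathStats:
    name: str            # LOCAL or HUB
    loss_pct: float      # measured packet loss on the path, percent
    latency_ms: float    # measured round-trip latency, milliseconds


@dataclass(frozen=True)
class Sla:
    max_loss_pct: float
    max_latency_ms: float

    def met_by(self, path: PathStats) -> bool:
        return path.loss_pct <= self.max_loss_pct and path.latency_ms <= self.max_latency_ms


@dataclass(frozen=True)
class Flow:
    vlan: str        # constructed VLAN labels: "guest" or "corp"
    dst_host: str    # destination name learned from DNS/SNI, lowercase
    dst_port: int


# Constructed allow-list: DNS suffixes of trusted SaaS, mapped to an application id.
TRUSTED_SAAS: Dict[str, str] = {
    "outlook.office365.com": "office365",
    "sharepoint.com": "office365",
    "teams.microsoft.com": "office365",
}

# Constructed per-application SLA the local path must meet before breakout is used.
SLAS: Dict[str, Sla] = {"office365": Sla(max_loss_pct=1.0, max_latency_ms=150.0)}


def _matches_suffix(host: str, suffix: str) -> bool:
    # Match only on a label boundary, so "evil-sharepoint.com" is not treated as "sharepoint.com".
    return host == suffix or host.endswith("." + suffix)


def classify(flow: Flow) -> Tuple[str, str]:
    """Return (policy class, application id); the id is "" when no trusted app matched."""
    if flow.vlan == "guest":
        return "guest", ""
    if flow.dst_port in (80, 443):
        for suffix, app in TRUSTED_SAAS.items():
            if _matches_suffix(flow.dst_host, suffix):
                return "trusted-saas", app
    return "internal", ""


def choose_path(flow: Flow, paths: Dict[str, PathStats]) -> str:
    """Pick the egress path for a flow under the breakout policy."""
    policy, app = classify(flow)
    if policy == "guest":
        return LOCAL                       # guest traffic is handed off locally, unconditionally
    if policy == "trusted-saas":
        if SLAS[app].met_by(paths[LOCAL]):
            return LOCAL                   # direct breakout while the local path meets the app SLA
        return HUB                         # local path degraded: fall back through the regional hub
    return HUB                             # internal traffic never breaks out locally


def run_demo() -> Dict[str, str]:
    """Route a few constructed flows over a degraded local path; returns host -> chosen path."""
    paths = {LOCAL: PathStats(LOCAL, loss_pct=2.5, latency_ms=60.0),
             HUB: PathStats(HUB, loss_pct=0.1, latency_ms=95.0)}
    flows = [Flow("corp", "outlook.office365.com", 443),
             Flow("corp", "intranet.example.com", 443),
             Flow("guest", "video.example.net", 443)]
    return {f.dst_host: choose_path(f, paths) for f in flows}


if __name__ == "__main__":
    for host, path in run_demo().items():
        print(f"{host:28s} -> {path}")
```

The suffix check is the part worth copying: a breakout allow-list keyed on destination names must match on a label boundary, otherwise a lookalike domain inherits the trusted application's direct Internet path and bypasses the hub inspection stack.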
For Infrastructure as a Service (IaaS) providers, many organizations are opting to design regional peering points at facilities such as Equinix. Equinix has facilities across the globe, and having multiple regional locations supports regional performance requirements and strong resiliency. At the carrier-neutral facility, WAN edges are deployed to terminate tunnels from the remote sites and to provide direct connectivity to public cloud providers through services such as AWS Direct Connect and Azure ExpressRoute. Equinix also allows organizations to peer directly with many ISPs, helping to reduce transport hops in the service provider networks and ensuring better connectivity over commodity Internet connections.
Some organizations are opting to go directly into the public cloud providers over the public Internet. Public cloud providers such as AWS and Azure provide IPSec connections directly into the cloud. This is a good method for initial connectivity to the cloud and, in the long term, as a backup solution. However, larger enterprises prefer a direct connection using technologies like AWS Direct Connect or Azure ExpressRoute, since the connectivity costs can be substantially reduced.
Virtualization enables agility
Early routers were designed using custom hardware such as ASICs to ensure that packets were processed and routed efficiently. It was a severe performance hit when a packet had to be processed by the CPU in software. Those days are over, thanks to Moore's law. CPU performance has reached a level at which software-based networks are viable alternatives to dedicated hardware functionality, offering more flexibility and a longer useful life, since software can be more easily upgraded.
Network Function Virtualization (NFV) describes the process of virtualizing networking functions on standard x86-based hardware. Networking functions including routers, firewalls and WAN optimization devices can now be deployed as Virtual Network Functions (VNFs), where multiple functions run on a single hardware platform. Over time, these VNFs can be upgraded to support new features and functionality. In the future, networks will be software-based systems that can be managed much differently than the hardware networks of today. Software-based systems provide agility by allowing upgrades without the requirement to swap the hardware foundation.
Automation to reduce complexity
Automation will become a critical component in reducing the complexity of network operations. Automation is not a new concept, but how it is being applied to the WAN is compelling. Being able to quickly deploy and provision routers is the new normal. All of the major SD-WAN vendors support automation through the central management portal, enabling the ability to rapidly provision new sites, make changes, fix issues and alert proactively on potential issues and threats.
Call to action
World Wide Technology is leading the enterprise architecture evolution. We partner with the top OEMs to provide cutting-edge technology that is expertly matched to your requirements. Our engineering team can design, test and deploy an integrated enterprise architecture that meets the needs of your organization. Integrated security, support for multiple cloud providers, virtualization and automation capabilities are critical components that must be planned for early in the design phase. Enterprises need to have cross-functional teams engaged in the design process to ensure a broad view is taken of the design elements to meet potential future business needs.
WWT is committed to helping our customers design flexible, forward-thinking wide area networks that take advantage of the latest technology and solutions. Our design methodology is to work with customers in a workshop to understand the core business requirements and to educate them on how the various OEM vendors in the space can support each requirement. WWT has a wide range of demonstrations and sandbox environments in our Advanced Technology Center that enable you to get hands-on experience with the latest SD-WAN technology. Our labs are available for proof-of-concept testing to validate which solution best meets your enterprise's needs.