Our customers’ businesses have for many years run on MPLS-based VPN networks, configured in a hub and spoke topology with their internet access provided centrally via their data centres which are heavily stacked with firewalls and policy controllers.
But increasingly, their needs are changing.
We’re seeing a consolidation of data centres and a move to third party data centres. There’s a move to running workloads in virtual hosting provided by hyper-scale players like Azure and AWS, as well as to cloud-provided apps such as Office 365. And don’t forget people. Employees are increasingly accessing these services from company provided or BYO mobile devices, not over the LAN.
That means that traffic patterns are changing. There’s an increasing need to access the internet directly, and the applications being used are becoming less dependent on network performance to provide a good end-user experience.
SD-WAN can re-create the private VPNs our customers currently enjoy, using the internet as the transport and carrying site-to-site traffic in encrypted overlay tunnels. Using intelligent path selection and application prioritisation it can also address end-user performance issues.
Multiple vendors provide SD-WAN solutions, either as edge devices or network-hosted devices which customers deploy and manage themselves, or as a managed service from various Service Providers.
To exploit these technologies and address their changing needs, customers must choose both a route to benefit and a speed of change, evolution or revolution, that best fits their digital transformation agenda and appetite for risk.
In all the excitement about SD-WAN, the underlay network is often forgotten. But getting it right is vital.
Typically, customers just see two types of internet options being available to them – direct or dedicated internet access (DIA) or consumer grade broadband.
But it’s much more granular than that, which means customers risk picking the wrong option, or not specifying sufficient detail in their RFPs, and hence their SD-WAN implementations fail to deliver the benefits they hoped for.
First of all, you need to make sure internet is the right option for you, based on a balance of cost, reach and security. It’s worth noting that MPLS is far from dead, despite the sensational headlines. Private networks – in the form of MPLS, Ethernet or optical – still have a role to play, because their traffic is kept separate from the public internet and their performance is more predictable. In fact our global MPLS port volumes are growing as more customers want higher-speed ports on a global basis.
If internet is the best choice, we’ve defined five “grades” based on a number of quality of service attributes, such as availability, SLA, contention ratio and resiliency and engage with our customers around these grades of internet to make sure our solutions match their price /performance requirements.
That means we can have a more informed conversation with the customer about their real requirements, so they understand what they are getting and there are no nasty surprises, for example when something goes wrong and fix times aren’t what they expected, or when a shared service doesn’t deliver the bandwidth they needed at peak times.
The reality is that it is complex, with a lot of things to think about. One of the most important is the underlay, and deciding where to go for internet, MPLS or a hybrid approach. But you also need to consider how you’re going to break out on to the internet, locally or centrally.
An MPLS-based network is private in the sense that a customer’s traffic is kept separate from other customers’ and from the public internet, although it is not encrypted by default and it doesn’t stop an attacker who is already on a site. Introducing local internet breakouts moves the exposed edge of the network from a small number of central locations to a large number of geographically dispersed ones, increasing your internet access points from three or four in a few key locations to 300-400 around the globe. This increases your attack surface and drives a move away from perimeter security, which aims to keep bad actors out, to identity and role based security, which limits the damage that can be done once a bad actor gets in. Reducing the risk means, at the very least, stateful access control lists (ACLs) at every site that permit only connections initiated from inside the site and their return traffic, and next generation firewalls at every site where inbound access is required. This is a cost and consideration the hub and spoke topology never required, and it drives a new debate between the network architects with their supporting Network Operations Centre (NOC) and the security architects with their supporting Security Operations Centre (SOC).
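The difference between a plain router ACL and a stateful firewall at a branch breakout is easy to underestimate, so here is an added example (not code from the original article or from any SD-WAN vendor) that models both policies for an “outbound-initiated only” site. The stateless ACL is the classic Cisco-style “permit tcp any LAN established” rule, which has no memory of flows and can only check the TCP ACK/RST bits; the stateful policy keeps a connection table. The LAN prefix, addresses, ports and packets are constructed for the demo.

```python
"""Toy comparison of a stateless 'established' ACL and a stateful firewall
for a branch site that may only initiate connections outbound.
Added example; LAN prefix, hosts and packets are constructed, not real."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

LAN = ip_network("10.20.0.0/24")  # constructed branch-site LAN prefix


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                          # "tcp" or "udp"
    sport: int
    dport: int
    flags: frozenset = frozenset()      # TCP flags, e.g. {"SYN"}, {"ACK"}


def stateless_acl(pkt: Packet) -> bool:
    """Inbound ACL on the internet-facing interface of a branch router.
    Equivalent to 'permit tcp any LAN established' followed by 'deny any':
    with no flow memory, the only signal that a packet is a reply is the
    ACK or RST bit, so anything else (including all UDP) is dropped."""
    if ip_address(pkt.dst) not in LAN:
        return False
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})


@dataclass
class StatefulFirewall:
    """Connection table: inbound traffic is accepted only if it is the reply
    direction of a flow that a LAN host opened first."""
    table: set = field(default_factory=set)

    def outbound(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in LAN:
            return False
        # Remember the 5-tuple so the reverse direction is recognised.
        self.table.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        # A reply has src/dst and ports swapped relative to the stored flow.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


def demo() -> dict:
    """Run four constructed scenarios; each value is
    (allowed by stateless ACL, allowed by stateful firewall)."""
    fw = StatefulFirewall()
    results = {}

    # 1. A LAN host opens HTTPS to a SaaS endpoint; the SYN/ACK comes back.
    out = Packet("10.20.0.15", "203.0.113.10", "tcp", 51000, 443, frozenset({"SYN"}))
    reply = Packet("203.0.113.10", "10.20.0.15", "tcp", 443, 51000, frozenset({"SYN", "ACK"}))
    fw.outbound(out)
    results["legit_reply"] = (stateless_acl(reply), fw.inbound(reply))

    # 2. Unsolicited inbound SYN to SMB (a scan): both policies drop it.
    syn = Packet("198.51.100.7", "10.20.0.15", "tcp", 40000, 445, frozenset({"SYN"}))
    results["unsolicited_syn"] = (stateless_acl(syn), fw.inbound(syn))

    # 3. Crafted ACK-only probe (an ACK scan): the stateless ACL cannot tell
    #    it from a reply and lets it through; the stateful table rejects it.
    ack = Packet("198.51.100.7", "10.20.0.15", "tcp", 40000, 445, frozenset({"ACK"}))
    results["ack_probe"] = (stateless_acl(ack), fw.inbound(ack))

    # 4. DNS over UDP: the stateless 'established' ACL has no way to admit
    #    the legitimate reply, so operators end up opening UDP more widely.
    dns_q = Packet("10.20.0.15", "203.0.113.53", "udp", 53000, 53)
    dns_r = Packet("203.0.113.53", "10.20.0.15", "udp", 53, 53000)
    fw.outbound(dns_q)
    results["udp_dns_reply"] = (stateless_acl(dns_r), fw.inbound(dns_r))
    return results


if __name__ == "__main__":
    for name, (acl_ok, fw_ok) in demo().items():
        print(f"{name:16s} stateless_acl={acl_ok!s:5s} stateful={fw_ok}")
```

The two failure modes in scenarios 3 and 4 are why “ACLs limited to outbound only” is the floor, not the target: a flag-based ACL both admits crafted probes and forces UDP services to be opened more broadly than intended, whereas a connection-tracking firewall admits exactly the return traffic of site-initiated flows.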
Every enterprise deployment is unique, but SD-WAN in itself often doesn’t save you money. The money is saved by transforming your underlay, and by simplifying router configuration management if you do this yourself (many use a service provider).
The savings you can make in the underlay vary depending on where you are in the world and what type of site you have at that location. Gartner’s 2018 report, Fact or Fiction: Does SD-WAN Really Save You Money?, is useful in helping you plan your SD-WAN implementation. Many of our customers see the business case as obvious in their North American locations, where there is a significant cost difference between MPLS and good quality internet, whilst the European and Asian parts of the same business struggle more with it, because there the savings have to come from a move to broadband.
Catch Keith on the panel discussion on The Longest Mile - selecting and sourcing the underlay network, 17 October 2018, at the WAN Summit, London.
Find out more about how you can consolidate and optimise your IT.
Gartner, Fact or Fiction: Does SD-WAN Really Save You Money?, Ted Corbett, Andrew Lerner, Mike Toussaint, 27 February 2018.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.