Moving to Cloud? SD-WAN Matters!

3 Key Capabilities Will Determine Success

In the last several years we’ve seen a major shift in the data center as organizations move to the cloud, whether private or public. More and more, customers are leveraging software as a service (SaaS) applications and cloud services from providers such as AWS, Google, Microsoft Azure and others. This has shifted enterprise data traffic patterns as fewer and fewer apps reside within the walls of corporate data centers.

This major shift in the app consumption model is having a huge impact on organizations and infrastructure. In the recent article “How Amazon Web Services is luring banks to the cloud”, we see that some companies have already moved completely to public cloud. An interesting fact is that while many organizations have stringent regulatory compliance requirements, they have still made the move to cloud. This tells us two things: the maturity of public cloud services and the trust these organizations place in public cloud are both high. Again, it is all about speed and agility – without compromising performance, security and reliability.


What is the correlation of adopting SD-WAN and moving to the cloud?

As the cloud enables businesses to move faster, an SD-WAN architecture based on business intent is key to ensuring success, especially when branch offices are distributed across the globe. Traditional WAN architectures are not designed to support the new consumption model of apps in the most efficient way. This means access to apps residing in the cloud will traverse unnecessary hops, resulting in wasted bandwidth, additional cost, and potentially higher packet loss and latency. In addition, organizations can’t afford to operate under the existing, traditional WAN model, where management tends to be rigid and complex and network changes can be lengthy, whether setting up new branches or tackling potential issues. This all leads to inefficiencies and a costly operational model. Therefore, businesses will benefit from simplifying their WAN architecture to achieve agility.

The right SD-WAN solution will tackle all the challenges inherent to the traditional model and support the new app consumption model. This means policies are defined based on business intent and traffic is intelligently steered based on where the app resides, without unnecessary extra hops or security compromises. For example, if the app is hosted somewhere in the cloud, then traffic will be automatically directed to it without backhauling to a POP or HQ data center. In general, this traffic goes across an internet link which, on its own, may not be secure. However, the right SD-WAN solution will have built-in stateful firewall capabilities for internet breakout, allowing only branch-initiated sessions to enter the branch, and will be able to steer traffic to a cloud-based gateway if necessary before forwarding it to its final destination. If the application is moved and becomes hosted by another provider, or perhaps moves back to a company’s own data center, traffic needs to be intelligently redirected, no matter where the app is sitting.

Let’s look closer at each of these capabilities that will be impacted with apps consumed from public cloud: Intelligent traffic steering, automated performance enhancement and comprehensive security.

  • Intelligent traffic steering – This requires insight into both HTTP and HTTPS traffic and the ability to identify apps based on the first packet received in order to steer traffic onto the right link based on business intent. This is critical because once the TCP connection is NATed with a public IP address, it cannot be switched to another link, so applications can’t be re-routed once a connection is established. So the ability to steer traffic based on the first packet – and not the second or tenth packet – to the correct destination will assure app SLAs, minimize waste of expensive bandwidth and meet compliance requirements.
  • Automated performance enhancement – Regardless of which link the traffic ends up traversing based on business intent, an SD-WAN solution must enhance application performance automatically without human intervention when packets are lost or received out of order on the other end or even under high latency conditions that can be related to distance or other issues. Lastly, an overlay tunnel can be created by bonding multiple WAN transport services together to create a single larger, logical connection. Traffic for a single application can be load-shared across the tunnel, delivering even higher application performance.
  • Comprehensive security – There needs to be a multi-dimensional approach to reduce risk. First, isolate applications using a business intent, policy-driven approach based on virtual WAN services to separate traffic and access. Second, communications between end points can be limited to encrypted tunnel traffic. Third, traffic coming to the branch must be limited only to sessions initiated internally by users, complemented with a built-in stateful firewall to avoid appliance sprawl and higher operational costs. This is referred to as the app whitelist model. Fourth, internet-bound traffic can be service chained to a cloud-based security gateway like Zscaler for layer 7 inspection and analytics. Lastly, security can’t be treated independently from networking. They must complement each other to achieve the highest levels of security in the most effective way. This includes capabilities like identifying apps based on the first packet and ease of service chaining with third-party solutions such as Palo Alto Networks, Fortinet and Infoblox.
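
The first-packet steering and branch-initiated-session rules described in the list above can be modelled with a single flow table; the sketch below is an added illustration, not code from the article or from any vendor. The prefixes, link names and addresses are constructed, and real stateful firewalls also track TCP state and session timeouts, which are omitted here.

```python
# Added illustration: first-packet link selection plus a
# branch-initiated-only inbound rule. All values are constructed.
import ipaddress
from typing import NamedTuple

class Flow(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)

# Hypothetical business-intent policy: destination prefix -> WAN link.
POLICY = [
    (ipaddress.ip_network("198.51.100.0/24"), "internet-breakout"),  # SaaS app
    (ipaddress.ip_network("10.0.0.0/8"), "mpls-to-dc"),              # internal app
]
DEFAULT_LINK = "cloud-security-gateway"  # unknown apps get service chained

class BranchEdge:
    def __init__(self, policy):
        self.policy = list(policy)
        self.sessions = {}  # Flow -> link chosen on the first packet

    def outbound(self, flow: Flow) -> str:
        """Classify on the first packet; later packets reuse the pinned link."""
        if flow not in self.sessions:
            dst = ipaddress.ip_address(flow.dst)
            link = next((l for net, l in self.policy if dst in net), DEFAULT_LINK)
            self.sessions[flow] = link
        return self.sessions[flow]

    def inbound(self, flow: Flow) -> bool:
        """Accept only replies to sessions the branch itself opened."""
        return flow.reverse() in self.sessions

def demo():
    edge = BranchEdge(POLICY)
    saas = Flow("tcp", "10.1.1.20", 51000, "198.51.100.7", 443)
    first = edge.outbound(saas)
    # Policy changes mid-session: the NATed flow stays on its original link.
    edge.policy.insert(0, (ipaddress.ip_network("198.51.100.0/24"), "mpls-to-dc"))
    later = edge.outbound(saas)
    reply_ok = edge.inbound(saas.reverse())
    unsolicited = edge.inbound(Flow("tcp", "203.0.113.9", 4444, "10.1.1.20", 22))
    return first, later, reply_ok, unsolicited

if __name__ == "__main__":
    print(demo())
```
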

In conclusion, if your business is global and depends on cloud, as in the case of Dubai-based Aramex, it is imperative to choose an intelligent, flexible SD-WAN solution that is based on business intent and can translate that intent into a high-performance and highly secure WAN. Learn more at silver-peak.com.


Copyright © 2017 IDG Communications, Inc.