The movement to cloud-based services is advancing rapidly, with more than 50 per cent of CRM applications already Software as a Service-based (SaaS). However, most corporate WANs are still built for the pre-cloud world, focusing mainly on efficient data transmission between branches, headquarters and data centres.
Essentially, the traditional corporate WAN was optimised for transferring information between physical locations owned or rented by the enterprise.
But the world has changed. In examining how the WAN architecture should change along with it, we find inherent trade-offs between centralising and distributing functionality.
With the central approach, all Internet-destined traffic is backhauled through a firewall at a central location. This hub-and-spoke design is straightforward to secure, but the inevitable backhauling is sub-optimal in an environment where cloud services are important: traffic to or from a branch office accessing a relatively nearby SaaS service may traverse a distant data centre.
In many enterprises, cloud applications generate most of the traffic, driven by the continued adoption of software and infrastructure-as-a-service (IaaS). In response, enterprises are motivated to consider a fully distributed or direct-to-net architecture.
The direct-to-net approach, with its associated complexity, means installing a firewall at every branch. So do we need to choose between fully centralised (backhauled) and fully distributed (direct-to-net)?
The answer is no.
"If you go with the traditional WAN architecture, the cloud apps will suffer. If you go all Internet VPN architecture, the corporate apps suffer," Gartner's Andrew Lerner points out. In response, many enterprises have turned to a regional hub approach.
But because the network relies exclusively on IP routing, the hubs may direct traffic indiscriminately to either service (SaaS-1 and SaaS-2 in our case) regardless of the likely latency. Despite these potential inefficiencies, the regional hub approach often strikes a good balance and solves many of the problems in creating a cloud-ready WAN.
Moreover, a security-as-a-service solution can provide similar benefits to a regional hub architecture, as secure virtual gateways can separate regional/branch business traffic from Internet traffic, redirecting each traffic type accordingly.
Another regional hub advantage arises in other web services, such as ‘home from work’ mail services or social media. Here, users don’t care about optimising traffic and certainly don’t want to have to log all access to it.
Finally, an SD-WAN architecture moves us closer to being fully cloud-ready by taking any existing corporate WAN (which may be based on MPLS) and optimising it with available broadband links. The recently introduced SD-WAN architecture improves on the regional hub approach by determining the optimal egress hub for each cloud service component, and by determining the best path from each branch to each service hub.
Along with business intent overlays, Silver Peak brings together the capabilities of zero touch provisioning, dynamic path control and dynamically applied latency mitigation and data reduction, to give customers the flexibility to access cloud services as efficiently as in-house applications. The right SD-WAN feature set, perhaps combined with a regional hub architecture, leads to a cloud-ready WAN.
Article by Anthony Sarkis, Regional Director – Australia and New Zealand, Silver Peak