Article written by ZK Research founder and principal analyst Zeus Kerravala, on behalf of Silver Peak
The concept and benefits of local internet breakout have been tossed around for decades. Sure, maybe you know someone, who knows someone who talked to a network engineer who deployed it once, but that’s about as close as any of us have come to seeing it in a production environment.
Prior to being an analyst, nearly 20 years ago, I ran networks of various sizes and had wanted to do local internet breakout even back then. The benefits are obvious as it optimises network bandwidth and application performance.
Traffic meant for the data centre from a branch should traverse the wide area network (WAN) and sessions that are bound for the cloud should go directly to the internet.
So why has local internet breakout gone mainstream?
Doing local internet breakout with a traditional MPLS hub-and-spoke type of network was overly difficult as the MPLS connections weren’t really designed for split connections. However, the rise of software-defined WANs (SD-WAN) has made this possible as the broadband connections are optimised for direct-to-internet connectivity. Even in hybrid configurations, network professionals can architect the WAN so that on-net traffic uses the MPLS connection and cloud-destined traffic runs over broadband.
One challenge remains with local internet breakout and that’s security. Even if the complexity issues are solved, the security issues are so daunting that it’s unlikely businesses would ever have shifted to that architecture.
Historically, there hasn’t been a cost-effective way of securing local internet connections from every branch office. Businesses would ultimately be faced with buying a firewall for every location. In fact, to ensure resiliency it’s likely that two firewalls would need to be deployed.
In addition to a firewall, it’s likely the company would want to deploy a range of other security devices to mirror the DMZ in the data centre. The cost of doing this with conventional hardware appliances could easily eclipse tens — or even hundreds — of thousands of dollars per site.
Companies are forced to choose between extraordinary costs and sub-par performance. Fortunately, there are solutions today that enable companies to leverage the benefits of split tunnelling without having to break the bank on security, and they come in the form of virtual services.
The traditional security model was to deploy one function per appliance per site because the service was tightly coupled with the underlying hardware. Virtual services decouple the security functions from the hardware and allow them to be run in a virtual machine on any device. This includes WAN optimisation devices, commodity servers, conventional routers or SD-WAN appliances.
Alternatively, all the traffic could be run through a cloud provider and the security policies provisioned as a cloud service. Conventional thinking is that the security features should be deployed in the branch itself, but if the first hop is always to a cloud provider, then having the security functions one hop away makes no difference.
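The steering policy described above (on-net traffic over MPLS, cloud-bound traffic broken out over broadband, with the security function either on the branch appliance or one hop away in a cloud service) can be expressed as a small longest-prefix-match table. The following is an added illustration, not code from the article, Silver Peak or any SD-WAN product; the prefixes, site policies and the "branch-vnf" / "cloud-security" labels are constructed for the example. The audit function shows the check a practitioner would want: any breakout route that sends traffic straight to the internet with no inspection point is flagged.

```python
"""Split-tunnel steering with a mandatory inspection hop (added example).

Models the hybrid SD-WAN policy the article describes: branch traffic bound
for the data centre stays on the MPLS path, traffic bound for SaaS/IaaS breaks
out over broadband, and every internet-bound flow must traverse an inspection
point, either a virtual firewall on the branch appliance or a cloud-delivered
security service. All prefixes and labels below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    path: str                   # "mpls" (on-net) or "broadband" (local breakout)
    inspect_at: Optional[str]   # None, "branch-vnf" or "cloud-security"


# Constructed default policy: the most specific prefix wins, and 0.0.0.0/0 is
# the internet-breakout default. Internet-bound traffic goes to a cloud
# security service first (the "first hop is the cloud provider" model).
POLICY = [
    Route(ip_network("10.0.0.0/8"), "mpls", None),        # data centre / on-net
    Route(ip_network("172.16.0.0/12"), "mpls", None),     # other private ranges
    Route(ip_network("192.168.0.0/16"), "mpls", None),
    Route(ip_network("0.0.0.0/0"), "broadband", "cloud-security"),
]

# Constructed policy for a site that runs a virtual firewall on its SD-WAN
# appliance, plus a bypass route someone added "for performance" that sends
# one external range straight to the internet with no inspection.
SITE_B_POLICY = POLICY[:-1] + [
    Route(ip_network("0.0.0.0/0"), "broadband", "branch-vnf"),
    Route(ip_network("198.51.100.0/24"), "broadband", None),
]


def longest_match(dst: str, table: list[Route]) -> Route:
    """Return the most specific route whose prefix contains dst."""
    addr = ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        raise ValueError(f"no route for {dst}")
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def steer(dst: str, table: list[Route] = POLICY) -> tuple[str, Optional[str]]:
    """Decide the WAN path and inspection point for a flow to dst."""
    route = longest_match(dst, table)
    return route.path, route.inspect_at


def audit(table: list[Route]) -> list[str]:
    """List breakout prefixes that reach the internet without any inspection.

    Every broadband route must name an inspection point; a None here means a
    direct-to-internet path that bypasses both the branch firewall and the
    cloud service, which is exactly the exposure the article warns about.
    """
    return [str(r.prefix) for r in table
            if r.path == "broadband" and r.inspect_at is None]


if __name__ == "__main__":
    for dst in ("10.20.30.40", "203.0.113.9", "198.51.100.7"):
        print(dst, "default:", steer(dst), "site B:", steer(dst, SITE_B_POLICY))
    print("unprotected breakout routes at site B:", audit(SITE_B_POLICY))
```

The audit is the part worth running regularly: per-site overrides are where an uninspected breakout quietly appears, and checking the policy table is cheaper than discovering the gap from the traffic.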
The virtualisation of security services has many benefits. The most obvious is cost. Virtual security functions typically cost a fraction of a dedicated appliance as there is no custom hardware to buy.
Another benefit is service agility. As an example, consider a business that deploys a hybrid SD-WAN but isn’t ready to implement local internet breakout. After a period of time, network operators become comfortable with this model and seek to test it across a few locations. With traditional security appliances, the hardware platforms would need to be ordered and shipped, and an engineer would have to travel to each site to manually configure each device.
Virtual services can be spun up immediately so the infrastructure requirements are no longer impeding the business. One last benefit is that maintenance and upgrades are easier to do. Because the security functions are software, upgrades can be scheduled and automated across all sites.
The many benefits of local internet breakout range from cost efficiency to significantly improved SaaS performance. Despite the strong value proposition, production deployments are rare and the complexity of implementation can be overwhelming.
The virtualisation of security functions makes it much easier to deploy whatever security services are required, wherever the company wants. Finally, local internet breakout can become a reality for companies looking to securely and directly connect branch workers to SaaS applications and IaaS instances.