Postcards from the network edge

I was recently invited to participate on a panel at a major IT conference, where questions from the audience provided an interesting window into the top issues that networking professionals are dealing with as part of their organizations’ digital transformation.

Every enterprise, it seems, is planning a cloud strategy.  On closer inspection, most are already using the cloud in the form SaaS ERP and CRM applications like Salesforce, NetSuite, etc. These applications have performed well enough on top of traditional, legacy networks.

However, newer, more multi-dimensional cloud applications are forcing businesses to look for ways to make their networks more agile. One of these is Microsoft Office 365.  Microsoft is aggressively investing in their infrastructure to provide a superior experience for users. Nevertheless, the enterprise network, and more specifically the wide area network (WAN), remains one of the biggest impediments to providing an on-premise caliber quality of experience for cloud applications. Finding the most efficient exit to Office 365 and best performance server are usually the culprits.

This was a top concern among attendees.

That’s because DNS resolution does not usually provide the most optimal path to a cloud application, but rather the closest service address from the resolver. In many cases, a client device will connect to a server on the wrong coast especially if traffic is being backhauled to the corporate data center.

Meanwhile, Direct Internet Access (DIA) can sometimes help with optimal path selection to a cloud application, but this is not always the case due to BGP routing in the Internet.

In addition, DIA is not an option in certain industries. For example, retail businesses are comfortable using DIA at every location to provide Guest WiFi, but financial institutions are not. They prefer to set-up regional locations that are easier to monitor for security and compliance.  

Using regional exits will provide the closest on ramp to the Internet and most efficient path for DNS resolution. For the moment, let’s leave aside the fact that DNS uses anycast for connectivity and that BGP is not the most efficient protocol for anycast advertisement. That is a topic for another post. Nevertheless, some technique should be implemented to measure the latency to the actual server that the client will be establishing a connection with.

Another hot topic in networking discussions centered on cloud bursting, and development and testing (dev and test) which involve both IaaS (Infrastructure as Service) and PaaS (Platform as a Service).  

Security for IaaS and PaaS was on many people’s minds. Primarily because IaaS is often used for bursting and in most cases extends (often sensitive) corporate applications to the cloud. Most legacy enterprise applications were developed to be inside a secure data center, so the cloud breaks this security model. When part of a corporate network is extended to the public cloud, affected applications may lack the security controls necessary to satisfy regulatory compliance requirements in many industries.

Network infrastructure is expected to provide appropriate security mechanisms; including for any part of the network that is extended into the public cloud.

In traditional network architectures, enterprises achieve this by backhauling their traffic through a centralized DMZ that is considered part of the data center. This involves using techniques to provide data center interconnect between the cloud and data center. Clients, meanwhile, are not aware of the cloud location that is being used for bursting. This approach usually results in a degraded user experience.

One alternative is to use a secure network virtual router in the cloud. Instead of backhauling branch and remote site traffic to the data center, the cloud itself can become part of the corporate network, complete with the required security controls.  Using this model, the cloud infrastructure would be no different than any other branch location. It would simply require the device be properly authenticated, and encryption be used to protect the integrity and confidentially to data in transit.

By setting up proper security rather than backhauling to the central DMZ, traffic can always take the most optimal path to the cloud infrastructure. For example, instead of backhauling San Jose traffic through a DMZ in Dallas to access AWS in Portland, making the public cloud an extension of the corporate network can seamlessly connect remote sites to the closest cloud provider access points.

For PaaS, this connectivity model becomes even more interesting since it is often used for dev and test. In most cases only a select number of sites and individuals require access to these environments. To ensure only authorized users can access these applications and virtual infrastructure, both secure connectivity and segmentation are required.  

Clearly, cloud transformation, and more specifically the ability to connect applications to users regardless of their location, was top of mind for network architects at the conference. Making this vision a reality requires a very agile WAN. It involves transitioning from fixed topologies that enterprises are accustomed to, and moving to a dynamic network with arbitrary, secure and on demand access points.