By Archana Kesavan

CIOs and IT executives are constantly challenged with reducing IT spend, increasing service agility, and delivering superior quality of service. Renovating traditional WAN architectures with SD-WAN technologies is a key initiative to meet these corporate objectives. Before jumping on the SD-WAN bandwagon and adopting SaaS services, IT decision makers should familiarize themselves with the intricacies involved with using the Internet as transport and the associated performance implications.

Transitioning to an Internet-centric Enterprise

The high costs associated with a traditional WAN network, meshing branch offices and data centers, stems from procuring carrier-grade MPLS access. Direct Internet access (DIA) or broadband Internet, with its ubiquitous availability, speed of deployment and cost efficiency (in terms of bandwidth-to-cost ratio), presents an attractive option to many enterprises. From just an access perspective, using DIA can sometimes result in 20-30% cost savings. Combined with the increase in SaaS adoption, the Internet is quickly becoming the backbone of enterprise communication. SD-WAN deployments, while still nascent and relatively static, will slowly evolve into choosing between multiple DIA circuits rather than multiple MPLS circuits. Understanding the performance, reliability and security implications of DIA circuits and planning proactively to overcome the challenges are key to a successful transition.

Trusting the Internet

Relying on the Internet as transport for enterprise-grade traffic involves setting the right expectations from the perspective of service delivery. Performance depends not only on the application, but also on the underlying network. Relying completely on the Internet also has some degree of risk associated to it. Partial or complete service disruption is not uncommon when connectivity to an entire region is shut down for political or economic reasons. For example, a few years ago Egypt shut off the Internet creating an “Internet island” affecting traffic going to and from the country. DDoS attacks on critical third-party infrastructure like DNS can also cause service disruption.

In short, plan ahead before trusting a best effort network and services offered by managed providers while making the transition. Baseline the performance of the network and application before launching or accessing a service over the Internet. For example, an active monitoring solution can help baseline connection performance, topology and bandwidth. A flow monitoring solution can provide insights into how the connection is utilized. The Internet is a coalition of ISPs, so choosing the right upstream providers and optimizing BGP routing across multiple providers is critical. If you are considering Internet circuits for your SD-WAN deployment, then choose your primary and secondary ISPs by monitoring for outages and frequent failures. Validate the new architecture before deploying it.

Troubleshooting the Internet

The problem of accountability creeps in when you rely on a network built and managed by multiple service providers. Finger pointing is a common occurrence that can result in increased Mean Time to Repair (MTTR) and Mean Time to Troubleshoot (MTTT). As you start relying on third party vendors, circumvent this situation by maintaining visibility across multiple layers of the service stack and the Internet.

Irrespective of the path selected by SD-WAN, it is important to have end-to-end visibility of the underlay network and application overlay. Invest in a network monitoring platform that can provide visibility into the performance of Internet circuits while maintaining application-level correlation. Consider supplementing your SD-WAN vendor’s view of network measurements to get a reliable and unbiased view of network and application performance.

Is the Internet Secure?

In traditional WAN networks, Internet-bound traffic exits the enterprise through ISP connections from the data center. However locally breaking out traffic from the branch office is becoming commonplace, conceptually creating a highly distributed “mini data center” model. This means extending the security measures in place from the data center all the way to the branch office. Firewall-based protection and intrusion detection mechanisms should be put in place even at branch offices. Although more and more applications idealize and choose to fold security into the L7 stack rather than completely relying on the access, security best practices should still be considered.

Moving to an Internet-driven architecture and adopting SD-WAN technologies is a massive undertaking. Systematically ease into the migration by supplementing your existing WAN with DIA circuits to familiarize yourself with the challenges and intricacies. Benefit from baselining application performance, recalibrating SLA’s and proactively monitoring the new baselines. Shift the equilibrium toward an Internet-centric enterprise, and you’ll reap the cost, performance and management benefits.

Author bio

Archana Kesavan

ThousandEyes

Archana Kesavan is a Product Marketing Manager at ThousandEyes, where she is responsible for product messaging, reporting on the health of the Internet and digging into the causes of outages that impact critical services. Prior to ThousandEyes, Archana was a Product Manger at Cisco Systems and Brocade managing the service provider mobile portfolio. Archana holds a Masters degree in Computer Networking from NC State.