Hybrid WANs that employ a combination of technologies - such as MPLS and Internet connectivity - have become increasingly popular as enterprise customers and service providers embrace the software-defined WAN.
What is really driving the move to the hybrid WAN?
And what advice do those who have adopted the technology have for those planning a similar transition?
A panel discussion at the WAN Summit in New York this April focused on just this, drawing from the experiences of end users, service providers, and manufacturers.
Cost savings are often the original reason enterprise customers look at hybrid networks and SD-WAN, but security and improvements in end-to-end performance were the key drivers of hybrid network adoption cited at the Summit.
The desire to reduce network spend is often the topic that opens the door to migrating to a hybrid WAN, but it's not always the driver for adopting the solution.
This can be surprising, especially considering the differences in connectivity costs. According to Viptela’s Ramesh Prabagaran, the cost of an IP broadband connection typically runs about $2.00 per Mbps per month – about 1% of the typical $200 per-Mbps monthly cost of an MPLS connection.
Potential cost savings will “get the discussion going . . . it opens doors,” observed Carl Flaherty of De Lage Landen (DLL), a global financial services organization that has adopted a hybrid WAN approach.
DLL took its first step toward a hybrid WAN to solve an isolated problem. The company was opening a branch office in the relatively remote community of Moberly, Missouri. As Flaherty recalled, management told him, “It needs to be up yesterday.”
After Flaherty and his team deployed a site-to-site VPN to address the need for quick, secure connectivity, management asked, “Why aren’t we doing that everywhere?”
For DLL and other enterprises, hybrid WAN deployments that move even a portion of an organization's traffic from a dedicated MPLS connection to an Internet connection raise security issues that must be addressed.
As Steve Woo of SD-WAN technology provider Velocloud explained, when enterprises allow direct Internet access from every branch site, organizations end up with a "big attack surface" that can also prove costly.
According to Woo, the way to address this is with what he called “security in the middle – not at the branch, but not all the way back to the data center.”
Rather than traditional centralized security, where all traffic is backhauled to a single data center, he cited the use of regional data or security centers. This has been difficult to orchestrate in the past because service-chaining Internet traffic from many branches through multiple regional sites had to be managed device by device.
SD-WAN makes this less complex: traffic is steered by centrally defined, policy-based routing rather than by per-device configuration, which makes "security in the middle" a more viable option.
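The following is an added illustration, not code from the panel or from any vendor's product: a toy version of the central steering policy an SD-WAN controller evaluates for every branch, so that one rule set decides which flows stay on MPLS, which go through a regional security hub, and which (if any) break out directly. The site names, regions, hub names, prefixes and application names are constructed assumptions; the point it shows is that a branch never gets uninspected Internet access unless the policy says so explicitly, and that a region without a hub fails closed to the data center rather than open to the Internet.

```python
"""Added example (not from the WAN Summit panel or any SD-WAN vendor): a
central, policy-based steering function for branch traffic.  All names,
prefixes and applications below are constructed for the example."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: internal address space that is only reachable over MPLS.
INTERNAL_PREFIXES = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed: regional "security in the middle" hubs, keyed by branch region.
REGIONAL_HUBS = {"us-east": "hub-nyc", "us-central": "hub-chi", "emea": "hub-ams"}

# Constructed: the only applications allowed to leave the branch directly,
# without passing through a hub (assumed trusted and latency-sensitive).
DIRECT_BREAKOUT_APPS = {"voip-saas"}


@dataclass(frozen=True)
class Flow:
    src_site: str
    src_region: str
    dst_ip: str
    dst_port: int
    app: str


@dataclass(frozen=True)
class Decision:
    path: str        # "mpls", "regional-hub" or "direct"
    next_hop: str    # data center, hub name, or the branch's own Internet edge
    inspected: bool  # True when the flow passes a security stack


def steer(flow: Flow) -> Decision:
    """Apply the single central policy to one flow, regardless of branch."""
    dst = ip_address(flow.dst_ip)
    if any(dst in prefix for prefix in INTERNAL_PREFIXES):
        # Internal destinations stay on the dedicated MPLS path to the data center.
        return Decision("mpls", "datacenter", inspected=True)
    if flow.app in DIRECT_BREAKOUT_APPS and flow.dst_port == 443:
        # Explicitly whitelisted SaaS may break out locally; everything else may not.
        return Decision("direct", f"{flow.src_site}-internet-edge", inspected=False)
    hub = REGIONAL_HUBS.get(flow.src_region)
    if hub is None:
        # Fail closed: no hub for this region means backhaul, never unmanaged
        # direct Internet access from the branch.
        return Decision("mpls", "datacenter", inspected=True)
    # Internet-bound traffic goes to the nearest regional security hub.
    return Decision("regional-hub", hub, inspected=True)


def uninspected(flows):
    """Audit helper: flows that reach the Internet without inspection."""
    return [f for f in flows if not steer(f).inspected]


def path_counts(flows):
    """Audit helper: how many flows land on each path type."""
    counts = {}
    for f in flows:
        p = steer(f).path
        counts[p] = counts.get(p, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample flows from two branches.
    sample = [
        Flow("moberly", "us-central", "10.1.2.3", 1521, "oracle"),
        Flow("moberly", "us-central", "93.184.216.34", 443, "web"),
        Flow("moberly", "us-central", "93.184.216.34", 443, "voip-saas"),
        Flow("sydney", "apac", "93.184.216.34", 80, "web"),
    ]
    for f in sample:
        print(f.src_site, f.app, "->", steer(f))
    print("uninspected:", [f.app for f in uninspected(sample)])
    print("paths:", path_counts(sample))
```

The audit helpers are the part worth keeping in a real deployment: before turning on local Internet breakout at any site, render the policy against the site's expected flows and confirm that the only uninspected entries are the ones governance has already agreed to.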
Security concerns can also be organizational, rather than just technological, noted Flaherty.
“Sometimes you have to manage relationships outside the technology box,” he commented. For example, he advised IT personnel to “forge internal relationships with governance” and meet with those stakeholders regularly to discuss technologies under consideration.
Traditionally, Flaherty would get “four words into” a conversation about the Internet and his governance contacts’ eyes “would glaze over” because they wouldn't consider moving corporate traffic to the Internet. Flaherty focused on education to assuage their fears, explaining how much corporate traffic already went over the Internet without creating any major concerns.
Scott Cressman of cloud-based security provider ThousandEyes offered another take on the topic of hybrid WAN security: “It’s a mistake to think of security only in a network context,” he said. “It has to be a holistic approach” that is also “application and data-centric.”
He noted, for example, that some end-user organizations are taking an approach that assumes a machine will be on an unprotected network, relying instead on security delivered from the cloud.
A holistic approach was a common theme not only for security but also for the other major hybrid WAN concern the panel discussed: performance assurance.
Organizations will not be comfortable moving to a hybrid WAN approach unless they receive assurances that performance will be as good as what they were getting previously from an MPLS-centric network.
Panelists agreed that performance needed to be assessed not only at the network level but also at the application level.
“Everybody has a network performance management platform” but “don’t forget about the application,” advised Flaherty. He noted that it’s common for end users within an organization to point to performance reports of the Oracle software on which they rely, which differ substantially from IT reports about the performance of the network on which the Oracle software actually runs.
Any organization adopting a hybrid WAN should “make sure application performance is baselined” before undertaking the migration, Flaherty advised.
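As an added example (not code from DLL or from the panel), here is one way to carry out that advice: record a per-application response-time baseline before the migration, then compare post-migration samples against it and flag applications whose tail latency has regressed. The application names, the millisecond samples and the 20% tolerance are all constructed assumptions. The sample data is deliberately built so that the network-level RTT measurement passes while the chatty Oracle application fails, which is exactly the gap between IT's network reports and the users' application reports that the panel described.

```python
"""Added example (not from the panel or from DLL): per-application latency
baselining before a migration and regression checking after it.  Application
names, samples and the tolerance are constructed for the example."""

import math
from dataclasses import dataclass


def percentile(samples, pct):
    """Nearest-rank percentile of an unsorted list of numbers."""
    if not samples:
        raise ValueError("no samples")
    ordered = sorted(samples)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


@dataclass(frozen=True)
class Baseline:
    p50: float
    p95: float


def baseline(samples):
    """Summarise one application's pre-migration samples as p50/p95."""
    return Baseline(percentile(samples, 50), percentile(samples, 95))


def regressions(before, after, tolerance=0.20):
    """Compare post-migration samples with the stored baselines.

    `before` maps application -> Baseline, `after` maps application -> list of
    post-migration samples.  Returns {app: (baseline_p95, post_p95)} for every
    application whose p95 grew by more than `tolerance` (a fraction).
    Applications with no post-migration data yet are skipped, not passed.
    """
    flagged = {}
    for app, base in before.items():
        if app not in after:
            continue
        post = baseline(after[app])
        if post.p95 > base.p95 * (1 + tolerance):
            flagged[app] = (base.p95, post.p95)
    return flagged


# Constructed sample data (milliseconds).  The network RTT barely moves, but
# the chatty Oracle application, which needs many round trips per transaction,
# regresses well past the tolerance.
BEFORE_SAMPLES = {
    "network-rtt": [20, 21, 22, 20, 23, 21, 22, 24, 20, 21],
    "oracle-erp": [180, 190, 200, 185, 195, 210, 190, 200, 205, 215],
    "email": [90, 95, 100, 92, 98, 105, 97, 99, 101, 110],
}
AFTER_SAMPLES = {
    "network-rtt": [22, 23, 21, 24, 22, 23, 25, 22, 21, 24],
    "oracle-erp": [230, 250, 260, 240, 300, 280, 270, 310, 290, 320],
    "email": [95, 98, 102, 96, 100, 108, 99, 101, 104, 112],
}


def run_check():
    """Build the baselines, compare, and return the flagged applications."""
    baselines = {app: baseline(s) for app, s in BEFORE_SAMPLES.items()}
    return regressions(baselines, AFTER_SAMPLES)


if __name__ == "__main__":
    for app, samples in BEFORE_SAMPLES.items():
        print(app, "baseline:", baseline(samples))
    print("regressed:", run_check())
```

Baselining at the application level is what makes the comparison meaningful: a network-only check would have passed here, while the check that users actually care about did not.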
While it is important for IT personnel to be prepared to ensure the same level of performance when moving to a hybrid WAN, they may encounter some pleasant surprises in terms of performance improvement.
Alastair Johnson of SD-WAN technology developer Nuage Networks noted that organizations may find latency improves with a hybrid WAN approach because traffic could have shorter distances to travel.
He pointed to the example of a company that achieved 25-millisecond latency between the U.S. and Australia over an Internet link – a big improvement over previous architecture, which routed traffic over multi-hop dedicated connections.
When it comes to lessons learned, some themes from the hybrid WAN panel: