Following a cloud-first strategy is great for IT budgets and business agility but places new demands on the network. Cloud first can significantly impact network operations, as an increasing percentage of traffic flows directly to, from, and between clouds.
Unfortunately, the traditional MPLS architecture cannot support the economics or agility a cloud-first strategy requires. MPLS circuits are costly and slow to provision, and the hub-and-spoke design built around them requires that Internet-bound traffic be backhauled to a centralized data center for inspection. Backhauling adds latency for branch offices and remote users, who need direct Internet access to reach their cloud services. Providing direct-to-net access means re-architecting the network with security in mind, because every local breakout is also a new point where traffic leaves the corporate perimeter uninspected unless something inspects it there.
In support of cloud first strategies, many organizations are turning to software-defined WAN (SD-WAN). SD-WAN provides secure local or regional breakouts to the cloud, enabling traffic to flow directly to the Internet from the closest available link. If additional levels of security are needed, SD-WAN technologies can segment and route sensitive data to cloud security providers for further inspection.
First, make the network virtual
The solution sounds simple: virtualize the network as you have computing and storage, and integrate the cloud, data center, WAN, and wired and wireless LAN into a unified fabric. The resulting cloud network has tremendous flexibility and scalability, with consistent policy deployment across the entire fabric.
If everyone in the organization worked from the same location at the same time, then provisioning networks for a cloud-based world might not be such a big problem – a couple of big pipes to the Internet for backup and load balancing would serve most organizations. However, when dealing with multiple locations, mobile users, and rapidly growing network traffic, that same centralized network architecture creates bottlenecks that drive up costs and compromise performance. By virtualizing the network, administrators can centrally manage traffic flows and their internal and third-party cloud networks more effectively and efficiently.
Second, automate network management and orchestration
Re-architecting the network could be done with manual configuration changes on the routers or custom scripts, as long as the set of cloud services is stable, workloads always execute from the same locations, and users do not change locations. Of course, none of these conditions are realistic, and MPLS provisioning can take months to add capacity or connect new locations. An effective SD-WAN must deliver the necessary business agility to get the maximum benefit from cloud services.
SD-WAN supports cloud first strategies by intelligently routing traffic based on business policies. Users automatically connect to the cloud, or between cloud services, across the best available link, which removes the manual configuration headache from network administrators. Policies, not manual scripting, define which traffic is routed over which path based on business needs, security requirements, and current network health (latency, loss, and link availability measured continuously on each path). Traffic can be appropriately segmented, such as voice over MPLS and SaaS applications over broadband. Best of all, traffic flows more evenly across the entire organization's network, reducing bottlenecks and improving application delivery.
Third, deliver security in the cloud
All of the benefits of cloud services and software-defined WANs are of little consolation if there is a security breach. Manually replicating and maintaining security appliances across tens or hundreds of locations is just not feasible. Instead, SD-WAN enables organizations to leverage cloud security providers, selectively directing traffic flows to the appropriate security service while providing embedded security such as firewalls, VPNs, and user segmentation.
For example, an engineering services company uses a variety of online apps, such as Box and Office 365, along with their cloud services. Since these applications involve mostly smaller but still confidential files, they choose to direct all of the related SaaS traffic back to the data center for inspection.
However, their engineering tools, which generate very large files, run on a cloud service so that they are accessible to authorized employees and partners around the world. Running this traffic through central security causes too many performance issues and drives up connectivity costs, so instead they route the traffic to a cloud access security broker (CASB), such as Zscaler.
With just a few clicks, the CASB provides worldwide access control, malware detection, and inline data protection. The CASB scales and distributes the load as needed to handle the large data requirements. Traffic between the branch and the CASB is carried in an IPsec tunnel, and InfoSec policies are enforced with integrated functions such as data loss prevention (DLP).
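The policy-based steering described above (business policy plus measured link health choosing a path, and the path choice deciding where traffic is inspected: data center, cloud security provider, or local breakout) is easier to reason about as a small decision engine. The following is an added illustration, not the code of any SD-WAN vendor or of the CASB named in the article; the link names, applications, SLA thresholds and policy table are constructed sample data, and the "confidential data is never sent out uninspected" floor is a design choice of this toy, not something the article states.

```python
# Toy SD-WAN traffic-steering engine: business policy + link health -> path and inspection point.
# Added illustration, not any vendor's code. Links, apps, SLA thresholds and the policy
# table below are constructed sample data.
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    transport: str        # "mpls" or "broadband"
    latency_ms: float     # most recent probe result on this path
    loss_pct: float
    up: bool = True


@dataclass
class Flow:
    app: str
    sensitivity: str      # "confidential" or "internal"


@dataclass
class Policy:
    app: str              # exact app name, or "*" for the default rule
    transports: list      # ordered transport preference, e.g. ["mpls", "broadband"]
    max_latency_ms: float
    max_loss_pct: float
    inspection: str       # "datacenter" (backhaul), "casb" (cloud security) or "local" (no inspection)


def meets_sla(link: Link, policy: Policy) -> bool:
    return link.up and link.latency_ms <= policy.max_latency_ms and link.loss_pct <= policy.max_loss_pct


def match_policy(flow: Flow, policies: list) -> Policy:
    # Exact app match wins; "*" is the fallback. A missing default is an error,
    # not a silent pass-through.
    by_app = {p.app: p for p in policies}
    if flow.app in by_app:
        return by_app[flow.app]
    if "*" in by_app:
        return by_app["*"]
    raise LookupError("no default policy")


def select_link(links: list, policy: Policy) -> tuple:
    # Walk transports in policy order; the first link that meets the SLA wins.
    for transport in policy.transports:
        for link in links:
            if link.transport == transport and meets_sla(link, policy):
                return link, True
    # Nothing meets the SLA: degrade to the healthiest up link rather than blackhole,
    # and report sla_met=False so the choice is visible to operations.
    up = [lk for lk in links if lk.up]
    if not up:
        return None, False
    return min(up, key=lambda lk: (lk.loss_pct, lk.latency_ms)), False


def steer(flow: Flow, policies: list, links: list) -> dict:
    policy = match_policy(flow, policies)
    link, sla_met = select_link(links, policy)
    if link is None:
        return {"action": "drop", "reason": "no usable link"}
    inspection = policy.inspection
    # Security floor (assumption of this toy): confidential data never goes out via a
    # plain local breakout, whatever the app-level policy says.
    if flow.sensitivity == "confidential" and inspection == "local":
        inspection = "datacenter"
    tunnel = {"datacenter": "ipsec-to-dc", "casb": "ipsec-to-casb", "local": None}[inspection]
    return {"action": "forward", "link": link.name, "inspection": inspection,
            "tunnel": tunnel, "sla_met": sla_met}


# Constructed policy table mirroring the article's scenario: voice on MPLS with local
# breakout, small SaaS files backhauled to the data center, large engineering-tool
# traffic steered to a CASB over broadband.
POLICIES = [
    Policy("voice", ["mpls", "broadband"], 50, 1.0, "local"),
    Policy("box", ["broadband", "mpls"], 150, 2.0, "datacenter"),
    Policy("o365", ["broadband", "mpls"], 150, 2.0, "datacenter"),
    Policy("cad-cloud", ["broadband"], 200, 2.0, "casb"),
    Policy("*", ["broadband", "mpls"], 150, 2.0, "datacenter"),
]


def sample_links() -> list:
    # Constructed probe results: one healthy MPLS link, one healthy and one lossy broadband link.
    return [
        Link("mpls1", "mpls", latency_ms=20, loss_pct=0.1),
        Link("bb1", "broadband", latency_ms=35, loss_pct=0.5),
        Link("bb2", "broadband", latency_ms=120, loss_pct=3.0),
    ]


if __name__ == "__main__":
    links = sample_links()
    for flow in (Flow("voice", "internal"), Flow("box", "confidential"), Flow("cad-cloud", "confidential")):
        print(flow.app, steer(flow, POLICIES, links))
```

The two things a real controller must get right are visible here: path selection is re-evaluated against live health, so a lossy broadband circuit moves SaaS traffic onto MPLS without anyone editing a router; and the inspection point is part of the routing decision, so a failed SLA degrades performance but never silently removes inspection from sensitive traffic.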
Cloud first needs cloud networking
At the end of the day, cloud-first strategies are designed to provide the best possible user experience. The network is of limited value if the user experience is poor or inconsistent. Effective SD-WAN tools provide deep visibility into application performance, network flows, congested areas, and which users and devices are connected to the network, enabling IT to effectively deploy and manage their applications and the underlying infrastructure.
As cloud computing continues to grow and evolve, the majority of organizations will adopt cloud-first strategies. Whether using leading IaaS offerings such as AWS and Azure, or something from the vast set of SaaS applications, software-defined WANs are essential to corporate agility and security. Optimizing applications by rapidly establishing and tearing down connections simply cannot be done without centralized network management and orchestration. Cloud first needs cloud networking.