This column is available in a weekly newsletter called IT Best Practices.
To state the obvious, enterprises are moving their applications to the cloud, and this movement is happening at an accelerating pace. Many technology chiefs are working under a “cloud-first policy,” meaning that if an application can be consumed as a service, that is the default choice.
While the applications themselves are moving to the cloud, the application delivery infrastructure is still stuck in the enterprise data center. Under the network architecture most enterprises still have today, branch traffic is backhauled to the enterprise data center before going out to the cloud. The on-premises data center is where the switching and routing, the security stack, and the application delivery controllers reside. This infrastructure was architected for a bygone era when all the applications lived in the data center.
I talked with Mark Casey, president and CEO of Apcela, to get his perspective on what enterprises can do to increase the security and performance of their hybrid IT environments.
“I would venture to say that most enterprises are wrestling with the challenges of their hybrid IT environments today,” says Casey. “Everyone has cloud applications, but their WAN just isn’t built to accommodate them efficiently.” He offers up the following example to illustrate the problem.
Let’s say a company has its headquarters and its data center in Chicago and a regional office in Los Angeles. The LA workers need to access a SaaS application that physically resides in a cloud data center in San Francisco. The way the network is architected today, the people in the Los Angeles office are connected to their corporate data center via an MPLS network. Their traffic travels from Los Angeles back to the data center in Chicago, where it passes through the firewall, and only then goes out over the public internet to the SaaS application in San Francisco. Instead of the traffic going directly to the public internet from Los Angeles, or better yet directly to the application in San Francisco, it goes from Los Angeles to Chicago over a private network and then back out over the public internet from Chicago to San Francisco.
This is plainly inefficient: the round trip consumes WAN bandwidth twice and adds latency to every request. The performance penalty exists only because the traffic must be inspected by the security stack at the enterprise firewall, and that stack is in Chicago. “This scenario is extremely common today, and the problem is magnified when there are numerous branch locations that must backhaul their traffic through the enterprise data center before sending it to the cloud,” says Casey.
He says that enterprises usually fall into one of two camps. One is where they have a centralized DMZ, like the example above, where all the security is in the data center and all traffic goes through there before going out to the public Internet. Alternatively, they run a fully distributed environment where there is a firewall at every branch location. The latter scenario gets quite complicated and expensive when there are hundreds or thousands of locations, like a bank or a retailer would have.
Neither of these architectures works well for a hybrid IT environment. A new approach is needed to improve both security and performance.
“Today the application infrastructure is in the data center,” says Casey. “We need to get it out of the data center and closer to the applications and the users. We are moving away from this paradigm of a centralized IT model and shifting the architecture to put more of a focus on the edge. We need an architecture that bridges the hybrid IT environment from on-premises data centers to cloud data centers, inclusive of SaaS and IaaS. The basic premise is to distribute application hubs in a high-performance core.”
The recipe for a more cloud-ready architecture is to build a core network anchored on carrier neutral commercial data centers, and then connect those data centers with 1G to 10G links, depending on bandwidth requirements. “When we talk about a high-performance core, we are talking about putting network nodes in a number of distributed commercial data centers and connecting those with high-capacity, low latency links,” says Casey. “That high-performance core then interconnects to the network edge, which can be the enterprise locations themselves, such as branches, manufacturing facilities, regional headquarters, data centers, and so on. This core also interconnects with the cloud, connecting to the public Internet, or directly peering with cloud data centers.”
The architecture of this model is shown in Figure 1.
On the orange ring in the illustration are the commercial data centers, operated by companies such as Equinix. These data centers can be located all around the world, and they form the high-performance core of the new architecture. All traffic passes through these data centers on its way either to the cloud or to the enterprise locations.
Hanging off the ring are the enterprise locations, connected via Ethernet private lines or broadband IP. On top of this, an SD-WAN overlay enables a secure encrypted tunnel over the public internet back to the commercial data centers. “SD-WAN just makes it easier to manage these edge locations into the core, and location to location,” says Casey. “You could deploy VPNs, but they are too complicated. SD-WAN gives you a lot of capabilities and facilitates rapid failover if there’s ever a problem with a connection.”
A full security stack can now be deployed to these commercial data centers, which Apcela calls application hubs, or AppHUBs. “By distributing security and moving it out of the enterprise data center into these distributed nodes, now a branch office simply goes to the nearest AppHUB to clear security there, and from there it can go to the Internet or to whatever SaaS applications these branches need to use, rather than having to go all the way back through the enterprise data center before they get out to the cloud,” says Casey.
A security stack can include a firewall, a secure web gateway, and an email gateway; basically anything that protects a company’s users from the internet, according to Casey.
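The following model is an added example, not Apcela’s code or anything from the column. It puts numbers on the Chicago/Los Angeles/San Francisco scenario and on the hub architecture of Figure 1 by comparing three egress designs for one branch reaching one SaaS endpoint: backhaul through the HQ firewall, direct local breakout with no inspection, and a tunnel to the nearest hub that hosts the security stack. The check that matters for a security engineer is `passes_inspection`: it encodes the invariant the backhaul design was protecting (every internet-bound path crosses a security stack) and shows that the hub design keeps it while cutting the distance. The coordinates, the three hub sites and the 200 km/ms propagation figure are assumptions chosen for illustration.

```python
"""Egress-path model for the branch-to-SaaS scenario (added example, not
Apcela's code).  Three designs are compared for one branch and one SaaS
destination:

  centralized - backhaul to HQ, clear the firewall there, then out
  direct      - local internet breakout with no inspection at all
  hub         - SD-WAN tunnel to the nearest commercial-data-center hub that
                hosts the security stack, then out

Coordinates, hub sites and the propagation figure are assumptions."""
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0
KM_PER_MS = 200.0  # rough one-way propagation in fibre (~2/3 c); assumed


@dataclass(frozen=True)
class Node:
    name: str
    lat: float
    lon: float
    inspects: bool = False  # True when a security stack (firewall/SWG) sits here


def haversine_km(a: Node, b: Node) -> float:
    """Great-circle distance between two nodes in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a.lat, a.lon, b.lat, b.lon))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def path_km(path: list[Node]) -> float:
    """Total distance along consecutive hops of a path."""
    return sum(haversine_km(a, b) for a, b in zip(path, path[1:]))


def passes_inspection(path: list[Node]) -> bool:
    """The invariant the backhaul design enforces: some hop between the
    branch and the destination runs the security stack."""
    return any(n.inspects for n in path[1:-1])


def nearest_hub(branch: Node, hubs: list[Node]) -> Node:
    """Pick the hub a branch should tunnel to: the closest one."""
    return min(hubs, key=lambda h: haversine_km(branch, h))


# Constructed topology: the column's Chicago HQ / Los Angeles branch /
# San Francisco SaaS example, plus three assumed hub sites on the core ring.
HQ_CHICAGO = Node("Chicago HQ data center", 41.8781, -87.6298, inspects=True)
BRANCH_LA = Node("Los Angeles branch", 34.0522, -118.2437)
SAAS_SF = Node("SaaS provider, San Francisco", 37.7749, -122.4194)
HUBS = [
    Node("Los Angeles AppHUB", 34.0489, -118.2529, inspects=True),
    Node("Chicago AppHUB", 41.8819, -87.6278, inspects=True),
    Node("Dallas AppHUB", 32.7767, -96.7970, inspects=True),
]


def evaluate(branch: Node, dest: Node, hq: Node = HQ_CHICAGO,
             hubs: list[Node] = HUBS) -> dict[str, dict]:
    """Return distance, one-way latency estimate, inspection status and the
    transit hop for each of the three designs."""
    hub = nearest_hub(branch, hubs)
    designs = {
        "centralized": [branch, hq, dest],
        "direct": [branch, dest],
        "hub": [branch, hub, dest],
    }
    report = {}
    for name, path in designs.items():
        km = path_km(path)
        report[name] = {
            "via": path[1].name if len(path) == 3 else None,
            "km": round(km, 1),
            "one_way_ms": round(km / KM_PER_MS, 2),
            "inspected": passes_inspection(path),
        }
    return report


if __name__ == "__main__":
    for design, r in evaluate(BRANCH_LA, SAAS_SF).items():
        flag = "OK" if r["inspected"] else "UNINSPECTED"
        print(f"{design:12s} {flag:12s} via={r['via']!s:30s} "
              f"{r['km']:7.0f} km  ~{r['one_way_ms']:.1f} ms one-way")
```

Run as-is, the centralized path comes out at roughly 5,800 km (Los Angeles to Chicago and back west to San Francisco) against under 600 km for the hub path, and both are flagged as inspected, while the direct-breakout path is the shortest of all but fails the inspection check. Swapping in other branch or hub coordinates shows the general point: the invariant is a property of the path, not of where the data center happens to be.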
For an enterprise, this new architecture essentially puts the cloud data centers on its network, or at least it enables close peering with them. This platform is better positioned to manage a hybrid IT environment, where parts of the applications are in an on-premises data center, and other parts are in the cloud.
Apcela has built this type of network on a global scale. Enterprises can leverage the Apcela WAN with a fully distributed security service to improve the security and performance of their hybrid applications without having to integrate anything themselves.