A few years back, a field office might have had dual MPLS circuits, maybe even from different providers. But dual MPLS circuits offer a false promise of redundancy: the last mile of both circuits rides over the same Incumbent Local Exchange Carrier (ILEC) and shares the same fate (misplaced backhoe, problems in the central office, etc.). In the illustration below, one MPLS circuit is primary for business traffic and the other for Internet traffic.
As Internet usage grew over time, the expense and limitations of backhauling Internet traffic over MPLS became unsustainable. Business-class broadband at the Field Office, controlled by a local firewall, was both scalable and cost effective. The alternative, an Internet gateway and security services within the MPLS cloud itself, cannot solve the cost and scalability issues. In the illustration below, Internet access is local, with exceptions for third-party Internet applications that might be locked to source IP ranges within the enterprise data center. One of the key benefits is remote survivability: even with issues at the enterprise data center, Internet-based services are still accessible.
True resiliency requires network paths based on different technology stacks. For simplicity, the illustration below uses network products like the Juniper SRX, or those of some SD-WAN vendors, that combine both security and traffic routing in the same appliance. IPsec VPNs provide alternative or backup paths for application traffic. Dedicated circuits, Internet broadband, and cellular data rarely have any infrastructure in common, especially if there is a different service provider for each path. Only two paths are necessary for resiliency, but having cellular data capabilities can be useful for business continuity or field office relocations.
Between Field Office clients and the routers and firewalls, there might be WAN optimization appliances that cache locally or optimize chatty applications. Software Defined WAN products handle path selection dynamically, and perhaps run virtual routers or firewalls as well. Likewise, some routers or security platforms might have WAN optimization or caching capabilities.
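The three paragraphs above make two points that are easy to get wrong in practice: circuits that look redundant on a diagram can share a last mile, and the edge has to fail over on measured health rather than on link state alone. The following is an added example written for this post (not code from the original post or from any SD-WAN vendor) that models each WAN path by the infrastructure it depends on, flags pairs of paths with shared fate, and then picks an active path from constructed health samples with a simplified stand-in for an SD-WAN controller's path selection. Path names, carrier names, and the loss/latency thresholds are all assumptions.

```python
"""Shared-fate check and health-based path selection for a multi-path WAN edge.

Added example, not code from the original post or from any SD-WAN vendor.
Each WAN path is described by the infrastructure it depends on (access
technology, carrier, and who delivers the last mile), so "dual circuits"
that ride the same ILEC last mile are flagged as false redundancy. A
simplified, stand-in path selector then picks the active path from
measured health the way an SD-WAN controller might.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class WanPath:
    name: str
    technology: str   # e.g. "mpls", "cable", "lte"
    carrier: str      # provider the circuit is bought from
    last_mile: str    # who physically delivers it (ILEC, cable plant, cell site)
    preference: int   # lower is preferred when healthy


def shared_fate(a, b):
    """Infrastructure attributes two paths have in common (empty set = fully diverse)."""
    return {attr for attr in ("technology", "carrier", "last_mile")
            if getattr(a, attr) == getattr(b, attr)}


def diverse_pairs(paths):
    """Pairs of paths that share no infrastructure at all."""
    return [(a.name, b.name) for a, b in combinations(paths, 2)
            if not shared_fate(a, b)]


def is_resilient(paths):
    """True if at least one pair of paths has nothing in common."""
    return bool(diverse_pairs(paths))


@dataclass
class Health:
    loss_pct: float
    latency_ms: float
    up: bool = True


def usable(h, max_loss=2.0, max_latency=250.0):
    """Thresholds are assumed values, not from the post."""
    return h.up and h.loss_pct <= max_loss and h.latency_ms <= max_latency


def select_path(paths, health, current=None):
    """Stay on the current path while it is usable (avoids flapping);
    otherwise fall to the lowest-preference usable path, or None."""
    if current in health and usable(health[current]):
        return current
    down = Health(100.0, 0.0, up=False)
    candidates = [p for p in paths if usable(health.get(p.name, down))]
    candidates.sort(key=lambda p: p.preference)
    return candidates[0].name if candidates else None


# Constructed sample: two MPLS circuits from different carriers, both delivered by the same ILEC
MPLS_A = WanPath("mpls-a", "mpls", "carrier-1", "ilec-metro", 10)
MPLS_B = WanPath("mpls-b", "mpls", "carrier-2", "ilec-metro", 20)
CABLE = WanPath("cable", "cable", "cable-co", "cable-plant", 30)
LTE = WanPath("lte", "lte", "mobile-co", "cell-site", 40)

FALSE_REDUNDANCY = [MPLS_A, MPLS_B]
DIVERSE = [MPLS_A, MPLS_B, CABLE, LTE]


def demo():
    """Walk through a backhoe cutting the shared ILEC last mile."""
    all_good = {p.name: Health(0.1, 40.0) for p in DIVERSE}
    active = select_path(DIVERSE, all_good)
    # Backhoe: every path delivered by the ILEC goes down at once
    cut = dict(all_good)
    for p in DIVERSE:
        if p.last_mile == "ilec-metro":
            cut[p.name] = Health(100.0, 0.0, up=False)
    failover = select_path(DIVERSE, cut, current=active)
    return {"dual_mpls_resilient": is_resilient(FALSE_REDUNDANCY),
            "with_diverse_paths": is_resilient(DIVERSE),
            "active": active, "after_cut": failover}


if __name__ == "__main__":
    print(demo())
```

The shared-fate attributes are deliberately coarse; in a real inventory the last-mile field would come from the carrier's circuit design documents, which is where the "same ILEC" dependency usually hides. The stickiness rule in `select_path` is one simple choice; products differ in how they dampen flapping.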
If the VoIP client used by the enterprise is built to run over the Internet, redundant Internet services could be deployed and MPLS eliminated. The consistency of Internet service can vary greatly, but there are ways, when selecting Internet services, to improve the situation:
- Always select business-class broadband, which is prioritized over residential and provides better SLA and support arrangements. More recent developments with DOCSIS 3.1 and fiber rollouts promise even greater speeds and potentially symmetrical bandwidth.
- Prefer dedicated Internet service over broadband. Many Tier 2 service providers like TW Telecom (since acquired by Level 3), XO Communications, or Cogent have provisioned fiber to thousands of office buildings.
- Plan the path back. Cable companies will honor QoS markings (business class vs. residential) when they peer with each other. Provision the routers at the hub with all the types of Internet service used for the Field Offices: cable broadband, Tier 2 providers, DSL/U-verse/FiOS/LTE from Verizon/AT&T, etc. The key is to provision the end-to-end path with the same provider wherever possible. This becomes much simpler to achieve in the final illustration below.
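"Plan the path back" only pays off if the markings actually survive the provider path, so it is worth checking rather than assuming. The following added example (mine, not from the original post) builds minimal IPv4 headers carrying a chosen DSCP code point as constructed sample packets, decodes the DSCP and ECN bits, and compares what the field office sent against what the hub received to spot a provider that re-marks or strips the marking. It assumes the QoS markings meant above are DSCP values (RFC 2474); the provider labels and addresses are constructed.

```python
"""Does a QoS marking survive the path back to the hub?

Added example, not from the original post. Builds minimal IPv4 headers
carrying a chosen DSCP code point (constructed sample packets, not real
captures), decodes the DSCP and ECN bits from the TOS byte, and compares
what the field office sent against what the hub received to spot a
provider that re-marks or strips the marking. It assumes the "QoS
markings" in question are DSCP values as in RFC 2474.
"""
import struct

# A few well-known code points (RFC 2474 / RFC 4594 names)
DSCP_NAMES = {0: "BE", 10: "AF11", 18: "AF21", 26: "AF31", 34: "AF41",
              24: "CS3", 46: "EF", 48: "CS6"}


def ipv4_checksum(header):
    """Standard one's-complement sum over 16-bit words."""
    total = sum((header[i] << 8) + header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(dscp, ecn=0, ttl=64, src="10.1.1.10", dst="10.200.0.10",
                      total_length=60, proto=17):
    """20-byte IPv4 header with the given DSCP/ECN; addresses are constructed RFC 1918 samples."""
    ver_ihl = (4 << 4) | 5
    tos = ((dscp & 0x3F) << 2) | (ecn & 0x03)
    ident, flags_frag = 0x1234, 0x4000          # DF set, no fragmentation
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, total_length, ident,
                      flags_frag, ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def decode_dscp(packet):
    """Return (dscp, ecn) from the second byte of an IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    tos = packet[1]
    return tos >> 2, tos & 0x03


def dscp_name(dscp):
    return DSCP_NAMES.get(dscp, f"DSCP{dscp}")


def compare_markings(samples):
    """samples: (label, sent_packet, received_packet) triples.
    Returns one finding per flow whose DSCP changed in transit."""
    findings = []
    for label, sent, received in samples:
        s_dscp, _ = decode_dscp(sent)
        r_dscp, _ = decode_dscp(received)
        if s_dscp != r_dscp:
            findings.append({"flow": label, "sent": dscp_name(s_dscp),
                             "received": dscp_name(r_dscp)})
    return findings


# Constructed samples: provider A preserves EF on voice; provider B strips it to best effort
SAMPLES = [
    ("voice via provider A", build_ipv4_header(46), build_ipv4_header(46, ttl=58)),
    ("voice via provider B", build_ipv4_header(46), build_ipv4_header(0, ttl=57)),
    ("video via provider B", build_ipv4_header(34), build_ipv4_header(34, ttl=57)),
]

if __name__ == "__main__":
    for f in compare_markings(SAMPLES):
        print(f"{f['flow']}: sent {f['sent']}, received {f['received']}")
```

In practice the sent and received packets would come from captures at the field office edge and the hub router; `decode_dscp` works unchanged on the IPv4 header bytes of a real capture, and the constructed builder exists only so the example runs offline.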
Licensing appliances for each office, whether physical or virtual, is expensive. There are often economies of scale if traffic can be consolidated into higher-capacity models. What if the field offices in each region could share services like WAN optimization, security (firewall, intrusion prevention, URL filtering, etc.) or unified communications? The next illustration shows the US map of Equinix locations; imagine deploying routers to the set of locations that makes sense for the geographical distribution of your organization. If using the public cloud or colocation facilities, most enterprises are already connected to two or three locations, so the backhaul to the enterprise data center is a sunk cost. And there are multiple ways of connecting hubs together so that traffic between regions does not have to go all the way back to the enterprise data center (but that is a future blog post).
Cloud hubs like Equinix are also Internet peering points. Every Internet service provider in that region will already have routers on-premises. There are no local access charges or four-week lead time for provisioning a circuit, just a couple of days and a couple of hundred dollars a month for the cross connect. Cloud hubs are also Ethernet peering locations if Metro Ethernet is a consideration for larger Field Offices. Content Distribution Networks, DDoS mitigation providers, and many other service providers also have equipment within the Cloud Hub. You can even pass the traffic through firewalls located in the Cloud Hub if required. These geographically dispersed colocation facilities can also be used for out-of-region tape backup, regional hubs for branch offices, or remotely located managed private clouds. Cloud hubs can become the backbone of a multi-region business continuity plan, perhaps with their own Active Directory servers, VPN concentrators, etc. When the enterprise has moved some of those functions to the cloud, the hub is still the integration point between offices, clouds, and data centers.