Toto, We're Not on the WAN Anymore
The growing shift of applications to the cloud means that more network traffic is moving over the Internet rather than over the predictably stable MPLS WAN. At the same time, costs of traditional WAN architectures are pushing more enterprises to adopt direct Internet access, either exclusively or as part of a hybrid design. MPLS may not go away overnight, particularly for legacy and latency-sensitive applications, but the traditional WAN will only get smaller as the Internet takes on a higher proportion of enterprise traffic.
As enterprises make the move, network teams and budget decision makers often see software-defined WAN (SD-WAN) technology as a magic wand that makes the availability, performance, and other issues of moving to direct Internet access go away. Because SD-WAN uses traffic visibility and performance metrics to route traffic over the best available path, a common misconception is that it can "see all and control all," saving enterprises from the Internet's inherent unpredictability. SD-WAN does provide greater reliability, agility, and more efficient resource utilization to enterprises that have found MPLS to be expensive and inflexible, but it is not a panacea for application and network performance ills. Even with a dedicated circuit and SLAs, once your traffic hits your ISP's backbone it's on shared infrastructure and subject to the same complex set of dependencies and best-effort service as all other Internet transit. SD-WAN or no SD-WAN, achieving steady state on the Internet simply isn't possible.
The interaction between a branch office and a SaaS data center can include dependencies on multiple ISP networks, a secure Web gateway (SWG) provider, possibly a content delivery network (CDN) provider, a third-party authentication provider, plus Domain Name System services. Not only are these elements externally operated, but they are also subject to change depending on many factors, including route adjustments, network congestion, changing of service providers (e.g., CDN provider), a faulty cable, a DDoS attack, and the list goes on.
SaaS application performance isn't a uniform experience -- it's highly dependent on elements that may be specific to different users in different locations. Employees in Dallas and New York may have very different experiences because those branch offices rely on different delivery paths -- likely transiting through different ISPs, hitting different CDN servers, or connecting to different SaaS data centers.
SD-WAN solutions measure the paths between their own edge devices; they don't see the Internet beyond those edges or the external service dependencies behind it, and they certainly don't control them. Nonetheless, whether or not you own the networks or services that support delivery of your critical applications, you still own the user experience. You'll still get the call when employees can't reach the SaaS applications that productivity and core business functions depend on.
Now that the Internet has effectively become part of IT's responsibility -- if not officially, at least in practice -- enterprises need to shift their visibility to the external dependencies that are effectively an extension of their own IT infrastructure. To gain a handle on what's happening on the Internet, you need to know the nature of the problem and the ISP or service provider responsible. You need complete visibility across the entire application delivery chain, from DNS resolution to SWG to cloud or SaaS provider.
Here are five key factors enterprise IT teams need to grapple with to take the risk out of cloud migration and master the realities of Internet-centric communications:
- Monitoring from every user perspective, remembering that "users" may be employees in branch offices or working remotely, but could also be applications making calls to external APIs and services
- Understanding the constellations of dependencies, such as ISP, DNS, CDN, security providers, and SaaS
- Moving toward giving internal clients self-service views into what they care about -- their applications -- and insight into underlying network conditions
- Sharing application and network performance data for effective provider escalation processes and sound cloud governance
- Understanding the effect of location, since global users and offices can experience high levels of performance variability when interacting with cloud and SaaS applications
All of these factors require a different approach to monitoring than the one used inside the "four walls" of your data center or branch offices. Within your environment, a variety of tools are available to monitor network and application performance, including SNMP polling, packet capture, and flow-based analytics. All of them depend on access you only have to your own infrastructure: SNMP needs credentials on the device, and packet capture and flow export only see traffic at observation points you operate. None of them can reach into the federation of networks and services that make up the Internet.
As more traffic shifts externally, and internal, passive monitoring tools look at a smaller portion of overall communications, enterprises need to start thinking about getting proportional visibility for the external dependencies that they rely on for business continuity. It's easy for enterprises to get into a mindset that they're powerless to address performance issues that are caused by networks and services they don't own. But the fact is that once you have external visibility, you can gain control of your application delivery experience by fostering a transparent, collaborative relationship with service providers. Achieving this control requires a change in monitoring paradigm from passive to proactive and from "find and fix" only to "evidence and escalation" -- as in, get evidence of the issue and escalate to the right party -- when it's outside your management domain.
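The "evidence and escalation" approach above boils down to testing the delivery chain from the user's vantage point, stage by stage, so that a failure can be pinned on a specific dependency and handed to the party responsible. The following is an added example, not code from the original article or from any vendor it describes: it times DNS resolution, TCP connect, TLS handshake and an HTTP request to a SaaS host in sequence, stops at the first stage that fails, and maps that stage to an escalation target. The stage-to-party mapping, the hostname `saas.example`, and the per-office sample results are assumptions constructed for illustration; only the live `check_chain` function touches the network.

```python
"""Stage-by-stage synthetic check of a SaaS delivery chain (added example)."""
import socket
import ssl
import sys
import time
from dataclasses import dataclass, field
from typing import Optional

# Assumed, simplified mapping of the first failing stage to the party to escalate to.
# A TCP failure can also be a secure web gateway dropping the flow, so run the same
# check from a vantage point that bypasses the SWG before blaming transit.
ESCALATION = {
    "dns": "DNS provider",
    "tcp": "ISP / transit (path to SaaS edge)",
    "tls": "SaaS or CDN edge (certificate / TLS termination)",
    "http": "SaaS provider (application layer)",
}


@dataclass
class StageResult:
    stage: str
    ok: bool
    ms: float          # elapsed time for this stage in milliseconds
    detail: str = ""   # resolved IP, TLS version, status line, or the error text


@dataclass
class ChainResult:
    location: str
    host: str
    stages: list = field(default_factory=list)

    def first_failure(self) -> Optional[StageResult]:
        return next((s for s in self.stages if not s.ok), None)

    def escalation_target(self) -> str:
        f = self.first_failure()
        return "none (all stages healthy)" if f is None else ESCALATION[f.stage]

    def evidence(self) -> str:
        """Plain-text record suitable for attaching to a provider ticket."""
        lines = [f"{self.location} -> {self.host}"]
        for s in self.stages:
            lines.append(f"  {s.stage:<4} {'ok  ' if s.ok else 'FAIL'} {s.ms:8.1f} ms {s.detail}")
        lines.append(f"  escalate to: {self.escalation_target()}")
        return "\n".join(lines)


def _timed(stage: str, fn) -> StageResult:
    t0 = time.perf_counter()
    try:
        detail = fn() or ""
        return StageResult(stage, True, (time.perf_counter() - t0) * 1000, str(detail))
    except Exception as exc:  # any failure ends the chain at this stage
        return StageResult(stage, False, (time.perf_counter() - t0) * 1000, f"{type(exc).__name__}: {exc}")


def check_chain(host: str, location: str, port: int = 443, timeout: float = 5.0) -> ChainResult:
    """Run DNS -> TCP -> TLS -> HTTP from this vantage point; stop at the first failure."""
    result = ChainResult(location, host)
    state = {}

    def dns():
        state["ip"] = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)[0][4][0]
        return state["ip"]

    def tcp():
        state["sock"] = socket.create_connection((state["ip"], port), timeout=timeout)

    def tls():
        state["tls"] = ssl.create_default_context().wrap_socket(state["sock"], server_hostname=host)
        return state["tls"].version()

    def http():
        s = state["tls"]
        s.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
        status = s.recv(64).split(b"\r\n", 1)[0].decode(errors="replace")
        if not status.startswith("HTTP/1."):  # any HTTP status line counts as "the app answered"
            raise RuntimeError(f"unexpected response line {status!r}")
        return status

    for stage, fn in (("dns", dns), ("tcp", tcp), ("tls", tls), ("http", http)):
        r = _timed(stage, fn)
        result.stages.append(r)
        if not r.ok:
            break
    for k in ("tls", "sock"):
        if k in state:
            state[k].close()
    return result


def stage_spread(results: list) -> dict:
    """Per-stage latency spread (max minus min, ms) across locations where that stage succeeded everywhere."""
    spread = {}
    for stage in ESCALATION:
        vals = [s.ms for r in results for s in r.stages if s.stage == stage and s.ok]
        if vals and len(vals) == len(results):
            spread[stage] = max(vals) - min(vals)
    return spread


# Constructed sample results (not real measurements): two offices checking the same host.
SAMPLE_DALLAS = ChainResult("Dallas", "saas.example", [
    StageResult("dns", True, 18.0, "203.0.113.10"),
    StageResult("tcp", True, 24.5),
    StageResult("tls", True, 61.0, "TLSv1.3"),
    StageResult("http", True, 95.2, "HTTP/1.1 200 OK"),
])
SAMPLE_NEWYORK = ChainResult("New York", "saas.example", [
    StageResult("dns", True, 21.0, "203.0.113.10"),
    StageResult("tcp", False, 5001.0, "TimeoutError: timed out"),
])

if __name__ == "__main__":
    # Live run against a host given on the command line, e.g. python chain.py login.example.com
    print(check_chain(sys.argv[1], "local").evidence() if len(sys.argv) > 1 else SAMPLE_NEWYORK.evidence())
```

Run the same check from each branch office (or from an agent placed on each side of the SWG) and compare the `evidence()` records: in the constructed sample, Dallas completes every stage while New York resolves the same address and then times out on TCP connect, which points at the path between the New York office and the SaaS edge rather than at DNS or the application. `stage_spread` gives the per-stage variability between locations that the "effect of location" factor above describes.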
Understanding the value and limitations of SD-WAN and creating a balanced monitoring portfolio that includes visibility for external environments will be the difference between enterprises that can master Internet-centric communication and those that are at its mercy. Mastering application delivery over the Internet must become a core competency for enterprise IT because, let's face it, we're not on the WAN anymore. And, unlike Dorothy, there's no going back.