Internet Breakout and SD-WAN

Internet Breakout is a term that refers to local/private traffic within an organization that is destined for the public Internet. Traditionally, many large organizations with a large geographic footprint (national or international presence, multiple branch sites widely separated, etc.) have used an MPLS backbone to handle all corporate traffic within their organization. All traffic is routed through the data center, and a uniform security profile is implemented at the data center for all ingress and egress traffic. This obviously simplifies enforcing strict and uniform security policies across all corporate locations. However, it is also highly inefficient in terms of managing traffic on the corporate WAN and LAN, since all traffic, including traffic destined for the public Internet, must be pulled into the data center and processed.

This method of traffic management, particularly for public Internet traffic, made a lot of sense over the past decades, when a hub-and-spoke network topology coupled with proprietary MPLS and private circuits was the most efficient and secure way for a large organization to handle Internet traffic flow. But the explosion of affordable, high-bandwidth connectivity and SD-WAN over the last decade has transformed the landscape considerably.

Cloud services and service-chaining have also fundamentally changed corporate traffic patterns. Offerings include Software-as-a-Service (SaaS), Security-as-a-Service (SECaaS), Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), Desktop-as-a-Service (DaaS), or, to encompass all these and others, the well-named Everything-as-a-Service (XaaS). All these cloud services reside on the public Internet, so pulling all this traffic (and all other public Internet bound traffic) into the corporate network before it exits to the Internet is inefficient and may result in unnecessary delays and reduced overall network performance.

SD-WAN Greatly Facilitates Internet Breakout

In a modern SD-WAN network, multiple broadband sources, including wired, wireless, MPLS, T1, DSL, and even satellite, are aggregated and orchestrated by the SD-WAN devices and related SD-WAN controllers, cloud relays and gateways.

For many small and medium-sized enterprises, the SD-WAN network consists entirely of multiple local ISP connections aggregated together. This takes advantage of the relatively cheap, reliable, and high-bandwidth connectivity available to the general public today.

But regardless of the underlying broadband connectivity, by its nature SD-WAN is set up to optimize network performance by intelligently aggregating these broadband sources and applying QoS (Quality of Service) and traffic shaping.

So a typical enterprise would have numerous virtual interfaces defined by the SD-WAN environment. A virtual interface overlays the physical ports and logically groups the desired physical interfaces together. The two endpoints of such a virtual interface form the overlay IP tunnel, similar to a supercharged VPN, with advanced algorithms ensuring optimal traffic management within the tunnel for a given traffic type. Imagine a large corporation that still relies on a hub-and-spoke topology and multiple broadband sources. One virtual interface might be set up to handle inter-office communications, another might handle office-to-office traffic, and a third interface might handle business-critical traffic between several branch offices and a main data center or central head office.

Within the SD-WAN environment one or more interfaces can be exclusively dedicated to public Internet bound traffic, reducing computational load and bandwidth consumption on network resources. In practice, this should be straightforward to do. Simply specify the traffic using a wide range of match options, such as source/destination IP address, source/destination ports, protocol and others, or using built-in layer 7 filters. Once the traffic has been identified, the SD-WAN orchestrator assigns it to a specific interface, such as an Ethernet port (e.g. ETH1) or a virtual interface. Assuming that this interface is connected to the public Internet via a local ISP, you have now created your Internet Breakout capability.
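The match-and-assign step described above, as an added, self-contained example that is not Mushroom Networks' code and does not reflect any particular orchestrator's configuration syntax. Flows are described by their 5-tuple plus an optional layer-7 application tag and are checked against an ordered rule list, first match wins; each rule names the egress interface (the overlay tunnel or a local ISP port). The interface names `overlay-tunnel-1` and `ETH1`, the rule fields, the application tags and the sample flows are all constructed for illustration. Because breakout traffic leaves the overlay and therefore bypasses whatever security chain the overlay provides, each decision also records which security stack is expected to inspect the flow, so the policy makes the trade-off visible rather than silent.

```python
"""Toy SD-WAN breakout policy engine (added example, not vendor code).

Flows are matched against an ordered rule list; the first matching rule
decides the egress interface. Interface names, rule fields and sample
flows are constructed for illustration only.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

OVERLAY = "overlay-tunnel-1"   # hypothetical SD-WAN overlay virtual interface
BREAKOUT = "ETH1"              # hypothetical port wired to the local ISP

# Corporate address space whose traffic must never leave the overlay.
CORP_NETS = [ip_network("10.0.0.0/8"),
             ip_network("172.16.0.0/12"),
             ip_network("192.168.0.0/16")]


@dataclass
class Flow:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "icmp"
    sport: int
    dport: int
    app: Optional[str] = None   # layer-7 tag supplied by an upstream classifier


@dataclass
class Rule:
    name: str
    egress: str
    dst_nets: list = field(default_factory=list)   # empty list = any destination
    protos: set = field(default_factory=set)       # empty set = any protocol
    dports: set = field(default_factory=set)       # empty set = any port
    apps: set = field(default_factory=set)         # empty set = any/no L7 tag

    def matches(self, f: Flow) -> bool:
        """Every non-empty criterion must match; empty criteria are wildcards."""
        dst = ip_address(f.dst)
        if self.dst_nets and not any(dst in n for n in self.dst_nets):
            return False
        if self.protos and f.proto not in self.protos:
            return False
        if self.dports and f.dport not in self.dports:
            return False
        if self.apps and f.app not in self.apps:
            return False
        return True


@dataclass
class Decision:
    rule: str
    egress: str
    inspected_by: str   # which security stack is expected to see this flow


# Ordered policy: first match wins, the last rule is the catch-all.
POLICY = [
    # Anything addressed to corporate space stays inside the overlay.
    Rule("corp-internal", OVERLAY, dst_nets=CORP_NETS),
    # Known SaaS traffic identified by the L7 classifier breaks out locally.
    Rule("saas-breakout", BREAKOUT, apps={"office365", "salesforce", "zoom"}),
    # Generic web browsing to public addresses also breaks out locally.
    Rule("web-breakout", BREAKOUT, protos={"tcp"}, dports={80, 443}),
    # Everything else keeps the overlay and its cloud security chain.
    Rule("default-overlay", OVERLAY),
]


def classify(flow: Flow, policy=POLICY) -> Decision:
    """Return the egress decision for a flow under the ordered policy."""
    for rule in policy:
        if rule.matches(flow):
            if rule.egress == BREAKOUT:
                inspected = "local NGFW/IPS"          # overlay security is bypassed
            else:
                inspected = "overlay cloud security"
            return Decision(rule.name, rule.egress, inspected)
    raise ValueError("policy has no catch-all rule")


# Constructed sample flows (RFC 5737 documentation addresses for public hosts).
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "10.200.0.10", "tcp", 51000, 445),                   # file share at HQ
    Flow("10.1.2.4", "203.0.113.10", "tcp", 51001, 443, app="office365"),  # SaaS
    Flow("10.1.2.5", "192.0.2.44", "tcp", 51002, 443),                     # public web
    Flow("10.1.2.6", "198.51.100.7", "udp", 51003, 5060),                  # VoIP to a partner
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        d = classify(f)
        print(f"{f.dst:>14} {f.proto}/{f.dport:<5} app={str(f.app):<10} "
              f"-> {d.egress:16} ({d.rule}, inspected by {d.inspected_by})")
```

Rule order matters: the corporate-space rule sits first so that an internal HTTPS service on port 443 is never mistaken for breakout-eligible web traffic, and the catch-all keeps any unclassified flow on the overlay rather than defaulting it to the local ISP.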

Advantages and Disadvantages of Internet Breakout

We’ve touched on some advantages of breaking out some of your public Internet bound traffic, but let’s go into a little more detail.

Some of the advantages of internet breakout include:

  • Less burden on the overlay tunnel – removing the public Internet traffic from the overlay tunnel frees up resources in terms of both bandwidth and processing capabilities, allowing the tunnel to focus on the more important company traffic and optimizing specified applications.
  • Potentially lower cost if the SD-WAN overlay tunnel is usage based.
  • Potentially lower latency, if the internet breakout point and destination are located close to each other geographically.

Some disadvantages of internet breakout include:

  • Non-optimized traffic management, since the breakout traffic can no longer take advantage of the performance and reliability features of the overlay tunnel. Presumably, this is acceptable, since by definition the traffic we chose to break out is non-critical.
  • Elastic, static IP addresses cannot be used with the breakout traffic since the cloud relay is responsible for implementing this feature.
  • And perhaps the biggest and most obvious disadvantage is that any cloud-based security features being used by the overlay tunnels will not be available for the breakout traffic. Securing the traffic with physical devices, or using a dedicated cloud-based security service may be required to implement standard security features, including Next-Gen Firewall (NGFW), intrusion detection and prevention (IDS/IPS), antivirus/malware/DoS/DDoS protection, URL filtering, and others.

The Choice is Yours with SD-WAN

Whether or not you choose to break out some of your public Internet bound traffic depends on many factors specific to your organization. It may or may not be beneficial, required, or desired depending on your network internals and your connectivity profile. Available bandwidth, complexity and priority of traffic, required latency profiles for real-time applications such as VoIP and live video streaming, impact of dropped or lost packets, and other factors all determine if internet breakout makes sense for your organization.

But with a modern SD-WAN orchestrator controlling your corporate network, setting up internet breakout becomes trivial – a few configuration options in your SD-WAN GUI are all you need to create highly customized and efficient internet breakout points, if you decide to.

Rob Stone, Mushroom Networks, Inc. 

Mushroom Networks is the provider of Broadband Bonding appliances that put your networks on auto-pilot. Application flows are intelligently routed around network problems such as latency, jitter and packet loss. Network problems are solved even before you can notice.



© 2004 – 2024 Mushroom Networks Inc. All rights reserved.