IT Security Refresh: More Practical Tips for a Good Foundation (Part 2)
“WAN” and “Agile” are two words that are not usually found in the same sentence. Provisioning circuits takes quite a bit of time.
Recently, I’ve been intrigued by Equinix Cloud Exchange, ECX. Granted, Megaport has a partially competing offering.
I think of ECX as a global virtual patch panel, providing rapid provisioning of new virtual connections in minutes. Fees are on a monthly basis — no long-term contract.
Up until recently, all it has taken to get started is a presence in Equinix, getting a physical connection from that CoLo space to ECX, and an ECX account. Now, with the just-announced Equinix Network Edge (NE), you no longer need the Equinix physical presence.
You can instead fire up a virtual device (router, SD-WAN device, or firewall) and VPN into it. Within minutes. The virtual device (NFV) comes pre-connected to ECX, so you can then leverage ECX for agile global connectivity. “NE connect” to anywhere else that’s connected to ECX — perhaps Equinix had that word play in mind when they chose the product name.
As far as your organization’s WAN sites, VPN is at present the sole connectivity option into NE. For a new site, you would still have to stand up an Internet connection. For now, anyway.
How does this affect WAN design?
At first glance, you can interconnect your sites with VPN / SD-WAN over the Internet. You can also extend that to your cloud presence, and any physical Equinix (or other CoLo) sites you have. So, what does NE buy you?
One Equinix claim is that they provide high-speed connectivity to a large number of carriers, with competitive pricing, in part because the carriers have massive connectivity into Equinix, and in part because you’re not paying for access circuits from your premises. Equinix ECX also provides rapid provisioning of high-speed low-latency connectivity to CSPs and other Equinix locations.
Network Edge provides you with Internet VPN access to that. So rather than Internet VPN all the way to a CSP or SaaS provider, traffic might go to a nearby Equinix site and then get higher performance connectivity from there.
One design option I’ve already written about (see links below) leverages Equinix Performance Hubs to design a regionally-based WAN. The idea was to deploy regional security stacks controlling Internet and Cloud access.
Now you can do that with virtual equipment, provided you don’t want compute / storage physically at Equinix. If you do have equipment already at Equinix, you might shift it to using a virtual router, firewall, or SD-WAN device instead of a physical one, using ECX to connect your physical switch to NE.
SD-WAN / SD-Branch marketing targets every site being your network edge, which is a competing design approach. Fully distributed security like that is still evolving. Sites may use “Internet breakout” for selected SaaS sites. NE and / or a deeper security stack still might be preferable for general Internet access.
Most sites that are doing SD-WAN are mixing transports: one MPLS circuit, one Internet. Except perhaps for 5-10-person small offices, e.g. sales offices.
NE opens up the possibility of doing regionalized SD-WAN into Equinix sites and using Equinix ECX connections as a secure international backbone. This might provide economies of scale in pricing, compared to trying to get, say, global MPLS coverage from one provider. It might also facilitate working with national carriers, e.g. in APAC, rather than with pass-thru from a U.S.-based circuit provider. It also avoids doing VPN across the global Internet.
Another area of opportunity is your hybrid cloud approach. What I’ve seen so far tends to be rather “ad hoc”. Organizations get physical connections from one or more datacenters, typically into one of AWS or Azure, then 6 to 12 months later, the other of the two. Office365 performance may then drive getting ExpressRoute for O365 from Azure. Each physical connection takes time to set up, delaying IT modernization projects.
Doing this via NE gets you connectivity where you can add cloud / SaaS connections quickly, assuming the CSP / SaaS provider has ECX connectivity, of course. You can do this within regions and use Equinix’s high-speed low-latency connectivity to tie regions together. The alternative is to use VPN or circuits back to your datacenter(s) to interconnect different CSPs.
Here are some terse use case descriptions.
New markets. If you’re adding offices, especially in a new region or country, you can connect them to a NE virtual device, and use ECX to connect that back to the rest of your WAN.
Interconnect hybrid clouds via Equinix, using their high-speed low-latency connectivity to CSPs (e.g. for data replication). In this case, ECX and NE provide the speed, and you only use the VPN connectivity to manage the devices. You might use this for a couple of months to finish an initial replication, then disconnect since follow-on replication would only send changes, having much lower volume.
Cloud-to-cloud migration is a variant of that. Use Equinix to avoid waiting for a circuit and consuming circuit bandwidth into one of your sites.
SD-WAN Branch to cloud: use SD-WAN to access regional virtual devices, and from there cross high-speed low-latency circuits to cloud. This might use ECX for the cloud connection, rather than running a virtual SD-WAN device directly in the cloud.
Right now, NE gives you one virtual device with virtual Internet and ECX connections. I have heard that Equinix is working on the obvious next step: interconnection of multiple virtual devices within NE (some sort of service chaining or virtual network plumbing). Think router + firewall + load balancer.
The other big thing for some organizations these days is shifting CapEx to OpEx. Equinix Network Edge would be OpEx “for the win”.
There’s one other thing one might wish for: agile options for physical connections into ECX and NE. Imagine being able to rapidly set up an ECX connection from your existing MPLS network / provider!
The Network Edge documentation tells you what you get:
Comments are welcome, both in agreement or constructive disagreement about the above. I enjoy hearing from readers and carrying on deeper discussion via comments. Thanks in advance!
Hashtags: #CiscoChampion #TechFieldDay #TheNetCraftsmenWay #Equinix #NetworkEdge #SDWAN #Cloud