“WAN” and “Agile” are two words that usually are not found in the same sentence. Provisioning circuits takes quite a bit of time.
Recently, I’ve been intrigued by Equinix Cloud Exchange, ECX. Granted, Megaport has a partially competing offering.
I think of ECX as a global virtual patch panel, providing rapid provisioning of new virtual connections in minutes. Fees are on a monthly basis — no long-term contract.
Up until recently, all it has taken to get started is a presence in Equinix, getting a physical connection from that CoLo space to ECX, and an ECX account. Now, with the just-announced Equinix Network Edge (NE), you no longer need the Equinix physical presence.
You can instead fire up a virtual device (router, SD-WAN device, or firewall) and VPN into it. Within minutes. The virtual device (NFV) comes pre-connected to ECX, so you can then leverage ECX for agile global connectivity. “NE connect” to anywhere else that’s connected to ECX — perhaps Equinix had that word play in mind when they chose the product name.
As far as your organization’s WAN sites, VPN is at present the sole connectivity option into NE. For a new site, you would still have to stand up an Internet connection. For now, anyway.
Designing with Network Edge
How does this affect WAN design?
At first glance, you can interconnect your sites with VPN / SD-WAN over the Internet. You can also extend that to your cloud presence, and any physical Equinix (or other CoLo) sites you have. So, what does NE buy you?
One Equinix claim is that they provide high-speed connectivity to a large number of carriers, with competitive pricing, in part because the carriers have massive connectivity into Equinix, and in part because you’re not paying for access circuits from your premises. Equinix ECX also provides rapid provisioning of high-speed low-latency connectivity to CSPs and other Equinix locations.
Network Edge provides you with Internet VPN access to that. So rather than Internet VPN all the way to a CSP or SaaS provider, traffic might go to a nearby Equinix site and then get higher performance connectivity from there.
One design option I’ve already written about (see links below) leverages Equinix Performance Hubs to design a regionally-based WAN. The idea was to deploy regional security stacks controlling Internet and Cloud access.
Now you can do that with virtual equipment, provided you don’t want compute / storage physically at Equinix. If you do have equipment already at Equinix, you might shift it to using a virtual router, firewall, or SD-WAN device instead of a physical one, using ECX to connect your physical switch to NE.
SD-WAN / SD-Branch marketing targets every site being your network edge, which is a competing design approach. Fully distributed security like that is still evolving. Sites may use “Internet breakout” for selected SaaS sites. NE and / or a deeper security stack still might be preferable for general Internet access.
Most sites that are doing SD-WAN are mixing transports: one MPLS circuit, one Internet. Except perhaps for 5-10-person small offices, e.g. sales offices.
NE opens up the possibility of doing regionalized SD-WAN into Equinix sites and using Equinix ECX connections for secure international backbone. This might provide economies of scale as far as pricing, compared to trying to get say global MPLS coverage from one provider. It might also facilitate working with national carriers, e.g. in APAC, rather than with pass-thru from a U.S. based circuit provider. It also avoids doing VPN across the global Internet.
Another area of opportunity is your hybrid cloud approach. What I’ve seen so far tends to be rather “ad hoc”. Organizations get physical connections from one or more datacenters, typically into one of AWS or Azure, then 6 to 12 months later, the other of the two. Office365 performance may then drive getting ExpressRoute for O365 from Azure. Each physical connection takes time to set up, delaying IT modernization projects.
Doing this via NE gets you connectivity where you can add cloud / SaaS connections quickly, assuming the CSP / SaaS provider has ECX connectivity, of course. You can do this within regions and use Equinix’s high-speed low-latency connectivity to tie regions together. The alternative is to use VPN or circuits back to your datacenter(s) to interconnect different CSPs.
Generic Use Cases
Here are some terse use case descriptions.
New markets. If you’re adding offices, especially in a new region or country, you can connect them to a NE virtual device, and use ECX to connect that back to the rest of your WAN.
Interconnect hybrid clouds via Equinix, using their high-speed low-latency connectivity to CSPs (e.g. for data replication). In this case, ECX and NE provide the speed, and you only use the VPN connectivity to manage the devices. You might use this for a couple of months to finish an initial replication, then disconnect since follow-on replication would only send changes, having much lower volume.
Cloud-to-cloud migration is a variant of that. Use Equinix to avoid waiting for a circuit and consuming circuit bandwidth into one of your sites.
SD-WAN Branch to cloud: use SD-WAN to access regional virtual devices, and from there cross high-speed low-latency circuits to cloud. This might use ECX for the cloud connection, rather than running a virtual SD-WAN device directly in the cloud.
Right now, NE gives you one virtual device with virtual Internet and ECX connections. I have heard that Equinix is working on the obvious next step: interconnection of multiple virtual devices within NE (some sort of service chaining or virtual network plumbing). Think router + firewall + load balancer.
The other big thing for some organizations these days is shifting CapEx to OpEx. Equinix Network Edge would be OpEx “for the win”.
There’s one other thing one might wish for: agile options for physical connections into ECX and NE. Imagine being able to rapidly set up an ECX connection from your existing MPLS network / provider!
What You Get
The Network Edge documentation tells you what you get:
- Virtual device
- Infrastructure sized for your device and vendor
- Virtual port pre-configured into ECX to connect with CSPs and other Equinix platform “members”
- Small block of public IP addresses
- Small starting amount of dedicated Internet access to SSH or VPN to the virtual device) — adjustable in the future
- ECX itself provides up to 1 Gbps and 10 Gbps connectivity.
- NE: initial licensing is 500 Mbps to 1 Gbps. Equinix has engineered the compute resource commitment scale so that the NFV device provides sufficient throughput (always a factor to consider with virtual devices).
- Equinix blog: Virtually Modernize Your Network In Minutes
- Equinix blog: Why Network Functions Virtualization Should Be Part of Your Infrastructure Strategy
- Equinix blog: The Evolution of Networks from Hardware to Software Using Virtualization
- Summary article about NE
- Equinix NE Data Sheet
- Equinix NE Documentation
- Equinix NE Free Trial (14 days)
- My prior blog: Getting Well Connected via Equinix
- My prior blog: Is Equinix Performance Hub Part of Your Future WAN?
- My prior blog: SD-WAN Plus Equinix Equals Global WAN
- My prior blog: WAN Design Is Changing: What That Means for You
Comments are welcome, both in agreement or constructive disagreement about the above. I enjoy hearing from readers and carrying on deeper discussion via comments. Thanks in advance!
Hashtags: #CiscoChampion #TechFieldDay #TheNetCraftsmenWay #Equinix #NetworkEdge #SDWAN #Cloud
Did you know that NetCraftsmen does network /datacenter / security / collaboration design / design review? Or that we have deep UC&C experts on staff, including @ucguerilla? For more information, contact us at firstname.lastname@example.org.