What is Local Internet Breakout?
In the past, corporate security relied on large centralised gateways to the Internet. These central portals provided not only firewalls but also proxy servers, antivirus and other functions. As the volume of Internet-sourced and Internet-destined traffic increases, carrying it across the corporate network is no longer viable. Instead, it should be removed from the business network as close to the user as possible.
Removing traffic from the network core is what Local Internet Breakout delivers.
Why is it better?
Moving Internet traffic to a local breakout can reduce the volume of traffic on the corporate network by up to 50% (based on information from Aryaka's State of the WAN report), providing room for growth in the core enterprise network.
How does it work?
Using commodity Internet bandwidth at each site provides access to the Internet. Direct Internet access is available to applications hosted on platforms such as Amazon's AWS, Microsoft's Azure and Office 365, and Google Docs and Cloud Platform. A direct connection improves response times, as a greater part of the traffic's journey is on the Internet over higher-bandwidth links. It also avoids paying multiple times for the same traffic as it travels across the network.
This link needs protection, as the Internet contains a few malicious people keen on exploiting any avenue into a corporate network. You can now apply a coherent firewall policy at each site, with tools orchestrating the many dispersed firewalls. Cheap firewalls and low-cost Internet access using ADSL or fibre delivery, deployed at each location, reduce costs.
While costs can be higher for both firewalls and orchestration, this is offset by the reduction in the cost of the core network. The savings can even pay for the additional systems needed for centralised logging and analysis, which dispersed solutions need for proper management.
What are the challenges?
Achieving the gains of Local Internet Breakout requires careful thought and planning. Simply attaching an Internet connection to the site is not the way to enable it; it needs consideration on a network-wide basis, especially if implemented not site by site but at regional hubs. Consider the following items:
- Propagating the default route, and the impact on routing tables
- Edge security: is providing a NAT boundary enough?
- What about IPv6 (which doesn't NAT)?
- Automated tooling for monitoring and management that scales across many sites
- Additional local appliances (physical or virtual) for security, or use the cloud?
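The last four items above come together in how each site's firewall policy is produced and checked. As an added example (not from the article, and not any vendor's tooling), the script below renders one central nftables template per site so every breakout enforces the same baseline: stateful default-deny inbound on the WAN for IPv4 and IPv6 alike (IPv6 has no NAT to hide behind), IPv4 masquerade for the LAN, and dropped packets logged with a per-site prefix for central analysis. It also audits any ruleset text for those baseline gaps. Site names, interface names and prefixes are constructed values.

```python
from dataclasses import dataclass

@dataclass
class Site:
    name: str
    wan_if: str
    lan_if: str
    lan_v4: str        # RFC 1918 LAN prefix, masqueraded on the WAN (constructed values in tests)
    lan_v6: str = ""   # globally routable prefix; empty if IPv6 is not deployed at the site

# Central template: stateful default-deny inbound on the WAN for v4 and v6, v4 masquerade, logged drops.
TEMPLATE = """\
table inet breakout_{name} {{
  chain input {{
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    iif "{lan_if}" accept
    iif "{wan_if}" icmpv6 type {{ nd-neighbor-solicit, nd-neighbor-advert, echo-request }} accept
    iif "{wan_if}" log prefix "{name}-wan-in-drop: " drop
  }}
  chain forward {{
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iif "{lan_if}" oif "{wan_if}" ip saddr {lan_v4} accept
{v6_forward}    iif "{wan_if}" log prefix "{name}-wan-fwd-drop: " drop
  }}
}}
table ip breakout_nat_{name} {{
  chain postrouting {{
    type nat hook postrouting priority srcnat; policy accept;
    oif "{wan_if}" ip saddr {lan_v4} masquerade
  }}
}}
"""

def render_policy(site: Site) -> str:
    """Render one site's ruleset; IPv6 is forwarded only when the site has a prefix."""
    v6 = ""
    if site.lan_v6:
        v6 = f'    iif "{site.lan_if}" oif "{site.wan_if}" ip6 saddr {site.lan_v6} accept\n'
    return TEMPLATE.format(name=site.name, wan_if=site.wan_if, lan_if=site.lan_if,
                           lan_v4=site.lan_v4, v6_forward=v6)

def audit_policy(policy: str) -> list[str]:
    """Flag baseline gaps in any nft ruleset text (e.g. a legacy IPv4-only NAT box)."""
    checks = [
        ("table inet" in policy or "table ip6" in policy, "IPv6 unfiltered: ip-only table, and v6 has no NAT to hide behind"),
        ("policy drop" in policy, "no default-deny chain"),
        ("log prefix" in policy, "drops are not logged for central analysis"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Feed `render_policy` output to `nft -f` on each site from your orchestration tool, and run `audit_policy` over rulesets pulled back from sites to catch boxes that drifted from the baseline.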
What of the future?
The use of cloud applications such as Microsoft Office 365, the spread of the Internet of Things, and web-hosted micro-services accessed via JSON and RESTful API calls will continue to drive up direct Internet bandwidth, and it makes no sense to carry this traffic on the corporate WAN.
Why have this Internet traffic conflict with the things you need to send to your data centre, just to emit it into the Internet from a central point?