Technology is evolving at unprecedented speeds. But with all the changes and advancements, one thing that seemingly never changes is enterprise Internet edge architecture. Enterprise Internet edge architecture is how a corporation’s network connects to the Internet. At the simplest level, a service provider’s edge connects over an access circuit to the enterprise edge which lives in the corporate data center. The enterprise edge architecture contains the corporate security systems and supplies connectivity to the corporate WAN.
But change is inevitable, even with enterprise Internet edge architecture. Over the past 12 months, the two main drivers for these changes have been the Cloud and increased security risks. It’s the first shift in this design that I’ve seen in my career.
The Cloud is driving enterprises to a more distributed Internet edge architecture because users need to access information as quickly as possible. Hairpinning traffic through a centralized corporate data center is no longer efficient, since it adds both latency and additional network hops. Likewise, the increased security risks, particularly large-scale DDoS attacks, are making the legacy architecture archaic: enterprises end up spending data center resources, and the access circuits leading to them, on packets that should have been dropped upstream (who really needs a 500 Mbps DDoS attack traversing their local access circuit?).
Corporations relying on the Cloud are distributing their edge by adding next-generation firewalls to remote offices or leveraging provider-based network firewalls for greater distribution. Minimizing latency makes for a more efficient Cloud and more productive people. Level 3, for example, has direct connections with many of the largest Cloud providers, meaning that an enterprise using our Internet Services would be able to access those Cloud Services without first routing through a corporate data center, with much greater efficiency as a result.
Distributing at the edge is great for the end user, but what about those major services that live in the data center, such as email, DNS, web servers, or VoIP servers? The Internet edge architecture is evolving to serve these services more efficiently as well, and the material shift is integrating corporate security into the provider's Cloud (or as close to it as the enterprise can get). This integration allows for a more efficient use of assets, as firewalls, IDSs, and load balancers are moved up near the provider's core, typically within the provider's gateway. In this way, all filtering is done before any packets even touch the local access circuits.
For example, if an enterprise currently has a 1 Gbps Internet circuit from their ISP and this enterprise receives a 5 Gbps DDoS attack, their access circuit will be flooded with useless traffic. But by moving their security equipment into the provider's gateway, they can use a larger access circuit in the gateway, filter out any attack packets, and send only clean traffic down the same 1 Gbps access circuit. This edge architecture design allows for the most efficient use of both the provider's edge and the enterprise edge. Larger access circuits with low committed access rates from the Internet provider allow the enterprise to absorb large attacks closer to the source and keep unwanted traffic off of the local access circuit, while allowing the enterprise to keep control of their firewalls, IDSs, and load balancers.
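As an added illustration (not part of the original post), the following Python capacity model walks the 1 Gbps / 5 Gbps scenario above through both designs: security placed in the data center after the access circuit, versus security placed in the provider gateway before it. The 10 Gbps gateway circuit, the 600 Mbps of legitimate traffic and the proportional tail-drop approximation are assumptions chosen for the example.

```python
"""Capacity model for the two edge designs discussed above (constructed example).

Traffic is a dict of class -> rate in Mbps.  A Link drops traffic in
proportion to each class's share once the offered load exceeds its
capacity (a crude stand-in for FIFO tail drop on a saturated circuit).
A Filter removes the attack class entirely.  A path is a list of stages
applied in order, so stage order is what distinguishes the two designs.
"""
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    capacity: float  # Mbps

    def forward(self, traffic):
        offered = sum(traffic.values())
        if offered <= self.capacity:
            return dict(traffic)
        keep = self.capacity / offered  # every class loses the same fraction
        return {cls: rate * keep for cls, rate in traffic.items()}


@dataclass
class Filter:
    name: str
    drop_classes: tuple = ("attack",)

    def forward(self, traffic):
        return {c: r for c, r in traffic.items() if c not in self.drop_classes}


def run_path(stages, traffic):
    """Return (delivered traffic, per-stage trace of legit/attack Mbps)."""
    current, trace = dict(traffic), []
    for stage in stages:
        current = stage.forward(current)
        trace.append((stage.name, round(current.get("legit", 0.0), 1),
                      round(current.get("attack", 0.0), 1)))
    return current, trace


# Assumed traffic mix: 600 Mbps legitimate plus the post's 5 Gbps DDoS.
OFFERED = {"legit": 600.0, "attack": 5000.0}

# Legacy design: firewall/IDS in the data center, downstream of the 1G circuit.
LEGACY = [Link("provider gateway (10G)", 10000), Link("access circuit (1G)", 1000),
          Filter("data center firewall/IDS")]
# Distributed design: firewall/IDS inside the provider gateway, upstream of the 1G circuit.
GATEWAY = [Link("provider gateway (10G)", 10000), Filter("gateway firewall/IDS"),
           Link("access circuit (1G)", 1000)]


def legit_goodput(stages, traffic=OFFERED):
    """Legitimate Mbps that actually reach the data center for a given design."""
    delivered, _ = run_path(stages, traffic)
    return round(delivered.get("legit", 0.0), 1)


if __name__ == "__main__":
    for label, path in (("legacy", LEGACY), ("gateway", GATEWAY)):
        print(f"{label}: {legit_goodput(path)} Mbps of legitimate traffic delivered")
```

In the legacy path the saturated 1 Gbps circuit passes only about 107 Mbps of the 600 Mbps of legitimate traffic, while filtering in the gateway delivers all 600 Mbps down the same circuit.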
Here are some visuals describing the evolution…
So, as enterprises continue to move applications to the cloud and security risks evolve, every enterprise will need to evaluate its Internet edge architecture. Is it time to assess where your network is being secured? Would your application performance improve by moving security closer to the provider? Would you like to stop threats before they even enter your data center? If you answered yes to any of these questions, then perhaps it is time for your edge architecture to evolve.