AWS, Azure & Co: Drivers for virtual routers and SD-WAN

In times of constantly growing demands on company IT infrastructures, the importance of using the available resources efficiently cannot be understated. A growing trend in recent years is the outsourcing of IT services to the data centers and clouds at Amazon, Microsoft and Co. At companies of all sizes, this continues to be a driving issue for admins and IT managers.

But outsourcing needs careful planning. Apart from selecting the “right” provider, one vital question is at the top of the agenda: How do you securely integrate the new cloud services into your company’s own infrastructure? How do you ensure that no data is lost, accessed or manipulated during transport between the company and the cloud data center?

The key is a secure tunnel directly from the company to the cloud service. This is realized conventionally with virtual private networks (VPN), a technology used for years in both the public and private sectors for securing connections between multiple locations.

Virtual private networks guarantee security

Secure connectivity to the data center and between the various company locations is essential protection against cyber attacks and industrial espionage. It is also vital for the secure transmission of company data from A to B, or for encrypted access to databases and files on remote company servers.

The well-established method of using a VPN connection for transfer and access has become standard for protecting these sensitive or mission critical data or databases. The functionality is simple: An end-to-end IPsec-based tunnel is created between the user and the application for transferring data in both directions. Users with access to the secured VPN tunnel can access the data online from anywhere once the secured connection to the database/system has been established.

“Conventional” VPN infrastructures are hardware-based, with a router operating as a VPN endpoint at each end of the tunnel. Smaller branch offices are usually equipped with compact, all-round devices. In technically referred to as “CPE” (customer premises equipment), these routers feature additional DSL, Wi-Fi, or VoIP functionalities. Larger sites where the tunnels from the branch offices converge are equipped with VPN gateways or even concentrators to terminate the tunnels securely. Providing secure connectivity to mobile employees requires specialized software, i.e. a VPN client.

Hardware VPNs and their limitations

Although conventional VPNs with their company routers and gateways work extremely well, the limitations of purely hardware-based solutions become apparent when connecting to one of the large cloud providers, such as VMware, Microsoft Azure or Amazon Web Services (AWS). It would be unthinkable to send a router to one of these “giants” and request that they set it up in their own data center as a secure, trusted tunnel endpoint for the exclusive use of your own company. Equally unthinkable, however, is working without VPN.

The solution is a virtualized VPN router at the remote site, i.e. software on a virtual machine: It provides almost the same functionality as its hardware counterpart, while providing many benefits such as extreme versatility, scalability, and failure safety that go far beyond the functionality of simple VPN software clients:

A virtual router (or vRouter) is a piece of software that replicates the functionality of hardware-based routing, which normally uses dedicated hardware. As virtual routing liberates the IP routing function from specific hardware, routing functions can be more freely moved around a network or data center. Also, they can be dynamically configured, automated or adapted to the needs of the network, which means higher flexibility. It can be run on any standard commercial off-the-shelf (COTS) server with the advantage of reducing costs for hardware and increasing interoperability, rather than requiring a proprietary platform.

A virtual VPN router is able to establish a secure VPN tunnel between a corporate network and public cloud computing offerings to prevent data from being compromised or even the loss of sensitive information.

The major cloud providers like AWS & Co. offer their own VPN services. However, for many companies these are simply no alternative, due to the question of confidentiality, or even strict compliance guidelines. And operating cloud solutions from different vendors across multiple virtual machines is a major impediment to network management. It is impossible to centrally manage a heterogeneous VPN network with a divergent range of components. The solution to the problem is a scalable, versatile vRouter at each end of the tunnel.

Silver bullet: vRouters combined with SD-WAN

When it comes to the challenge of combining homogeneous management with secure connectivity, the vRouter offers an elegant solution. But if you want to make the most of the advantages of using public cloud services, in particular the flexibility to book (or cancel) services and resources as you need them, then you need more than just a secure and trusted network—you need to be able to react quickly to new demands and new requirements. And this is exactly where standard VPNs (including “conventional” vRouters) reach their limits.

Setting up new VPN tunnels—best of all with virtualization and advanced networking capabilities—is a complex and time-consuming exercise. Expanding a conventional VPN is often a full-blown IT project in itself. Which is in stark contrast to the flexibility and agility of cloud-based resources and services.

SD-WAN resolves this conflict by providing scalable and flexible software-defined networking at the remote site, a solution that adapts to meet almost any needs. The complexity of setting up VPN connections means there are obvious benefits to using SD-supported, automated network setup.

The installation, configuration, and monitoring of classical VPNs requires IT admins who have to manually configure and manage each device, be it a central-site gateway or single VPN router. With SD-WAN, administrators are able either to replace costly MPLS infrastructures and shift to cheaper Internet connections such as DSL or fiber, or to optimize existing VPN infrastructures. SD-WAN combines the reliability of MPLS networks with the financial advantages of VPNs using inexpensive landline or mobile connections – further adding ease-of-use, agility, visibility and an extra layer of security and control. The flexible nature of an SD-WAN also enables organizations to reduce resource over-provisioning and eliminate travel costs for on-site technicians, which in turn can further reduce operational WAN costs (OPEX). The cheaper and more flexible VPNs also run on a virtual router. Virtual VPN remote sites enable a homogeneous VPN infrastructure for companies, which are easy to scale and manage centrally.

Application scenarios

Companies actively looking to outsource their IT services to public clouds need to think about some important issues up front: What kind of connection do we need? Is our existing VPN infrastructure up to the job? If not, which solution gives us the flexibility we need to follow this path?

Basically, a virtual router offers advantages when you are outsourcing from your own data center to the cloud, i.e. in any situation where a company needs to move an environment to the cloud temporarily or in the short term. Examples of this include load-overflow or backup systems, special tests, and campaigns.

A VPN solution has to offer the basis for planning and future proofing that supports all of the approaches mentioned here. And this is precisely what LANCOM fulfills with their combination of professional hardware, vRouter and the LANCOM Management Cloud (LMC) for software-defined WAN.



Take a look at our technology website about SD-WAN and the supported LANCOM portfolio for more information:

No Comments Yet

Leave a Reply

Your email address will not be published. Required fields are marked *

When you leave a comment, the system automatically stores the following data:

    • your name or your pseudonym (mandatory information / will be published)
    • your e-mail address (mandatory / will not be published)
    • your IP address (the IP address will be deleted automatically after 60 days)
    • date and time of the comment submitted
    • a website (optional)
    • your comment text and personal data contained therein
    • I also agree that all personal data entered together with my IP address will only be checked and stored by the Akismet spam filter in the USA for the purpose of spam prevention. Further information on Akismet and revocation options can be found here.