Even though marketing machines would have you believe otherwise, networking professionals are only starting to toy with the idea of cloud computing. Entrusting the crux of wide area networks (WANs) -- secure sockets layer virtual private network (SSL VPN) gateways -- to the cloud is a big leap for network engineers, but cloud VPN services are popping up and may suit enterprises that can't afford or can't properly maintain thousands of dollars' worth of global remote access infrastructure.
Cloud VPN services fit best in enterprises "where you have a remote user population that will fluctuate between regions of the world, especially where their access network is not unified -- say, it's not being provided by a single ISP," said Michael Suby, director of Stratecast, a division of Frost & Sullivan. "When you don't have control of the Internet provider, then you … have some limitations, in terms of what you can guarantee [as far as] performance characteristics."
End users traveling overseas and trying to gain access to the enterprise's SSL VPN gateway at corporate headquarters are often frustrated by inconsistent VPN performance, Suby said.
"Executives [who] are making these trips -- they're being paid well and their time is money," he said. "Having a consistent experience -- one that you can count on for reliability -- is a key attribute."
Even though latency will always be an issue across the WAN, he added, using a service provider's cloud VPN service means end users could log into the network via a closer gateway and hit the fast lane -- the provider's MPLS network -- instead of getting jammed up in Internet traffic bottlenecks.
"You can't break physics," Suby said. "It's a matter then [whether] you ride along a managed network service for the length of Hong Kong to San Francisco or [whether] you go through the Internet, which could be several ISP networks and several peering points -- so [you have] potentially more hops creating the potential of performance degradation."
As with any cloud-based service, enterprises reap the savings of not having to buy equipment or hire employees to maintain it. It's also one fewer box for a WAN manager to monitor. But beware of "provider lock-in" with contracts, Suby said.
"[Enterprises] may say, 'There's this next-generation SSL VPN that has a better mixture of feature characteristics better suited to my needs. I want that,' but the service provider says, 'Our platform doesn't offer that,'" he said. "[On your own], you have some flexibility if you want to be nimble."
Cloud VPN service relieves one-man networking team
For at least one global enterprise, the decision to replace in-house remote access equipment with a cloud VPN service was a question of scale and cost.
As the only networking support for Williams Controls Inc., a Portland, Ore.-based manufacturer of electronic throttle controls for commercial vehicles, network engineer Paul Nutter cannot be everywhere at once.
"It's a little difficult [to ensure remote access reliability]," Nutter said. "[I] don't do 24 hours a day here, and we've got people working around the clock [in our Chinese and German offices]."
When the company first started to realize about nine years ago that employees would need remote access to the Williams network while traveling abroad, its initial solution would now send shivers down the spine of anyone accustomed to high-speed connections -- dialup modems and terminal servers.
"We didn't use remote access very much, so when they were off the network, they were disconnected," Nutter said. "It was access to email mostly that drove [investing in remote access]. People were being disconnected when they'd use the dialup. It was so bad that [headquarters employees] would have to read them their emails over the phone."
After consulting with his telecom support team, Nutter turned to Virtela Communications, a managed service provider that recently began guaranteeing "100% global availability" for its cloud VPN services -- promising credit to any customers whose remote access speeds fall below their service-level agreements.
Although he initially felt "pretty iffy" about outsourcing something so critical, Nutter started off slowly about five years ago -- first with the SSL VPN gateways. Virtela quickly proved its worth, and Nutter now uses the service provider for all WAN connectivity.
Whether they're logging on from the manufacturing plant in Suzhou, China, or the sales office in Sauerlach, Germany, Nutter's users go through one of Virtela's local SSL VPN gateways attached to its MPLS network, bypassing traffic on the public Internet.
"The dialup connectivity wasn't working for us, obviously, and trying to man a data center 24 hours a day was fairly cost prohibitive," he said. "I'm basically it, so it makes it a whole lot easier if we do outsourcing."
Limited market still for cloud VPN services
If you're shopping for a true cloud offering, there are not yet many options. Traditional telecom carriers offer managed services for customer-owned and premise-based equipment, Suby said.
Although "cloud" is often thrown around as a branding strategy, he said, only two service providers, Virtela and ANXeBusiness, operate their SSL VPN gateway solutions as a true multi-tenant cloud VPN service -- hosting, managing and maintaining the equipment and services that are shared among multiple customers.
Cloud VPN services free up customers from buying or maintaining any equipment -- including gateways, load balancers and firewalls -- according to Kathy Lynch, product manager at Virtela. Turning a capital expense into an operating expense appeals to many enterprises that don't have their own systems in place, she said.
"A single gateway can cost anywhere from a baseline of a few thousand dollars to $10,000, depending on how many end users you need," Lynch said. "We also build security event correlation into our design…. If a user wanted to do that on their own, these systems start at $50,000 to $60,000 alone."
Once a user tries to log into a Virtela gateway in North America, Asia-Pacific or Europe, the provider's network determines the routing path of least resistance and puts the end user on the closest and freest gateway, she said. Individual connections are virtualized and separated for security purposes.
"We integrate that with our MPLS infrastructure," Lynch said. "It really and truly provides a better means to ensuring that the end user's experience isn't compromised."
Let us know what you think about the story; email: Jessica Scarpati, News Writer