Overcoming Connectivity, Performance & Security Issues in Regions Like China
November 15, 2021
SD-WAN Regional Design with SASE Architecture
Many enterprises that have branches in remote and poorly connected regions, such as China, experience significant connectivity and performance issues when accessing services and data hosted outside of those locations. For example, from a bandwidth and security perspective, China’s local internet heavily restricts communication outside of the country, causing severe problems with secure connectivity to applications in data centers or cloud locations in other regions.
Implementing a modern SASE (Secure Access Service Edge) architecture from these branches requires the traffic to go via Cloud Security Providers (CSPs), such as Zscaler or Palo Alto Networks Prisma. However, these services do not adequately address performance problems. That’s because branch users send the traffic via the CSP node in China, resulting in the same performance and connectivity issues after the CSP puts the traffic back on the internet.
These same connectivity issues also affect SaaS. SD-WAN vendors cannot ‘spin up’ virtual machines (VMs) in SaaS clouds, and some SaaS solutions are only in a single cloud or a few locations. They also have other restrictive requirements, such as a maximum of 150 milliseconds Round Trip Time (RTT). Bearing in mind that RTT from China/Africa/Australia to Europe alone is well over 200 milliseconds, how could an office in China, or South Africa, for example, connect to SaaS applications based in Europe or the United States?
Although several solutions can address connectivity issues, the performance issues will remain. These connectivity solution options include:
1 – MPLS (Multiprotocol Label Switching) Provider
An MPLS provider will guarantee connectivity. However, the downside is low performance and bandwidth, slow deployment and, as MPLS is needed at each branch, this solution is also expensive to implement.
2 – Microsoft Azure vWAN
While Microsoft Azure vWAN guarantees connectivity and is fast to deploy, similar to MPLS, performance is low and bandwidth is low to moderate. It also requires manual IPSec (Internet Protocol Security) tunnels from each branch, which is expensive to deploy.
3 – Cloud-Based SD-WAN
Cloud-based SD-WAN benefits from fast deployment, guaranteed connectivity and performance improvements. However, this option can also be expensive to deploy, and bandwidth can be moderate.
A Better Way Forward with Teneo
At Teneo, we’ve created an alternative service based on an Aruba/Silver Peak Regional Design with a SASE architecture. With this solution, each region has several hubs, which can be specific sites or data centers, and communication between regions is carried via those hubs. Each region also treats business applications separately, which in Aruba/Silver Peak EdgeConnect terms means the Business Intent Overlays (BIOs) and the IPSec SD-WAN topology are region-specific.
Internet browsing can be done via the CSP. For example, with Zscaler, each branch’s EdgeConnect in China builds an IPSec tunnel, configured automatically via the Aruba Unity Orchestrator API, to the closest ZEN node(s) (Zscaler Enforcement Nodes) in China for local internet sites only. See the green path from BR-2 in the diagram below.
Each branch’s EdgeConnect in China has ‘SD-WAN connectivity’ via the hubs to the closest international ZEN nodes (such as Hong Kong or Singapore) for secure browsing of all international internet sites. See the yellow path from BR-2 in the diagram below.
This ‘split’ is a design based on Aruba’s Business Intent Overlay (BIO) technology and delivers a SASE (Secure Access Service Edge) architecture to improve security, connectivity, and performance.
China branch connectivity to corporate data centers and applications (outside of China) is delivered via the hubs using the SD-WAN fabric, with all SD-WAN features available. These include FEC (Forward Error Correction) for packet loss mitigation; performance-aware routing based on link bonding policies; redundancy; and WAN Optimization (Data Deduplication and Application Acceleration). The blue path in the diagram below represents China branch connectivity to the data center or to another branch (in or outside the China region).
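As an added illustration (not Teneo’s, Aruba’s or Zscaler’s code or configuration), the following Python models the three traffic paths described above as a destination-steering policy for a China branch. The overlay labels, the corporate prefixes and the `.cn` suffix rule are constructed assumptions for the example.

```python
"""Constructed model of the three-way traffic split described above.

The overlay names below are illustrative labels for this example, not
Aruba/Silver Peak Business Intent Overlay names or configuration syntax.
"""
import ipaddress

LOCAL_ZEN = "local-zen"        # branch -> IPsec tunnel to in-country ZEN (green path)
INTL_ZEN = "hub-to-intl-zen"   # branch -> regional hub -> international ZEN (yellow path)
SDWAN_FABRIC = "sdwan-fabric"  # branch -> hub -> corporate DC or other branch (blue path)

# Constructed sample policy data: corporate address space and the domain
# suffixes treated as "local internet sites" for the China region.
CORPORATE_PREFIXES = [ipaddress.ip_network(p) for p in
                      ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOCAL_SUFFIXES = (".cn",)  # anything else is international by default


def classify(destination: str) -> str:
    """Map a destination IP or hostname to 'corporate', 'local' or 'international'.
    Unknown or malformed destinations are treated as international, so they are
    steered via the hubs rather than out of the in-country egress path."""
    try:
        addr = ipaddress.ip_address(destination)
    except ValueError:
        host = destination.strip().lower().rstrip(".")
        return "local" if host.endswith(LOCAL_SUFFIXES) else "international"
    if any(addr in net for net in CORPORATE_PREFIXES):
        return "corporate"
    return "international"


def select_overlay(destination: str) -> str:
    """Pick the overlay a China-branch EdgeConnect would use for this destination."""
    return {"corporate": SDWAN_FABRIC, "local": LOCAL_ZEN,
            "international": INTL_ZEN}[classify(destination)]


def steer_flows(flows):
    """Return {overlay: [destinations]} for a list of constructed flow destinations."""
    plan = {LOCAL_ZEN: [], INTL_ZEN: [], SDWAN_FABRIC: []}
    for dest in flows:
        plan[select_overlay(dest)].append(dest)
    return plan


if __name__ == "__main__":
    # Constructed sample flows from a China branch.
    sample = ["10.20.30.40", "portal.example.cn", "saas.example.com", "203.0.113.7"]
    for overlay, dests in steer_flows(sample).items():
        print(f"{overlay:16} {dests}")
```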
This solution brings numerous connectivity and performance improvements, including improved security, connectivity and network performance, optimized SaaS and remote-user connectivity, and cloud cost reduction.
Testing based on 30 days of live traffic monitoring by Teneo on an enterprise network with 18 sites in China, connecting to services in London, UK, produced the following results:
Diagram: SD-WAN Regional Design and Traffic Paths
Could such a regional SD-WAN design with a SASE architecture help you to overcome connectivity, performance and security issues in regions like China, too?