Local internet breakout is a concept that has been tossed around for decades. Sure, maybe you know a guy, who knows a guy, who talked to a guy who deployed it once, but that is about as close as most of us have come to seeing it in a production environment. Before becoming an analyst, nearly 20 years ago, I was a network engineer who ran networks of various sizes, and I wanted to do local internet breakout even back then. The benefits are obvious: it optimizes WAN bandwidth and application performance. Traffic from a branch that is bound for the data center should traverse the wide area network (WAN), while sessions bound for cloud services should go directly to the internet from the branch instead of being backhauled to a central egress point.
Why Local Internet Breakout Hasn’t Yet Gone Mainstream
Doing local internet breakout on a traditional MPLS hub-and-spoke network was overly difficult, because MPLS circuits were designed to carry everything back to the hub, not to split traffic between a private path and a direct internet path. The rise of software-defined WANs (SD-WAN) has made breakout practical, since the broadband connections that SD-WAN uses are built for direct-to-internet connectivity. Even in hybrid configurations, network professionals can architect the WAN so that on-net traffic (data center and inter-branch destinations) uses the MPLS connection while cloud-destined traffic runs over broadband.
One challenge remains with local internet breakout, and that is security. Even once the complexity problems are solved, the security problems have been daunting enough that businesses were unlikely to shift to this architecture. Historically, there has not been a cost-effective way of securing a local internet connection at every branch office. Each branch that egresses directly to the internet becomes its own perimeter, so businesses would ultimately be faced with purchasing a firewall for every location. In fact, to ensure resiliency, two firewalls would likely need to be deployed per site. Beyond the firewall, the company would also want a range of other security devices to mirror the DMZ in the data center. The cost of doing this with conventional hardware appliances could easily eclipse tens, or even hundreds, of thousands of dollars per site.
Companies have been forced to choose between extraordinary cost and subpar performance. Fortunately, there are solutions today that let companies realize the benefits of split tunneling without breaking the bank on security, and they come in the form of virtual services.
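To make the split concrete, here is an added example (not from the article or any vendor's product) of what the branch router in a hybrid SD-WAN has to do: pick a path per destination with longest-prefix match, and enforce the minimum per-branch firewall that local breakout requires, namely that the broadband interface only ever carries return traffic for flows the branch initiated. The prefixes, gateways and interface names are constructed for illustration; the rendered output is plain Linux `ip route` and nftables configuration, and the two decision functions mirror it so the policy can be checked offline.

```python
import ipaddress

# Constructed branch topology (assumed names and addresses, not from the article).
PATHS = {
    "mpls":     {"iface": "eth0", "gw": "10.255.0.1"},   # private WAN to the data center
    "breakout": {"iface": "eth1", "gw": "192.0.2.1"},    # broadband, direct to internet
}
LAN_IF = "eth2"
LAN_PREFIX = "10.42.0.0/24"

# Routing policy: destination prefix -> path. Longest prefix wins; the /0 is the
# local-breakout default, so anything not explicitly on-net leaves via broadband.
ROUTE_POLICY = [
    ("10.0.0.0/8",    "mpls"),      # data center and campus ranges
    ("172.16.0.0/12", "mpls"),      # other branches
    ("0.0.0.0/0",     "breakout"),  # SaaS, IaaS and everything else
]


def select_path(dst: str, policy=ROUTE_POLICY) -> str:
    """Return the path name ('mpls' or 'breakout') for a destination address.

    This is the same longest-prefix-match the kernel performs on the routes
    rendered below, so a more specific on-net route always beats the default.
    """
    addr = ipaddress.ip_address(dst)
    best_len, best_path = -1, None
    for prefix, path in policy:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and net.prefixlen > best_len:
            best_len, best_path = net.prefixlen, path
    if best_path is None:
        raise ValueError(f"no route for {dst}")
    return best_path


def firewall_verdict(in_if: str, out_if: str, ct_established: bool) -> str:
    """Mirror of the forward chain rendered below: accept or drop one forwarded packet.

    The only way a packet arriving on the broadband interface reaches the LAN is
    as part of a flow the branch opened; unsolicited inbound is dropped.
    """
    if ct_established:
        return "accept"   # replies to flows that were accepted when they were new
    wan_ifaces = {p["iface"] for p in PATHS.values()}
    if in_if == LAN_IF and out_if in wan_ifaces:
        return "accept"   # branch users going out via either path
    if in_if == PATHS["mpls"]["iface"] and out_if == LAN_IF:
        return "accept"   # data-center-initiated traffic over the private WAN
    return "drop"         # everything else, including anything new from broadband


def render_config() -> str:
    """Emit the routes and nftables ruleset that implement the policy above."""
    lines = []
    for prefix, path in ROUTE_POLICY:
        p = PATHS[path]
        target = "default" if prefix == "0.0.0.0/0" else prefix
        lines.append(f"ip route add {target} via {p['gw']} dev {p['iface']}")
    mpls, bb = PATHS["mpls"]["iface"], PATHS["breakout"]["iface"]
    lines += [
        "",
        "table inet branch {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state invalid drop",
        "    ct state established,related accept",
        f'    iifname "{LAN_IF}" oifname {{ "{mpls}", "{bb}" }} ct state new accept',
        f'    iifname "{mpls}" oifname "{LAN_IF}" ct state new accept',
        f'    # no rule for iifname "{bb}" -> "{LAN_IF}": unsolicited internet traffic is dropped',
        "  }",
        "  chain postrouting {",
        "    type nat hook postrouting priority 100;",
        f'    ip saddr {LAN_PREFIX} oifname "{bb}" masquerade',
        "  }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for dst in ("10.1.2.3", "172.20.0.9", "172.32.0.1", "52.96.0.1"):
        print(f"{dst:>12} -> {select_path(dst)}")
    print(render_config())
```

The rendered routes are enough for the split: the kernel's longest-prefix match sends on-net prefixes to the MPLS next hop and everything else to the broadband default, which is exactly what `select_path` computes. The nftables forward chain is the "firewall at every branch" from the paragraph above, reduced to its essentials; a real deployment would add logging, rate limits and the rest of the inspection stack, but the `policy drop` plus the absence of any broadband-to-LAN rule is the property to verify first.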
Enabling Secure Local Internet Breakout
The traditional security model was one function per appliance per site, because each service was tightly coupled to its underlying hardware. Virtual services decouple the security functions from the hardware and allow them to run as virtual machines on general-purpose devices: WAN optimization devices, commodity servers, conventional routers or SD-WAN appliances. Alternatively, all branch traffic can be sent to a cloud security provider and the policies provisioned as a cloud service. Conventional thinking holds that security features belong in the branch itself, but if the first hop is always the cloud provider, then having the security functions one hop away makes no practical difference, provided the branch-to-provider leg is itself protected, typically by an encrypted tunnel, so that the branch exposes nothing directly to the internet.
The virtualization of security services has many benefits. The first and most obvious is cost. Virtual security functions typically cost a fraction of a dedicated appliance, as there is no custom hardware to buy. Another benefit is service agility. As an example, consider a business that deploys a hybrid SD-WAN but is not ready to implement local internet breakout. After a period of time, the network operators become comfortable with the model and want to test breakout at a few locations. With traditional security appliances, the hardware would need to be ordered and shipped, and an engineer would have to travel to each site to configure each device by hand. Virtual services can be spun up immediately, so the infrastructure is no longer what holds the business back. One last benefit is that maintenance and upgrades are easier. Because the security functions are software, upgrades can be scheduled and automated across all sites, which also means a branch is far less likely to be left running an unpatched firewall simply because nobody could get to it.
There are many benefits to local internet breakout, ranging from cost efficiency to significantly improved SaaS performance. Despite the strong value proposition, production deployments are rare and the complexity of implementation can be overwhelming. The virtualization of security functions makes it much easier to deploy whatever security services are required, wherever the company wants them. With that, local internet breakout can finally become a reality for companies looking to connect branch workers securely and directly to SaaS applications and IaaS instances.