Countering the Hype in Enterprise Edge Connectivity - Going Back-to-Basics (Part 2 of 2)
This post is the second article in a two-part blog series discussing the evolution of enterprise connectivity. If you missed the first part, you might want to check it out. In the first article, we examined changes in the enterprise connectivity landscape and laid out the new set of requirements resulting from these changes. In this second article, we look at the classes of solutions available today and provide our views on how the market could evolve. 

AvidThink has looked at the concept of the universal enterprise fabric in the past. We first introduced our tongue-in-cheek concept of Fabric for Universal Networking (FUN) in an article related to SD-WANs, and then again, when we examined the introduction of Gartner's SASE. In some ways, enterprises have been seeking the holy grail of connectivity forever: a fabric that connects disparate locations, users, devices, and applications together in a unified network. Despite these years of efforts, it continues to elude our grasp.

In this post, given the context of the new requirements we covered in the first article, we evaluate today's enterprise connectivity options and gauge their likelihood of achieving that holy grail.


Here, we're not talking about multi-protocol label switching (MPLS) VPNs. MPLS VPNs provided by communications service providers (CSPs) guarantee isolation and segregation but don't usually reach servers inside data centers, private or public, nor do they handle mobile locations. We're talking, instead, about the mainstay IPsec-based VPNs, as well as variants like SSL/TLS or DTLS (UDP-based) options.

These capabilities started in dedicated VPN concentrators and migrated into the firewall (FW) and next-gen firewall (NGFW) devices. Today, these pervasive FW/VPN and NGFW devices represent the preponderance of inter-site connectivity. Laptops and mobile devices run VPN clients that connect back to these devices on corporate networks to gain secure access. FW/VPN solutions have also embraced public clouds through virtual instances or integration with cloud gateways like Azure Virtual WAN or VPN gateway. However, FW/VPN-based solutions don't directly address connectivity to applications hosted on IaaS or PaaS clouds, unless VPN endpoint software is run on VMs hosting those applications.

Nevertheless, FW/VPN solutions today are still a viable method to connect enterprise sites, private clouds, public clouds, and mobile devices. The main challenge with the FW/VPN approach is generally the management of complex routing topology. Likewise, managing the encryption keys, policies, and configuration across all these endpoints can be challenging at scale.

Building up a distributed network of IPsec endpoints can be difficult. Often, many implementations still backhaul traffic to central corporate data centers, which unnecessarily adds latency, potentially creates congestion, and contributes to additional points of failure. Further, the IPsec implementation footprint can sometimes be too much for smaller IoT devices.

Many FW/VPN offerings also carry legacy vulnerabilities and aren't built on a zero-trust foundation, which can make them easier to breach and exploit. One example is the recent Fox Kitten campaign, which leveraged vulnerabilities across a wide range of major FW/VPN vendors to penetrate a number of companies worldwide.

Network Virtualization/SDN Fabrics

While edge connectivity was evolving, the data center saw its fair share of changes too. With the increasing use of VMs, the need for an overlay network became important. The arrival of software-defined networking (SDN) and network virtualization (NV) created another option for enterprise-wide connectivity. Encapsulation formats like VXLAN, GRE, NVGRE, and GENEVE helped usher in a wave of overlay networks. These allowed networks to span multiple servers, racks, and in some cases, data centers.
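To make the overlay idea concrete, here is an added example (not code from the article or from any vendor it names) that builds and parses the 8-byte VXLAN header from RFC 7348 and then applies the kind of boundary check a defender would run where an overlay crosses a data-center or cloud edge. The inner Ethernet frame and the tenant VNI allow-list are constructed for the example. The point it shows, which the paragraph alone does not, is that the VNI is a plain label with no authentication or integrity field, so tenant isolation rests on the underlay (filtering, IPsec) rather than on the encapsulation itself.

```python
"""Minimal VXLAN (RFC 7348) encapsulation plus a boundary segmentation check.

Added illustration, not code from the article or any vendor named in it.
The sample inner Ethernet frame and the VNI allow-list are constructed.
"""
import struct

VXLAN_UDP_PORT = 4789   # IANA-assigned VXLAN destination port
VXLAN_FLAG_I = 0x08     # "I" bit: the VNI field is valid
VXLAN_HDR_LEN = 8


def encode_vxlan(vni, inner_frame):
    """Prepend an 8-byte VXLAN header carrying the 24-bit VNI."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    # Layout: flags(1) | reserved(3) | VNI(3) | reserved(1)
    header = struct.pack("!B3sI", VXLAN_FLAG_I, b"\x00" * 3, vni << 8)
    return header + inner_frame


def decode_vxlan(payload):
    """Return (vni, inner_frame); raise ValueError on a malformed header."""
    if len(payload) < VXLAN_HDR_LEN:
        raise ValueError("truncated VXLAN header")
    flags, _reserved, vni_word = struct.unpack("!B3sI", payload[:VXLAN_HDR_LEN])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag clear: VNI not valid")
    return vni_word >> 8, payload[VXLAN_HDR_LEN:]


def classify_overlay_packet(udp_dst_port, payload, allowed_vnis):
    """Defender-side check for VXLAN seen on a link where only the listed
    tenant VNIs should appear (for example a DC edge or a cloud boundary).

    Returns one of: "not-vxlan", "malformed", "unknown-vni", "ok".
    The header has no authentication or integrity protection, so this check
    can only enforce policy on the label; confidentiality and origin
    assurance must come from the underlay (IPsec, strict filtering of
    UDP/4789 at the boundary).
    """
    if udp_dst_port != VXLAN_UDP_PORT:
        return "not-vxlan"
    try:
        vni, _inner = decode_vxlan(payload)
    except ValueError:
        return "malformed"
    return "ok" if vni in allowed_vnis else "unknown-vni"


def build_sample_frame():
    """Constructed inner Ethernet frame: dst MAC, src MAC, EtherType IPv4,
    followed by a 20-byte IPv4 header stub (version/IHL byte 0x45)."""
    dst_mac = bytes.fromhex("0a0000000001")
    src_mac = bytes.fromhex("0a0000000002")
    ethertype = struct.pack("!H", 0x0800)
    return dst_mac + src_mac + ethertype + b"\x45" + b"\x00" * 19


if __name__ == "__main__":
    frame = build_sample_frame()
    pkt = encode_vxlan(5000, frame)
    vni, inner = decode_vxlan(pkt)
    print("encapsulated bytes:", len(pkt), "VNI:", vni, "inner intact:", inner == frame)
    print("tenant 5000 allowed:", classify_overlay_packet(VXLAN_UDP_PORT, pkt, {5000}))
    print("tenant 7 at boundary:", classify_overlay_packet(VXLAN_UDP_PORT, encode_vxlan(7, frame), {5000}))
```

Run stand-alone, the script encapsulates a frame in VNI 5000, decodes it back, and then shows the boundary check accepting the allowed tenant and flagging an unexpected VNI. The same `classify_overlay_packet` logic is what you would attach to a capture or flow feed on an inter-DC or cloud-facing link to spot overlay traffic that should not be crossing that boundary.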

Many of these NV solutions work well within data centers but find themselves challenged when crossing data center boundaries, especially into public clouds. Likewise, these solutions generally aren't designed to bridge into enterprise branch or mobile locations, or to serve IoT devices. Some major NV providers are trying to unify connectivity across all these locations, but these efforts are works-in-progress and will take time to realize. Having said that, some of this SDN architecture has spilled over into another domain, that of the SD-WAN.


Indeed, one of the major contenders for the universal fabric is the software-defined wide area network (SD-WAN). When SD-WANs came on the scene, they subsumed much of the functionality that enterprise edge devices provide, such as firewall, VPN, WAN optimization, and routing, but applied SDN principles to improve scale and agility. While most SD-WANs also depend on IPsec for setting up encrypted links between locations, their cloud-based controls and single management pane reduce a lot of the complexity associated with existing FW/VPN/edge router setups. The added ability to effectively manage multiple links for increased reliability and performance at a cost-effective price point has made SD-WAN one of the hottest enterprise networking trends in recent years.

However, SD-WAN solutions vary quite significantly in their handling of public clouds. While most SD-WANs provide virtual instantiations of their edge platforms that can be brought up in public clouds, deploying and configuring these virtual edges can be complicated, and is not always automated to the extent desired by cloud-first enterprises. Some SD-WAN vendors are now offering integration into public cloud networks, such as built-in support for Azure Virtual WAN and AWS Transit Gateway. However, some of these vendors still rely on IPsec as the primary mode of connectivity to the cloud, which does not scale or perform well and poses an operational challenge, as mentioned in the earlier sections.

Even as SD-WANs continue to rise in importance, many SD-WAN solutions today still do not treat mobile users as first-class citizens. SD-WANs often offer no option for roaming users to connect. Likewise, the implementation footprint of SD-WAN solutions is quite large, making support for IoT devices unwieldy. Given the amount of hype and investment in this area, though, AvidThink expects SD-WAN to evolve into a strong contender for the role of universal connection fabric.

Cloud Native Networking Approaches

The currently unfulfilled demands of a unified enterprise fabric that meets all the requirements described in our initial post have attracted new players. SD-WAN and SDN/NV solutions are evolving to match more of the requirements, improving security and end-to-end quality-of-experience. Meanwhile, there is a new class of cloud-native secure networking solutions emerging.

These solutions connect apps to apps and users to apps, over the Internet, without the enterprise deploying any bespoke hardware. This is markedly different from site-to-site approaches including MPLS WAN, SD-WAN and VPN. An example of an app-to-app cloud-native networking initiative is Nebula, an open-source project from Slack that's attempting to build a global overlay network solution using host-based agents to more agilely and securely connect nodes over the Internet. Similar to how Envoy emerged from Lyft, based on Lyft's need to run containerized architectures at scale, Nebula has arisen from Slack's need to connect application nodes at scale without VPNs.

A cloud-native networking solution similar to Nebula, but focused on user-to-app interaction, is Project Ziti. NetFoundry, which is a CNCF member, has built NaaS services on top of Ziti to enable enterprises to extend private networks over the Internet for initiatives such as IoT, edge and multicloud, without deploying networking hardware or dedicated circuits. NetFoundry's NaaS services offer a zero-hardware deployment model, similar to AWS, Azure and GCP cloud compute (IaaS). NetFoundry customers can spin up private networks, while NetFoundry orchestrates and manages the overlay fabric. The private networks feature zero-trust security for applications and SASE security for sites, and provide optimized Internet performance across NetFoundry's managed fabric.

Additional Considerations

As we wrap up this two-part series, I want to call out that we've only touched on a fraction of the requirements from the first post. There are numerous other nuances and details against which these solutions have to be evaluated.

For example, we see increased demand from enterprises for an enhanced Internet through private or tightly-managed backbones. End-to-end quality-of-experience (QoE), especially when it comes to cloud-hosted VPCs or SaaS applications, has become more critical for enterprises.

Many of the SD-WAN approaches we described above can be coupled with an Internet QoE optimization solution such as Mode or Teridion. Mode leverages an Internet overlay fabric, built on Ericsson's Unified Delivery Network (UDN), coupled with Mode's optimization algorithms. Teridion and NetFoundry built cloud-native overlay fabrics to pair with their respective Internet optimization algorithms. Both Teridion and NetFoundry (as part of its NaaS) are also available as standalone solutions. Gartner included NetFoundry, Mode and Teridion in a group of 7 Internet optimization solutions which Gartner says will take 30% of the cloud interconnect market from MPLS-based solutions.

I would recommend that readers evaluate the set of available options thoroughly against their own specific requirements. Both cloud-native app networking and evolving SD-WAN solutions bear watching as they evolve their offerings to meet emerging customer needs for the difficult-to-deliver combination of zero-trust security and enterprise-grade QoE over the Internet, closely tying into Gartner's SASE framework and our Fabric for Universal Networking trend. In future articles, we'll continue to examine the new challenges in enterprise edge compute and dig a little deeper into related topics, so stay tuned!


Disclosure: We at AvidThink are grateful to NetFoundry for their support of this blog series. Independent of sponsorship, AvidThink has made every attempt to provide an unbiased view of the existing enterprise connectivity space. Reach out to us at with your feedback and questions.

About the Author


Roy Chua is founder and principal at AvidThink, an independent research and advisory service formed in 2018 out of SDxCentral's research group. Prior to co-founding SDxCentral and running its research and product teams, Chua was a management consultant working with both Fortune 500 and startup technology companies on go-to-market and product consulting. As an early proponent of the software-defined infrastructure movement, Chua is a frequent speaker at technology events in the telco and cloud space and a regular contributor to leading online publications. A graduate of UC Berkeley's electrical engineering and computer science program and MIT's Sloan School of Business, Chua has 20+ years of experience in telco and enterprise cloud computing, networking and security, including founding several Silicon Valley startups. He can be reached at; follow him at @AvidThink and @WireRoy.

Published Tuesday, April 21, 2020 7:34 AM by David Marshall